Dingde Jiang,Zhengzheng Xu,Peng Zhang,Ting Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.09.014

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic anomalies contain existing abnormal changes in network traffic, which are derived from malicious and anomalous behaviors of users or network devices, such as network faults, abuses, network attacks, etc. These anomalies often damage our operation networks and even lead to network disruptions. In the present paper, we propose a novel method for detecting traffic anomalies in a network by exacting and capturing their features in the transform domain. Here, we take in consideration network topology information and network-wide traffic jointly. We find that anomalous network-wide traffic usually exhibits distinct high-frequency nature. This motivates us to utilize transform domain analysis theory to characterize network-wide traffic to identify its abnormal components. Besides, we group all origin-destination flows in the network in accordance with common destination nodes. By combining network topology information and transform-domain analysis in the given time window, the specious traffic components can be found and identified. Simulation results show that our detection algorithm exhibits a fairly robust detection ability and provides the better detection performance than previous algorithms. (c) 2013 Elsevier Ltd. All rights reserved.

Xiao-Dong Zang,Jian Gong,Xiao-Yan Hu

DOI: https://doi.org/10.1109/access.2019.2914303

IF: 3.9

2019-01-01

IEEE Access

Abstract:Anomaly detection is the first step with a challenging task of securing a communication network, as the anomalies may indicate suspicious behaviors, attacks, network malfunctions, or failures. In this paper, we address the problem of not only detecting different anomalies, such as volume based (e.g., DDoS or Flash crowd) and spatial based (e.g., network scan), that arise simultaneously in the wild but also of attributing the anomalous point to a single-anomaly event causing it. Besides, we also tackle the problem of low-detection accuracy caused by the phenomenon of traffic drift. To this end, a novel adaptive profile-based anomaly detection scheme is proposed. More specifically, a more comprehensive metrics set is defined from the dimensions of temporal, spatial, category, and intensity to compose IP traffic behavior characteristic spectrum for fine-grained traffic characterization. Then, the digital signature matrix obtained by using the ant colony optimization (ACO) algorithm is applied to construct the baseline profile of the normal traffic behavior. Anomalous points are identified and analyzed by using confidence bands and a generic clustering technique, respectively. Finally, a lightweight updating strategy is applied to reduce the number of false positives. Real-world data of China Education Research Network backbone and synthetic data are collected to verify our proposal. The experimental results demonstrate that our approach provides a fine-grained behavior description ability and has significantly increased the detection accuracy compared with other similar alternatives.

Fan-Bo MENG,Nan JIANG,Bo LIU,Ran LI,Fei XIA

DOI: https://doi.org/10.12783/dtetr/ssme-ist2016/4030

2016-01-01

DEStech Transactions on Engineering and Technology Research

Abstract:With the advance of new network technologies, new types of applications are quickly arising. Network traffic exponentially is rising. Accordingly, this results in new challenges for network traffic anomaly detections. This paper proposes a new quick detection approach to network traffic anomalies. Firstly, network traffic is regarded as a time series of signals and is constructed into a matrix. Secondly, the principal component decomposition is performed for the matrix. The network traffic is divided into principal and non-principal components. Thirdly, the empirical mode decomposition is carried out for these two components. In this case, a quick anomaly detection algorithm is presented. Simulation results show that our approach is feasible and promising.

Fengyu Wang,Bin Gong,Yi Hu,Ningbo Zhang

DOI: https://doi.org/10.1109/embeddedcom-scalcom.2009.86

2009-01-01

Abstract:As the development of Internet, it is more and more difficult to detect anomaly promptly and precisely. In this paper, we proposed an anomaly detection algorithm based on the predicting of multi-level wavelet detail signals synchronously. Firstly, process the time series of traffic with non-decimated Haar wavelet transform and produce detail signals. Secondly, predict the detail signals of wavelet transform and get the residual ratio series, which can expose the anomaly more obviously than original signal. Finally, based on principal of “3σ” of normal distribution, abrupt changes can be detected. Along with the arriving of traffic data, this algorithm detects anomaly on several time-scales recursively without delay. So this algorithm can detect traffic anomaly more precisely and promptly. Analysis and experiments reveal that this algorithm can detect anomalies effectively.

Xueyuan Duan,Yu Fu,Kun Wang

DOI: https://doi.org/10.48550/arXiv.2205.03907

2022-05-08

Networking and Internet Architecture

Abstract:To address the problem that traditional network traffic anomaly detection algorithms do not suffi-ciently mine potential features in long time domain, an anomaly detection method based on mul-ti-scale residual features of network traffic is proposed. The original traffic is divided into subse-quences of different time spans using sliding windows, and each subsequence is decomposed and reconstructed into data sequences of different levels using wavelet transform technique; the stacked autoencoder (SAE) constructs similar feature space using normal network traffic, and gen-erates reconstructed error vector using the difference between reconstructed samples and input samples in the similar feature space; the multi-path residual group is used to learn reconstructed error The traffic classification is completed by a lightweight classifier. The experimental results show that the detection performance of the proposed method for anomalous network traffic is sig-nificantly improved compared with traditional methods; it confirms that the longer time span and more S transformation scales have positive effects on discovering potential diversity information in the original network traffic.

Dingde Jiang,Yang Han,Xingwei Wang,Zhengzheng Xu

2010-01-01

Abstract:Traffic anomalies are abnormal changes in network traffic. There are many causes of resulting in traffic anomaly changes, including network fault, abuse, network attack and so on. This paper proposes a novel method for detecting traffic anomalies in a network. Firstly, all Origin-Destination (OD) flows in the network are grouped with accordance with common destination nodes. We then make time-frequency analysis for each group and extract their high frequency component. Based on the extracted high frequency signal, correlation coefficients of each OD flow against the other in a group are computed. Consequently, we can make the exact anomaly detection. Simulation results show that our approach is effective and promising.

Shuying Chang,Xuesong Qiu,Zhipeng Gao,Ke Liu,Feng Qi

DOI: https://doi.org/10.1109/CNSM.2010.5691206

2010-01-01

Abstract:With the development of high-speed networks, the challenge of effectively analyzing the massive data source for anomaly detection and diagnosis is yet to be resolved. This paper proposes a new flow-based anomaly detection method based on summary data structures and combinations of traffic features. Using IPFIX flow records as input, parallel sketches are established for chosen traffic features respectively. For each sketch, we use Holt-Winters forecasting technique to achieve their forecast sketches and deviation matrixes. When the deviation exceeds a certain threshold, sub-alarms will be generated. According to the characteristics of various attacks and combinations of traffic features, sub-alarms can be merged into final alarms. While sketches of flows are being constructed, destination addresses are recorded in linked lists which are used to locate victims by a series of set operations. This method can not only detect the existence of anomalies in near real time, but can roughly indicate the anomaly types and locate abnormal addresses.

Shuying Chang,Xuesong Qiu,Zhipeng Gao,Feng Qi

DOI: https://doi.org/10.1109/icbnmt.2010.5705084

2010-01-01

Abstract:Network traffic anomaly detection is an important component in network security and management domains which can help to improve availability and reliability of networks. This paper proposes a flow-based anomaly detection method with the help of entropy. Using IPFIX, flow records containing multiple traffic features are collected in each time window. With entropy, joint probability space for multiple traffic features is constructed which is the basis of the proposed scheme. The anomaly detection method is composed of two stages. The first stage is to systematically construct the probability distribution of traffic features in normal traffic pattern. In the second stage, to detect abnormal network activities, the improved Kullback-Leibler distance between the observed probability distribution for the multiple traffic features and the forecast distribution which can be achieved by Holt-Winters technique is calculated. The improved Kullback-Leibler distance is a calculation that measures the level of difference of two probability distributions. When the distance exceeds a pre-set threshold, alerts will be generated. Finally, the scheme is demonstrated by experiment and the result shows that this method has high accuracy and low complexity.

Hong Wang,Zhenghu Gong,Qing Guan,Baosheng Wang

DOI: https://doi.org/10.1109/icn.2008.83

2008-01-01

Abstract:Anomalies generate vast amounts of bogus traffic, which can overwhelm the network and any attached hosts. Identifying Traffic anomalies rapidly and accurately is critical to network stability and usefulness. Most papers focus on analyzing the volume of data or packets on the network. However, legitimate network traffic may be bursty or highly variable, rendering such naive approaches ineffective[7]. We propose a novel method called MultiA to solve this problem. Rather than just looking at volumes of packets, MultiA intelligently adopted Multistage Filter and information entropy take into account the behavior of the network. The MultiA is scalable, automated and self-training. We find this technique effectively identifies network traffic anomalies while avoiding the high false alarms rate.

Yangrui HU,Xingshu CHEN,Junfeng WANG,Xiaoming YE

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.11.008

2016-01-01

Abstract:Real network environment lack of labeled data set, so traditional anomaly traffic detection method based on labeled data set is unsuitable for actual large-scale network. To resolve this, the paper proposes an improved k-means anomaly traffic detection method for unlabeled data sets. Firstly, collect the Sichuan University network outlet lfow and store in the distributed ifle system;secondly, construct user behavior feature set on the basis of network lfow analysis, and extract relevant characteristics by Spark big data processing platform. Referenced principles of group to define the normal behavior of clusters in the actual flow, construct normal flow behavior model on improved K-means++cosine clustering method;Finally, the cosine distance between the normal behavior model and user actual flow behavior is calculated to detected anomaly flow behavior. The feasibility and validity of the method are verified by attacking experiment. The experimental results show that the normal lfow behavior model for anomaly lfow detection has higher accuracy.

A.S.Syed Navaz,S.Gopalakrishnan,R.Meena

DOI: https://doi.org/10.48550/arXiv.1308.5310

2013-08-24

Abstract:Introducing Internet traffic anomaly detection mechanism based on large deviations results for empirical measures. Using past traffic traces we characterize network traffic during various time-of-day intervals, assuming that it is anomaly-free. Throughout, we compare the two approaches presenting their advantages and disadvantages to identify and classify temporal network anomalies. We also demonstrate how our framework can be used to monitor traffic from multiple network elements in order to identify both spatial and temporal anomalies. We validate our techniques by analyzing real traffic traces with time-stamped anomalies.

Networking and Internet Architecture

Ding De Jiang,Cheng Yao,Wei Han Zhang,Zheng

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.1461

2013-01-01

Advanced Materials Research

Abstract:This paper presents a detection algorithm for anomaly network traffic, which is based on spectral kurtosis analysis. Firstly, we turn network traffic into time-frequency signals at different scales. These time-frequency signals hold the more detailed nature corresponding to different scales. Secondly, the time-frequency signals at different scales are transformed into a series of new time signals by time-frequency analysis theory. These new time signals hold obvious narrowband nature and embody the local properties of network traffic. Thirdly, we calculate the spectral kurtosis values of the new time signals and then perform the feature extractions. As a result, the abnormal network traffic can be correctly identified. Simulation results show that our algorithm is feasible and promising.

Wei Xiong,Naixue Xiong,Laurence T. Yang,Jong Hyuk Park,Hanping Hu,Qian Wang

DOI: https://doi.org/10.1007/s11227-011-0644-y

2011-01-01

Abstract:It has been increasingly important for Pervasive and Ubiquitous Applications (PUA) of the network traffic, especially anomaly detection which plays a critical role in enforcing a high protection level of the network against threats. In this paper, we present a network traffic anomaly detection method based on the catastrophe theory. In order to characterize the normal behavior of the network, we construct a profile of the normal network traffic by using an equilibrium surface of the catastrophe theory. When anomalies occur, the state of the network traffic will deviate from the normal equilibrium surface. Then, taking the normal equilibrium surface as a reference, we monitor the ongoing network traffic and we use a new index called as catastrophe distance to quantify the deviation. According to the decision theory, network traffic anomalies can be identified by the catastrophe distance. We evaluate the performance of our approach using the DARPA intrusion detection data set. Experiment results show that our approach is significantly effective on the network traffic anomaly detection.

FENG Zhen,HU Guang-ming,YAO Xing-miao,ZHOU Ying-jie

DOI: https://doi.org/10.3969/j.issn.2095-6835.2010.24.038

2010-01-01

Abstract:Anomaly detection in backbone network faces two problems:anomaly traffic is relatively small and real-time detection is difficult to implement.Aiming at these two difficulties,this paper proposed a detection method of traffic anomaly based on multi-flows and multi-parameters.Our method classified network traffic into several sub-flows which are closely related to network anomaly,extracted a variety of traffic features and packets features,and then detected traffic anomaly through multi-flows and multi-parameters.The detection results in Internet2's real data show that the proposed method can effectively detect flood attacks and port scans,these results almost equal to the results of the offline analysis.

Zheng Liming,Zou Peng,Jia Yan,Han Weihong

2012-01-01

China Communications

Abstract:Detecting traffic anomalies is essential. for diagnosing attacks. High-Speed Backbone Networks (HSBN) require Traffic Anomaly Detection Systems (TADS) which are accurate (high detection and low false positive rates) and efficient. The proposed approach utilizes entropy as traffic distributions metric over some traffic dimensions. An efficient algorithm, having low computational and space complexity, is used to estimate entropy. Entropy values over all dimensions are collected to form a detection vector for every sliding window. One class support vector machine classifies all detection vectors into one of two groups: abnormal vectors and normal vectors. A Multi-Windows Correlation Algorithm (MWCA) calculates comprehensive anomaly scores observed in a sequence of windows in order to reduce false positive rates and obtain high detection rates. Some real-world traffic traces have been used to validate and evaluate the efficiency and accuracy of this system through three experiments. In Experiment 1, the estimating algorithm of entropy which costs less memory and runs faster than traditional algorithms is more suitable for detection anomalies. In Experiment 2, the classification and correlation algorithms can improve the detection accuracy significantly. Experiment 3 compares the subject system and three well-known systems. Ours system is the most accurate one. Those results have indicated that the proposed system significantly improves the accuracy and efficiency.

Yu Zheng,Xinglin Lian,Zhangxuan Dang,Chunlei Peng,Chao Yang,Jianfeng Ma

DOI: https://doi.org/10.1145/3583780.3615214

2023-01-01

Abstract:Anomaly traffic detection is a crucial issue in the cyber-security field. Previously, many researchers regarded anomaly traffic detection as a supervised classification problem. However, in real scenarios, anomaly network traffic is unpredictable, dynamically changing and difficult to collect. To address these limitations, we employ anomaly detection setting to propose a novel semi-supervised anomaly network traffic detection framework. It only learns features of normal samples during the training phase. Our framework utilizes low-pass filtering to extract multi-scale low-frequency information from 2-D traffic image. Furthermore, we design a two-stage fusion scheme to incorporate information from original and multi-scale low-frequency traffic image modalities. We conduct experiments on two public datasets: ISCX Tor-nonTor and USTC-TFC2016. The experimental results show that our method outperforms current state-of-the-art anomaly detection methods.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Xiaofen Wang,Liaojun Pang,Qingqi Pei,Xuejun Li

DOI: https://doi.org/10.1109/ICCASM.2010.5620645

2010-01-01

Abstract:Fast network traffic anomaly detection is an important issue in network security. At present, the Internet environment becomes more and more complex than ever before. The unexpected anomaly occurs constantly, which brings great loss to Internet services. This makes people put forward higher requirements for the speed and real-time of network traffic anomaly detection. How to quickly perceive the traffic anomaly is a new demand in the network anomaly detection. Due to the shortage of the conventional detection methods in terms of speed, a fast anomaly detection scheme is proposed in this paper, which is based on the iterative estimation of Hurst parameter. The anomaly can be determined through the value of estimation. Meanwhile, by online we can estimate continuously and refresh the value of Hurst according to the latest network traffic, and then we can get the latest traffic data and speed up the process of anomaly detection. Analyses show that this scheme is effective in fast anomaly detection. © 2010 IEEE.

Bo Li,Simin Zhang,Ke Li

DOI: https://doi.org/10.1002/cpe.3955

2016-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryAnomaly detection plays a crucial part in identifying unforeseen attacks for network and information security. However, the accuracy of existing network anomaly detection approaches is limited because of the lack of sufficient and high‐quality features. Most research works only take information from one network layer into account, which leads to a situation that some key features of other network layers are omitted. To address this issue, we propose a novel approach, named Multi‐Layers Anomaly Detection, which extracts and combines features from different network layers. In order to reduce redundancy and noise derived from the combination of multiple layers, an algorithm called RanPF is designed by applying principal components analysis (PCA) into random forest (RF) algorithm. RanPF uses features selected by PCA to decide the height of every tree in RF and provides a method to select which features for tree nodes to use according to the weights of principal components. To obtain high‐quality features, we adopt an attribute learning mechanism. Naive Bayes is used to characterize the attribute information, which is fast and simple compared with other learning algorithms such as SVM. In addition, a series of experiments conducted on two real‐life datasets demonstrate that our approach outperforms the state‐of‐the‐art methods in terms of detection rate and false alarm rate. MLAD achieves about 99% detection rate and about 0.6% false alarm rate on average when the ratio of the training set is 60%. Copyright © 2016 John Wiley & Sons, Ltd.

Shenglong Liu,Yuxiao Xia,Di Wang

DOI: https://doi.org/10.1109/access.2024.3376413

IF: 3.9

2024-03-27

IEEE Access

Abstract:In the era of mobile big data, smart mobile devices have become an integral part of our daily life, which brings many benefits to the digital society. However, their popularity and relatively lax security make them vulnerable to various cyber threats. Traditional network traffic analysis techniques utilizing pattern matching and regular expressions matching algorithms are becoming insufficient for mobile big data. Network traffic anomaly detection is an effective method to replace traditional methods. Network traffic anomaly detection can solve many new challenges brought by future network and protect the security of network. In this article, we propose a streaming network framework for mobile big data, referred to as SNMDF, which provides massive data traffic collection, processing, analysis, and updating functions, to cope with the tremendous amount of data traffic. In particular, by analyzing the specific characteristics of anomaly traffic data from flow and user behavior, our proposed SNMDF demonstrates its capability to offer real data-based advice to address new challenges for future wireless networks from the viewpoints of operators. Tested by real mobile big data, SNMDF has proven its efficiency and reliability. Furthermore, SNMDF is accessed for the digital twin of the space Internet, which validates that it can be generalized to other environments with massive data traffic or big data.

computer science, information systems,telecommunications,engineering, electrical & electronic