Li Zonglin,Hu Guangmin,Yao Xingmiao,Yang Dan

DOI: https://doi.org/10.1155/2009/752818

2008-01-01

EURASIP Journal on Advances in Signal Processing

Abstract:Distributed network traffic anomaly refers to a traffic abnormal behavior involving many links of a network and caused by the same source (e.g., DDoS attack, worm propagation). The anomaly transiting in a single link might be unnoticeable and hard to detect, while the anomalous aggregation from many links can be prevailing, and does more harm to the networks. Aiming at the similar features of distributed traffic anomaly on many links, this paper proposes a network-wide detection method by performing anomalous correlation analysis of traffic signals' instantaneous parameters. In our method, traffic signals' instantaneous parameters are firstly computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.

Bin Zhang,Jiahai Yang,Jianping Wu,Donghong Qin,Lei Gao

DOI: https://doi.org/10.1109/noms.2012.6211919

2012-01-01

Abstract:PCA-subspace method has been proposed for network-wide anomaly detection. Normal subspace contamination is still a great challenge for PCA although some methods are proposed to reduce the contamination. In this paper, we apply PCA-subspace method to six-month Origin-Destination (OD) flow data from the Abilene. The result shows that normal subspace contamination is mainly caused by anomalies from a few strongest OD flows, and seems unavoidable for subspace method. Further comparison of anomalies detected by subspace method and manually tagged anomalies from each OD flows, we find that anomalies detected by subspace method are mainly caused by anomalies from medium and a few large OD flows, and most anomalies of minor OD flows are buried in abnormal subspace and hard to be detected by PCA-subspace method. We analyze the reason for those anomalies undetected by subspace method and suggest to use normal subspace to detect anomalies caused by a few strongest OD flows, and to further divide abnormal subspace to detect more anomalies from minor OD flows. The goal of this paper is to address limitations neglected by prior works and further improve the subspace method on one hand, also call for novel detection methods for network-wide traffic on another hand.

Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1016/j.comcom.2007.10.010

IF: 5.047

2008-01-01

Computer Communications

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. Most current intrusion detection models lack the ability to process massive audit data streams for real-time anomaly detection. In this paper, we present an effective anomaly intrusion detection model based on Principal Component Analysis (PCA). The model is more suitable for high speed processing of massive data streams in real-time from various data sources by considering the frequency property of audit events than by use of the transition property or the correlation property. It can serve as a general framework that a practical Intrusion Detection Systems (IDS) can be implemented in various computing environments. In this method, a multi-pronged anomaly detection model is used to monitor various computer system and network behaviors. Three sources of data, system call data from the University of New Mexico (lpr) and from KLINNS Lab of Xi'an Jiaotong University (ftp), shell command data from AT&T Research laboratory, and network data from MIT Lincoln Lab, are used to validate the model and the method. The frequencies of individual system calls generated by one process and of individual commands embedded in one command block as well as features extracted in one network connection are transformed into an input data vector. Our method is employed to reduce the high dimensional data vectors and thus the detection is handled in a lower dimension with high efficiency and low use of system resources. The distance between a vector and its reconstruction in the reduced subspace is used for anomaly detection. Empirical results show that our model is promising in terms of detection accuracy and computational efficiency, and thus amenable for real-time intrusion detection.

Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

Wenzhu Zhang,Jia Liu,Yuan Jian,Zhang Lin,Xiuming Shan

2010-01-01

Abstract:Monitoring P2P traffic is difficult due to the peers in P2P networks joining and leaving dynamically. This paper presents a method based on principal components analysis (PCA) to monitor the spatial-and-temporal characteristics of P2P traffic. The meaning of the largest eigenvalue and the corresponding eigenvector is explained by the PCA theory,which are calculated from the cross-correlation matrix of the flow data. A weight vector is also defined to monitor traffic patterns. Simulation results show that the spatial-and-temporal characteristics are effectively captured using the developed method.

Zhenhui Wang,Dezhi Han,Ming Li,Han Liu,Mingming Cui

DOI: https://doi.org/10.1080/09540091.2022.2051434

2022-04-07

Connection Science

Abstract:Network abnormal traffic detection can monitor the network environment in real time by extracting and analysing network traffic characteristics, and plays an important role in network security protection. In order to solve the problems that the existing detection methods cannot fully learn the spatio-temporal characteristics of data, the classification accuracy is not high, and the detection time and accuracy are susceptible to the influence of redundant data in the sample. Thus, this paper proposes a network abnormal detection method (PCSS) integrating principal component analysis (PCA) and single-stage headless face detector algorithms (SSH). PCSS applies the PCA algorithm to the data preprocessing to eliminate the interference of redundant data. At the same time, PCSS also combines feature fusion and SSH to enhance the feature extraction of unclear features data, and effectively improve the detection speed and accuracy. Simulation experiments based on IDS2017 and IDS2012 data sets are carried out in this paper. Experimental results show that PCSS is obviously superior to other detection models in detection speed and accuracy, which provides a new method for efficiently detecting traffic attacks.

computer science, artificial intelligence, theory & methods

Zheng Chen,Xinli Yu,Yuan Ling,Bo Song,Wei Quan,Xiaohua Hu,Erjia Yan

DOI: https://doi.org/10.48550/arXiv.1812.09387

2019-01-15

Abstract:Correlated anomaly detection (CAD) from streaming data is a type of group anomaly detection and an essential task in useful real-time data mining applications like botnet detection, financial event detection, industrial process monitor, etc. The primary approach for this type of detection in previous researches is based on principal score (PS) of divided batches or sliding windows by computing top eigenvalues of the correlation matrix, e.g. the Lanczos algorithm. However, this paper brings up the phenomenon of principal score degeneration for large data set, and then mathematically and practically prove current PS-based methods are likely to fail for CAD on large-scale streaming data even if the number of correlated anomalies grows with the data size at a reasonable rate; in reality, anomalies tend to be the minority of the data, and this issue can be more serious. We propose a framework with two novel randomized algorithms rPS and gPS for better detection of correlated anomalies from large streaming data of various correlation strength. The experiment shows high and balanced recall and estimated accuracy of our framework for anomaly detection from a large server log data set and a U.S. stock daily price data set in comparison to direct principal score evaluation and some other recent group anomaly detection algorithms. Moreover, our techniques significantly improve the computation efficiency and scalability for principal score calculation.

Machine Learning

Su Yang,Wenbin Zhou

DOI: https://doi.org/10.1109/PASSAT/SocialCom.2011.10

2011-01-01

Abstract:Some special natural and social events like natural disasters, terrorism attacks, and traffic accidents may have remarkable effect on people's collective behaviors, which means the behaviors of a large number of people viewed as a whole. Analysis of the patterns of collective behaviors in the sense of data mining is an important topic. Solving this problem is crucial and practical in that online detection of abnormal patterns of people's collective behaviors may lead to rapid response to emergent affairs. In terms of technology, the task can be regarded as detection of abnormal particle movement patterns from a global point of view. In this study, we propose a solution to solve this problem. First, the traffic flows observed by more than 4000 sensors are organized as high-dimensional time series. Second, a widely used manifold learning technique referred to as locally linear embedding (LLE) is used to compute the K coefficients in fitting every data point with its K nearest neighbors in the high-dimensional space, which can be regarded as a K-dimensional local feature associated with every data point. Then, the local features of the data points within a time window are summarized by using principal component analysis (PCA) to obtain a global feature to represent the traffic data in every time window. Finally, outlier detection is performed on such PCALLE feature space. The experimental results show that the proposed method can effectively detect abnormal traffic patterns, which correspond with some special days, like the New Year day, the national day of America, and some days with extreme weather. © 2011 IEEE.

Dingde Jiang,Jindi Liu,Zhengzheng Xu,Wenda Qin

DOI: https://doi.org/10.1109/iceceng.2011.6057677

2011-01-01

Abstract:Abnormal network traffic has a very great harm to the network, so we need to quickly detect abnormal traffic. However, the existing detection methods take a lot of computational overhead, which will make it hard to meet the real-time requirement. This paper presents a distributed network traffic anomaly detection algorithm based on sliding window, which uses decomposable principal component analysis to handle network traffic signals. Through sliding time window, traffic anomaly detection will be limited to the specified scope of time. This significantly reduces the amount of data analysis to improve the speed of anomaly detection. Using the dataset from real network to simulate, we validate that the proposed algorithm is effective and feasible.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Dingde Jiang,Cheng Yao,Zhengzheng Xu,Wenda Qin

DOI: https://doi.org/10.1002/ett.2619

IF: 3.6

2013-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:Abnormal network traffic has an important impact on network activities and leads to the severe damage to our networks because they are usually related with network faults and network attacks. How to detect effectively network traffic anomalies is an open issue for network researchers. This paper proposes a novel method for detecting traffic anomalies in high‐speed backbone networks, based on multi‐scale analysis. Firstly, the continuous wavelet transforms are performed for network traffic in multiple continuous scales. We then use the principal component analysis for the continuous wavelet transforms in the different scales and extract the nature of the anomalous network traffic. And the new mapping function is constructed to detect the abnormal traffic. Finally, we use the traffic data from the real network to validate our method. Simulation results show that our approach is more promising than the previous method.Copyright © 2013 John Wiley & Sons, Ltd.

Dingde Jiang,Hongwei Xu,Zhengzheng Xu,Zhenhua Chen

2010-01-01

Abstract:Origin-Destination (OD) traffic anomalies reflect network-level traffic anomaly behaviors, which is significantly dangerous to network operation. OD traffic anomalies in a network are investigated in this paper, using statistical analysis based on principle component analysis (PCA). Firstly, we use PCA method to analyze network traffic characteristics and to divide OD flows in the network into both normal and abnormal subspace. Then in abnormal subspace, OD flows are grouped according to common destination address. At the same time, we compute statistical correlations between OD flows in each group and detect traffic anomaly behavior. Finally, we exploit traffic data from a real network to validate our method. Simulation results show that our approach can effectively and accurately detect OD traffic anomalies.

Zong-Lin Li,Guang-Min Hu,Xingmiao Yao

DOI: https://doi.org/10.1109/icacia.2009.5361117

2009-01-01

Abstract:Distributed anomalous traffic is difficult to detect, since it is simultaneously dispersed in many links and tend to not present any obvious anomalous features in a single link. This paper proposed a multi-scale spatial detection method against distributed stealthy traffic anomaly, it can deploy early-stage detection on key nodes of network. Multi-scale wavelet packet analysis is performed separately on links at which information is available on each node, with the aim of getting abnormal frequency ranges at different time sections and reconstructing signals with anomalous features. Then from a spatial point of view, evaluate deviation degree of high dimension vectors that composed of reconstructions by kernel density estimation as anomaly indicator. Detection results on both real anomalies of American education backbone network and synthetic distributed anomalies shows, our method performs better than existing method.

Jin Xuexiang,Zhang Yi,Li,Hu Jianming

DOI: https://doi.org/10.1016/s1007-0214(08)72208-9

2008-01-01

Tsinghua Science & Technology

Abstract:One key function of intelligent transportation systems is to automatically detect abnormal traffic phenomena and to help further investigations of the cause of the abnormality. This paper describes a robust principal components analysis (RPCA)-based abnormal traffic flow pattern isolation and loop detector fault detection method. The results show that RPCA is a useful tool to distinguish regular traffic flow from abnormal traffic flow patterns caused by accidents and loop detector faults. This approach gives an effective traffic flow data pre-processing method to reduce the human effort in finding potential loop detector faults. The method can also be used to further investigate the causes of the abnormality.

Prateek Chanda,Malay Bhattacharya

DOI: https://doi.org/10.48550/arXiv.2111.13949

2021-11-28

Abstract:Often logs hosted in large data centers represent network traffic data over a long period of time. For instance, such network traffic data logged via a TCP dump packet sniffer (as considered in the 1998 DARPA intrusion attack) included network packets being transmitted between computers. While an online framework is necessary for detecting any anomalous or suspicious network activities like denial of service attacks or unauthorized usage in real time, often such large data centers log data over long periods of time (e.g., TCP dump) and hence an offline framework is much more suitable in such scenarios. Given a network log history of edges from a dynamic graph, how can we assign anomaly scores to individual edges indicating suspicious events with high accuracy using only constant memory and within limited time than state-of-the-art methods? We propose MDistrib and its variants which provides (a) faster detection of anomalous events via distributed processing with GPU support compared to other approaches, (b) better false positive guarantees than state of the art methods considering fixed space and (c) with collision aware based anomaly scoring for better accuracy results than state-of-the-art approaches. We describe experiments confirming that MDistrib is more efficient than prior work.

Distributed, Parallel, and Cluster Computing

Ting Huang,Xiuli Ma,Xiaokang Ji,Shiwei Tang

DOI: https://doi.org/10.1109/FSKD.2013.6816293

2013-01-01

Abstract:In many large-scale real-time monitoring applications, such as water quality monitoring of large water distribution networks, massive streams flow out of multiple concurrent sensors continuously. Online detection of abnormal event, especially of those spreading in the area, is vital to such networks, as the event will influence a large number of nodes once breaking out. In this paper, we first define such event as abnormal cascading pattern, and propose an efficient, online approach to detection. Instead of analyzing the streams independently, we focus on the correlation among streams and its variation. We first summarize the evolving correlation between each pair of streams into a profile, distinguish the abnormal variation based on the profile, and then catch the cascading pattern through associating the abnormal pairs. Experiments indicate high detection sensitivity, low false alarm rate and background noise tolerance of our approach.

Zhe Wang,Kai Hu,Ke Xu,Baolin Yin,Xiaowen Dong

DOI: https://doi.org/10.48550/arXiv.1104.2156

2012-03-06

Abstract:The network traffic matrix is widely used in network operation and management. It is therefore of crucial importance to analyze the components and the structure of the network traffic matrix, for which several mathematical approaches such as Principal Component Analysis (PCA) were proposed. In this paper, we first argue that PCA performs poorly for analyzing traffic matrix that is polluted by large volume anomalies, and then propose a new decomposition model for the network traffic matrix. According to this model, we carry out the structural analysis by decomposing the network traffic matrix into three sub-matrices, namely, the deterministic traffic, the anomaly traffic and the noise traffic matrix, which is similar to the Robust Principal Component Analysis (RPCA) problem previously studied in [13]. Based on the Relaxed Principal Component Pursuit (Relaxed PCP) method and the Accelerated Proximal Gradient (APG) algorithm, we present an iterative approach for decomposing a traffic matrix, and demonstrate its efficiency and flexibility by experimental results. Finally, we further discuss several features of the deterministic and noise traffic. Our study develops a novel method for the problem of structural analysis of the traffic matrix, which is robust against pollution of large volume anomalies.

Networking and Internet Architecture,Information Theory,Performance

ZHENG Jun,HU Ming-zeng,YUN Xiao-chun,ZHENG Zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.001

2006-01-01

Abstract:The anomaly detection algorithms of the large scale network(LSN) were required to analysis the vast network traffic of G bit level in real-time and on-the-fly.A novel monitoring mechanism of LSN anomaly detection based on the data stream approach was proposed.The main contributions included: the sketch data structure and the frequent sketch algorithm of data streams were designed for anomaly detection of LSN.Optimized query methods were designed for customizing the security monitoring and detection policy with the correlations of multi data streams.The data reduction was proposed to make it possible that the whole network traffic character could be got using a few of special data streams.The experiments of the real networking environments validate the effectivity of LSN anomaly detection methods.

Xudong Wang,Luis Miranda-Moreno,Lijun Sun

DOI: https://doi.org/10.48550/arXiv.2110.04352

2021-10-09

Abstract:Spatiotemporal traffic data (e.g., link speed/flow) collected from sensor networks can be organized as multivariate time series with additional spatial attributes. A crucial task in analyzing such data is to identify and detect anomalous observations and events from the data with complex spatial and temporal dependencies. Robust Principal Component Analysis (RPCA) is a widely used tool for anomaly detection. However, the traditional RPCA purely relies on the global low-rank assumption while ignoring the local temporal correlations. In light of this, this study proposes a Hankel-structured tensor version of RPCA for anomaly detection in spatiotemporal data. We treat the raw data with anomalies as a multivariate time series matrix (location $\times$ time) and assume the denoised matrix has a low-rank structure. Then we transform the low-rank matrix to a third-order tensor by applying temporal Hankelization. In the end, we decompose the corrupted matrix into a low-rank Hankel tensor and a sparse matrix. With the Hankelization operation, the model can simultaneously capture the global and local spatiotemporal correlations and exhibit more robust performance. We formulate the problem as an optimization problem and use tensor nuclear norm (TNN) to approximate the tensor rank and $l_1$ norm to approximate the sparsity. We develop an efficient solution algorithm based on the Alternating Direction Method of Multipliers (ADMM). Despite having three hyper-parameters, the model is easy to set in practice. We evaluate the proposed method by synthetic data and metro passenger flow time series and the results demonstrate the accuracy of anomaly detection.

Machine Learning

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang

DOI: https://doi.org/10.1109/ICC.2009.5199196

2009-01-01

Abstract:The randomness of the network behaviors poses serious challenges for discovering the abnormal patterns in network traffic flows. This paper presents a method based on blind source separation approach for detecting abnormal traffic flows. It decomposes the network traffic into two components: the routine pattern and the abnormal pattern. The scale-space filter with adaptive scale is applied to filter the noise without affecting the main behavior patterns which can be used to form the abnormal traffic metrics and profiles. The zero-crossing method is applied to extract the stochastic behavior pulse widths and the largest width is selected as the scale space factor. In this way, the influence of the inherent randomness could be removed or greatly reduced. The extracted patterns of the routine behaviors imply the user's habit and the abnormal patterns are useful for discovering anomalous behaviors such as scanning, flooding and content distribution attacks. A salient feature of the method is that no supervised learning process is needed. This is a very important advantage since obtaining labeled samples in traffic monitoring is extremely difficult. Experimental results based on the datasets of an actual network show that this method is effective for monitoring anomaly traffic flows in the gigabytes traffic environment and the identification accuracy is above 95%.