
Spatiotemporal model for Internet traffic anomalies

Models for Internet traffic anomalies greatly benefit a range of applications including robust network design, network provisioning and performance studies. A novel approach to analyse and model network traffic anomalies is presented. The proposed approach individually characterises different aspects of anomalies, such as origin, termination, propagation and changes in duration and volume, with common random processes. These characteristics are then integrated into a single model that successfully captures the overall anomaly behaviours. Characterisation of each anomaly property requires only a few parameters, leading to a concise set of parameters for the entire model. Although the model is calibrated with local measurements made at nodes, it successfully represents the global behaviours of anomalies over the network. The proposed model is applicable both at nodal level and at subnet level, which enables hierarchical analysis of large and sophisticated networks. Anomalies are analysed using a multi-scale analysis framework, based on which a real-time monitoring system that efficiently communicates ongoing anomaly information across the network is developed. The system is also used for learning regional model parameters distributively. Internet2 traffic data is analysed using the framework, and the corresponding model parameters are derived. These results provide insight into the nature of anomalies in networks.

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-net.2013.0123