CISUC

A Multi-Scale Tomographic Algorithm for Detecting and Classifying Traffic Anomalies

Authors

Abstract

The occurrence of a traffic anomaly is always responsible for a degradation of performance. The anomaly can be observable, at some scale, in different ways: an increase in the number of packets, an increase in the number of bytes, a concentration of packets around a port number, etc.
In this paper we propose an anomaly independent methodology for detecting such traffic anomalies and to classify them. To accomplish that, we integrate previous work in a multi-criteria tomographic analysis process, criteria being bytes, packets or flow rate, port number or address distribution, etc. As a demarcation from this inspiring work, this new methodology is based on a multi-scale analysis, which always permits the exhibition of anomalies on at least one parameter at one time scale. The motivation for using simple parameters deals with making the interpretation of anomalies simpler, and mitigation mechanisms obvious. In addition, this methodology associates to each anomaly a set of parameters that is able to characterize the anomaly and will serve as a signature for it.
This paper presents this methodology, the related algorithm for anomaly detection, and its application on several real traffic traces captured on several networks: Auckland university, GEANT and Renater.

Keywords

Measurement, Traffic Analysis, Anomaly Detection

Subject

Traffic monitoring and measurement

Conference

2007 IEEE International Conference on Communications (ICC), June 2007


Cited by

Year 2009 : 3 citations

 Pedro Ricardo Morais Inácio, Study of the Impact of Intensive Attacks in the Self-Similarity Degree of the Network Trafic in Intra-Domain Aggregation Points, PhD Thesis, University Of Beira Interior, June 2009.

 Bruno B. Zarpelão, Leonardo S. Mendes, Mario L. Proença Jr. and Joel J. P. C. Rodrigues, Three Levels Network Analysis for Anomaly Detection, SoftCOM 2009.

 Bruno B. Zarpelão, Leonardo S. Mendes, Taufik Abrão, Lucas D. H. Sampaio, Moises F. Lima e Mario Lemes Proença Jr., Detecção de Anomalias em Redes de Computadores, XXVII SIMPÿSIO BRASILEIRO DE TELECOMUNICAÿÿES - SBrT 2009, DE 29 DE SETEMBRO A 2 DE OUTUBRO DE 2009.