A Multi-Scale Tomographic Algorithm for Detecting and Classifying Traffic Anomalies

Authors

Abstract

The occurrence of a traffic anomaly is always responsible for a degradation of performance. The anomaly can be observable, at some scale, in different ways: an increase in the number of packets, an increase in the number of bytes, a concentration of packets around a port number, etc.
In this paper we propose an anomaly independent methodology for detecting such traffic anomalies and to classify them. To accomplish that, we integrate previous work in a multi-criteria tomographic analysis process, criteria being bytes, packets or flow rate, port number or address distribution, etc. As a demarcation from this inspiring work, this new methodology is based on a multi-scale analysis, which always permits the exhibition of anomalies on at least one parameter at one time scale. The motivation for using simple parameters deals with making the interpretation of anomalies simpler, and mitigation mechanisms obvious. In addition, this methodology associates to each anomaly a set of parameters that is able to characterize the anomaly and will serve as a signature for it.
This paper presents this methodology, the related algorithm for anomaly detection, and its application on several real traffic traces captured on several networks: Auckland university, GEANT and Renater.

Keywords

Measurement, Traffic Analysis, Anomaly Detection

Subject

Traffic monitoring and measurement

Conference

2007 IEEE International Conference on Communications (ICC), June 2007