NADA ' Network Anomaly Detection Algorithm
Authors
Abstract
This paper deals with a new iterative Network Anomaly Detection Algorithm ' NADA, which is threefold: it accomplishes the detection, classification and identification of traffic anomalies. Our approach goes one step further than others since it fully provides all information required to limit the extent of anomalies by locating them in traffic traces, identifying their classes (e.g., if it is a Denial of Service, a Network Scan, or other type of anomalies), and giving their features as, for instance, the source and destination addresses and ports being involved. For this purpose, NADA uses a generic multi-featured approach executed at different time scales and at different levels of IP aggregation. Besides that, the NADA approach contributed to the definition of a set of traffic anomaly signatures. The use of these signatures makes NADA suitable and efficient to use in a monitoring environment. NADA has been validated using data traces containing documented anomalies as the one gathered in the MetroSec project.
Conference
3rd International Week on Management of Networks and Services End-to-End Virtualization of Networks and Services Manweek 2007, October 2007