NADA ' Network Anomaly Detection Algorithm

Authors

Sílvia Farraposo
Edmundo Monteiro
Philippe Owezarski

Abstract

This paper deals with a new iterative Network Anomaly Detection Algorithm ' NADA, which is threefold: it accomplishes the detection, classification and identification of traffic anomalies. Our approach goes one step further than others since it fully provides all information required to limit the extent of anomalies by locating them in traffic traces, identifying their classes (e.g., if it is a Denial of Service, a Network Scan, or other type of anomalies), and giving their features as, for instance, the source and destination addresses and ports being involved. For this purpose, NADA uses a generic multi-featured approach executed at different time scales and at different levels of IP aggregation. Besides that, the NADA approach contributed to the definition of a set of traffic anomaly signatures. The use of these signatures makes NADA suitable and efficient to use in a monitoring environment. NADA has been validated using data traces containing documented anomalies as the one gathered in the MetroSec project.

Conference

3rd International Week on Management of Networks and Services End-to-End Virtualization of Networks and Services Manweek 2007, October 2007

Cited by

Year 2009 : 1 citations

Pedro Ricardo Morais Inácio, Study of the Impact of Intensive Attacks in the Self-Similarity Degree of the Network Trafic in Intra-Domain Aggregation Points, PhD Thesis, University Of Beira Interior, June 2009.