Article

Detecting Distributed Network Traffic Anomaly with Network-Wide Correlation Analysis.

Journal on Advances in Signal Processing (Impact Factor: 0.81). 01/2009; 2009. DOI: 10.1155/2009/752818
Source: DBLP

ABSTRACT Distributed network traffic anomaly refers to a traffic abnormal behavior involving many links of a network and caused by the same source (e.g., DDoS attack, worm propagation). The anomaly transiting in a single link might be unnoticeable and hard to detect, while the anomalous aggregation from many links can be prevailing, and does more harm to the networks. Aiming at the similar features of distributed traffic anomaly on many links, this paper proposes a network-wide detection method by performing anomalous correlation analysis of traffic signals' instantaneous parameters. In our method, traffic signals' instantaneous parameters are firstly computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.

0 Bookmarks
 · 
91 Views
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The prosperity of the Internet has made it attractive to hackers and malicious attackers. Internet worms have become one type of major threats to the network infrastructure. Distributed defense collaborating with single-point-deployed security applications over multiple network domains are promising. However, most of the reported collaborative schemes for distributed defense are application-specific. There is not much research that studies the general properties of variant collaborative schemes systematically. In this paper explores properties of general collaborative defense strategies from the perspective of complex system. A three-layered network modeling platform has been developed. Taking advantage of small-world network model, the platform consists of two network layers and one application layer. On top of it, an experimental comparison study of collaborative defense schemes has been conducted. Their performance and effectiveness facing signature-embedded worm attacks have been evaluated.
    The 6th International Conference on Collaborative Computing: Networking, Applications and Worksharing, CollaborateCom 2010, Chicago, IL, USA, 9-12 October 2010; 01/2010
  • [Show abstract] [Hide abstract]
    ABSTRACT: For purposes such as end-to-end monitoring, capacity planning, and performance bottleneck troubleshooting across multi-domain networks, there is an increasing trend to deploy interoperable measurement frameworks such as perfSONAR. These deployments expose vast data archives of current and historic measurements, which can be queried using web services. Analysis of these measurements using effective schemes to detect and diagnose anomaly events is vital since it allows for verifying if network behavior meets expectations. In addition, it allows for proactive notification of bottlenecks that may be affecting a large number of users. In this paper, we describe our novel topology-aware scheme that can be integrated into perfSONAR deployments for detection and diagnosis of network-wide correlated anomaly events. Our scheme involves spatial and temporal analyses on combined topology and uncorrelated anomaly events information for detection of correlated anomaly events. Subsequently, a set of ‘filters’ are applied on the detected events to prioritize them based on potential severity, and to drill-down upon the events “nature” (e.g., event burstiness) and “root-location(s)” (e.g., edge or core location affinity). To validate our scheme, we use traceroute information and one-way delay measurements collected over 3 months between the various U.S. Department of Energy national lab network locations, published via perfSONAR web services. Further, using real-world case studies, we show how our scheme can provide helpful insights for detection, visualization and diagnosis of correlated network anomaly events, and can ultimately save time, effort, and costs spent on network management.
    Journal of Network and Systems Management 04/2014; 22(2). · 0.43 Impact Factor

Full-text

Download
1 Download
Available from