Detecting Distributed Network Traffic Anomaly with Network-Wide Correlation Analysis

Journal on Advances in Signal Processing (Impact Factor: 0.78). 01/2009; 2009(1). DOI: 10.1155/2009/752818
Source: DBLP


A distributed network traffic anomaly is abnormal traffic behavior that involves many links of a network and stems from a single cause (e.g., a DDoS attack or worm propagation). The anomaly traversing any single link may be unnoticeable and hard to detect, while the aggregate of the anomalous traffic across many links can be prevailing and does more harm to the network. Exploiting the similar features that a distributed traffic anomaly exhibits on many links, this paper proposes a network-wide detection method based on anomalous correlation analysis of the traffic signals' instantaneous parameters. In our method, the traffic signals' instantaneous parameters are first computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of the anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.
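As an added illustration of the pipeline the abstract describes (this is not the paper's code), the block below assumes a moving-average predictor per link, the prediction residuals as the "anomalous space", and the mean pairwise Pearson correlation of residual windows as the "global correlation coefficient"; the traffic for four links is constructed and noise-free so the result can be checked by hand.

```python
"""Network-wide anomaly detection by correlating per-link prediction residuals.

Added illustration, not the paper's code. The abstract does not specify the
predictor or the correlation statistic, so this example ASSUMES:
  * predictor: per-link moving average of the previous W samples,
  * anomalous space: residual = observed - predicted, per link,
  * global correlation coefficient: mean pairwise Pearson correlation of the
    residual windows across all link pairs.
"""
from itertools import combinations
from statistics import mean, pstdev

W = 5  # assumed predictor history length (samples)


def residuals(series, w=W):
    """Anomalous space of one link: observed minus moving-average prediction."""
    return [series[t] - mean(series[t - w:t]) for t in range(w, len(series))]


def pearson(x, y):
    """Population Pearson correlation; 0.0 when either window is flat."""
    mx, my, sx, sy = mean(x), mean(y), pstdev(x), pstdev(y)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (len(x) * sx * sy)


def global_correlation(resid, start, length):
    """Mean pairwise correlation of all links' residuals in one time window."""
    windows = [r[start:start + length] for r in resid]
    return mean(pearson(a, b) for a, b in combinations(windows, 2))


def detect(links, window=6, threshold=0.6):
    """Return residual-time window starts whose global correlation > threshold."""
    resid = [residuals(s) for s in links]
    n = len(resid[0])
    return [s for s in range(n - window + 1)
            if global_correlation(resid, s, window) > threshold]


# Constructed, noise-free sample: 4 links with distinct steady rates (Mb/s).
# t=20..22: a small +5 surge hits EVERY link (distributed anomaly).
# t=34..36: a large +80 surge hits link 0 only (single-link anomaly).
LINKS = [[base] * 40 for base in (100, 200, 300, 400)]
for link in LINKS:
    for t in (20, 21, 22):
        link[t] += 5
for t in (34, 35, 36):
    LINKS[0][t] += 80

if __name__ == "__main__":
    # Residual index j corresponds to sample t = j + W.
    print("flagged window starts:", detect(LINKS))  # -> [10, 11, ..., 22]
```

Only the windows touching the small but network-wide surge are flagged; the much larger surge confined to link 0 leaves the cross-link correlation at zero, which is the point the abstract makes about single-link versus aggregated anomalies.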



Available from: Guangmin Hu, Aug 22, 2015
  • "Meanwhile, the multi-domain alert correlation can even aggregate alerts that possess common feature values. Instead of only focusing on traffic volume, researchers have extended the anomaly detection to the frequency domain, in which the traffic distribution has been considered as random signals and its energy distribution in different frequency bands has been analyzed [4] [28] [36]."
    ABSTRACT: The prosperity of the Internet has made it attractive to hackers and malicious attackers. Internet worms have become one of the major threats to the network infrastructure. Distributed defense collaborating with single-point-deployed security applications over multiple network domains is promising. However, most of the reported collaborative schemes for distributed defense are application-specific. There is not much research that studies the general properties of variant collaborative schemes systematically. This paper explores properties of general collaborative defense strategies from the perspective of complex systems. A three-layered network modeling platform has been developed. Taking advantage of the small-world network model, the platform consists of two network layers and one application layer. On top of it, an experimental comparison study of collaborative defense schemes has been conducted. Their performance and effectiveness facing signature-embedded worm attacks have been evaluated.
    Full-text · Conference Paper · Jan 2010
  • ABSTRACT: Security of network infrastructure has become a major concern. Ideally, a comprehensive solution for issues of security is expected to cover the entire fabric of a network’s infrastructure. However, this is not feasible owing to scalability and complexity. In this chapter, a comparison study of two major collaborative schemes for distributed defense is described. A three-layered network model including two network layers and one application layer has been developed. The chapter provides a brief review of the reported work on distributed defense schemes for network infrastructure security. It introduces a developed three-layered modeling platform. The chapter focuses on a description of our modeled worm-based attack and defense. It describes the operational detail of how the simulation experiments have been conducted. The chapter analyzes the results for the overall performance evaluation of applying multi-points collaboration for distributed defense.
    Keywords: computer network security; distribution networks
    Chapter · Jun 2011
  • ABSTRACT: For purposes such as end-to-end monitoring, capacity planning, and performance bottleneck troubleshooting across multi-domain networks, there is an increasing trend to deploy interoperable measurement frameworks such as perfSONAR. These deployments expose vast data archives of current and historic measurements, which can be queried using web services. Analysis of these measurements using effective schemes to detect and diagnose anomaly events is vital since it allows for verifying whether network behavior meets expectations. In addition, it allows for proactive notification of bottlenecks that may be affecting a large number of users. In this paper, we describe our novel topology-aware scheme that can be integrated into perfSONAR deployments for detection and diagnosis of network-wide correlated anomaly events. Our scheme involves spatial and temporal analyses on combined topology and uncorrelated anomaly event information for detection of correlated anomaly events. Subsequently, a set of ‘filters’ is applied to the detected events to prioritize them based on potential severity, and to drill down upon the events’ “nature” (e.g., event burstiness) and “root-location(s)” (e.g., edge or core location affinity). To validate our scheme, we use traceroute information and one-way delay measurements collected over 3 months between the various U.S. Department of Energy national lab network locations, published via perfSONAR web services. Further, using real-world case studies, we show how our scheme can provide helpful insights for detection, visualization and diagnosis of correlated network anomaly events, and can ultimately save time, effort, and costs spent on network management.
    Article · Apr 2014 · Journal of Network and Systems Management