Online detection of network traffic anomalies using behavioral distance

2009 17th International Workshop on Quality of Service Pub Date : 2009-07-13 DOI:10.1109/IWQoS.2009.5201415

Hemant Sengar, Xinyuan Wang, Haining Wang, D. Wijesekera, S. Jajodia

{"title":"Online detection of network traffic anomalies using behavioral distance","authors":"Hemant Sengar, Xinyuan Wang, Haining Wang, D. Wijesekera, S. Jajodia","doi":"10.1109/IWQoS.2009.5201415","DOIUrl":null,"url":null,"abstract":"While network-wide anomaly analysis has been well studied, the on-line detection of network traffic anomalies at a vantage point inside the Internet still poses quite a challenge to network administrators. In this paper, we develop a behavioral distance based anomaly detection mechanism with the capability of performing on-line traffic analysis. To construct accurate online traffic profiles, we introduce horizontal and vertical distance metrics between various traffic features (i.e., packet header fields) in the traffic data streams. The significant advantages of the proposed approach lie in four aspects: (1) it is efficient and simple enough to process on-line traffic data; (2) it facilitates protocol behavioral analysis without maintaining per-flow state; (3) it is scalable to high speed traffic links because of the aggregation, and (4) using various combinations of packet features and measuring distances between them, it is capable for accurate on-line anomaly detection. We validate the efficacy of our proposed detection system by using network traffic traces collected at Abilene and MAWI high-speed links.","PeriodicalId":231103,"journal":{"name":"2009 17th International Workshop on Quality of Service","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-07-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"31","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 17th International Workshop on Quality of Service","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IWQoS.2009.5201415","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 31

Abstract

While network-wide anomaly analysis has been well studied, the on-line detection of network traffic anomalies at a vantage point inside the Internet still poses quite a challenge to network administrators. In this paper, we develop a behavioral distance based anomaly detection mechanism with the capability of performing on-line traffic analysis. To construct accurate online traffic profiles, we introduce horizontal and vertical distance metrics between various traffic features (i.e., packet header fields) in the traffic data streams. The significant advantages of the proposed approach lie in four aspects: (1) it is efficient and simple enough to process on-line traffic data; (2) it facilitates protocol behavioral analysis without maintaining per-flow state; (3) it is scalable to high speed traffic links because of the aggregation, and (4) using various combinations of packet features and measuring distances between them, it is capable for accurate on-line anomaly detection. We validate the efficacy of our proposed detection system by using network traffic traces collected at Abilene and MAWI high-speed links.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

使用行为距离在线检测网络流量异常

虽然网络范围内的异常分析已经得到了很好的研究，但在互联网内部的有利位置在线检测网络流量异常仍然给网络管理员带来了相当大的挑战。在本文中，我们开发了一种基于行为距离的异常检测机制，该机制具有在线流量分析的能力。为了构建准确的在线流量概况，我们在流量数据流中引入了各种流量特征(即数据包报头字段)之间的水平和垂直距离度量。该方法的显著优势体现在四个方面:(1)对在线交通数据的处理既高效又简单;(2)便于协议行为分析，无需维护每流状态;(3)由于其聚合性，可扩展到高速流量链路;(4)利用数据包特征的各种组合和测量它们之间的距离，能够准确地在线检测异常。我们通过使用在阿比林和MAWI高速链路收集的网络流量痕迹来验证我们提出的检测系统的有效性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

2009 17th International Workshop on Quality of Service

自引率

0.00%

发文量