Abstract
In this Chapter we address the problem of detecting “anomalies” in the global network traffic produced by a large population of end-users. Empirical distributions across users are considered for several traffic variables at different timescales, and the goal is to identify statistically significant deviations from past behavior. This problem is cast into the framework of hypothesis testing. We first address the methodology for dynamically identifying a reference for the null hypothesis (“normal” traffic) that takes into account the typical non-stationarity of real traffic in volume and composition. Then, we illustrate two general distribution-based detection approaches, based on heuristic and on formal methods respectively. We also discuss operational criteria for dynamically tuning the detector, so as to track the physiological variation of traffic profiles and of the number of active users. The Chapter includes a final evaluation based on the analysis of a dataset from an operational 3G network, so as to show in practice the detection of real-world traffic anomalies.
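The abstract describes the detection scheme only at a high level: per-slot empirical distributions across users, a reference set of past slots standing in for the null hypothesis, and a test for statistically significant deviation. The following Python script is an added illustration, not the chapter's own code or method, of one simple detector of that kind. Everything concrete in it is an assumption made for the example: the traffic variable (bytes per user in a time bin), the log-spaced binning, the symmetrised Kullback-Leibler divergence as the distance between distributions, the threshold set from the pairwise divergences within the reference set, and the sliding-window update of the reference that lets the null hypothesis follow slow drift without absorbing flagged slots. The input data are constructed inline.

```python
import math
import random
from typing import Dict, List, Sequence

# Log-spaced bin edges for the per-user traffic variable used here
# (bytes sent by one user within a time bin). Both the variable and the
# binning are this example's assumptions, not the chapter's.
BIN_EDGES = [0.0, 1e3, 1e4, 1e5, 1e6, 1e7, math.inf]


def empirical_distribution(samples: Sequence[float], alpha: float = 0.5) -> List[float]:
    """Turn per-user values into a smoothed probability vector over BIN_EDGES.

    Normalising by the number of active users makes slots with different
    populations comparable; the additive pseudo-count `alpha` keeps every
    bin strictly positive so the divergence below is always finite.
    """
    counts = [0] * (len(BIN_EDGES) - 1)
    for x in samples:
        for i in range(len(counts)):
            if BIN_EDGES[i] <= x < BIN_EDGES[i + 1]:
                counts[i] += 1
                break
    total = sum(counts) + alpha * len(counts)
    return [(c + alpha) / total for c in counts]


def symmetric_kl(p: Sequence[float], q: Sequence[float]) -> float:
    """Symmetrised Kullback-Leibler divergence D(p||q) + D(q||p)."""
    return sum(pi * math.log(pi / qi) + qi * math.log(qi / pi) for pi, qi in zip(p, q))


def calibrate_threshold(reference: Sequence[Sequence[float]], k: float = 3.0) -> float:
    """Derive the decision threshold from the reference set itself.

    Divergences between pairs of past slots describe the 'physiological'
    variability under the null hypothesis; the threshold is placed k
    standard deviations above their mean.
    """
    pairwise = [
        symmetric_kl(reference[i], reference[j])
        for i in range(len(reference))
        for j in range(i + 1, len(reference))
    ]
    mean = sum(pairwise) / len(pairwise)
    std = math.sqrt(sum((d - mean) ** 2 for d in pairwise) / len(pairwise))
    return mean + k * std


def detect(current: Sequence[float], reference: Sequence[Sequence[float]], threshold: float):
    """Test statistic: mean divergence of the current slot from every reference slot.

    Returns (is_anomalous, statistic). The caller adds only slots that pass
    the test to the reference, so the null hypothesis tracks slow drift
    without absorbing anomalies.
    """
    stat = sum(symmetric_kl(current, r) for r in reference) / len(reference)
    return stat > threshold, stat


def update_reference(reference: Sequence[Sequence[float]], slot: Sequence[float],
                     window: int = 12) -> List[List[float]]:
    """Sliding reference window: append the newest slot, drop the oldest."""
    return [list(r) for r in reference][-(window - 1):] + [list(slot)]


def run_scenario(seed: int = 7) -> Dict[str, object]:
    """Constructed data: per-user byte counts drawn log-normally, with a varying
    number of active users per slot. The anomalous slot moves about one user
    in three to a much higher volume regime (e.g. a burst of bulk transfers)."""
    rng = random.Random(seed)

    def slot(anomalous: bool = False) -> List[float]:
        n_users = rng.randint(800, 1200)
        values = [math.exp(rng.gauss(9.0, 2.0)) for _ in range(n_users)]
        if anomalous:
            for i in range(0, n_users, 3):
                values[i] = math.exp(rng.gauss(15.0, 0.5))
        return values

    reference = [empirical_distribution(slot()) for _ in range(12)]
    threshold = calibrate_threshold(reference)

    normal = empirical_distribution(slot())
    normal_flag, normal_stat = detect(normal, reference, threshold)
    if not normal_flag:
        reference = update_reference(reference, normal)

    anomalous = empirical_distribution(slot(anomalous=True))
    anomaly_flag, anomaly_stat = detect(anomalous, reference, threshold)

    return {
        "threshold": threshold,
        "normal_flagged": normal_flag,
        "normal_stat": normal_stat,
        "anomaly_flagged": anomaly_flag,
        "anomaly_stat": anomaly_stat,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points carry over to any detector of this family. First, the threshold is not a fixed constant but is re-derived from the reference set, so it follows the natural spread of the traffic profile; the factor `k` trades false alarms against missed detections. Second, the reference is updated only with slots judged normal: admitting a flagged slot would shift the null hypothesis toward the anomaly and mask its continuation.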
© 2013 Springer-Verlag Berlin Heidelberg
Coluccia, A., D’Alconzo, A., Ricciato, F. (2013). Distribution-Based Anomaly Detection in Network Traffic. In: Biersack, E., Callegari, C., Matijasevic, M. (eds) Data Traffic Monitoring and Analysis. Lecture Notes in Computer Science, vol 7754. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36784-7_9
DOI: https://doi.org/10.1007/978-3-642-36784-7_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36783-0
Online ISBN: 978-3-642-36784-7