
Anomaly Detection using Spatio-Temporal Measures




Abstract

With the development of network technology and the growing size of networks, the network structure is becoming more and more complicated. Mutual interactions of different network equipment, topology configurations, transmission protocols, and cooperation and competition among network users inevitably cause the network traffic flow, which is controlled by several driving factors, to exhibit non-stationary and complicated behavior. Because of this non-stationary property, traditional methods cannot easily analyze complicated network traffic. We present different approaches to characterize traffic: (i) a model-free approach based on the method of types and Sanov's theorem, (ii) a model-based approach modeling traffic using super statistics theory, and (iii) another model-based approach using a Markov modulated process. Using these characterizations as a reference, we continuously monitor traffic and employ large deviations and decision theory results to "compare" the empirical measure of the monitored traffic with the corresponding reference characterization, thus identifying traffic anomalies in real time. According to super statistics theory, a complex dynamic system may have large fluctuations of intensive quantities on large time scales, which cause the system to behave as non-stationary; this is also a characteristic of network traffic. The non-stationary traffic time series is partitioned into small stationary segments, each of which can be modeled by a discrete Generalized Pareto (GP) distribution. Different segments follow GP distributions with different distribution parameters, which are named slow parameters. Throughout, we compare these two approaches, presenting their advantages and disadvantages for identifying and classifying temporal network anomalies. We also demonstrate how our framework can be used to monitor traffic from multiple network elements in order to identify both spatial and temporal anomalies. We validate our techniques by analyzing real traffic traces with time-stamped anomalies.
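The model-free approach described above, as an added illustration that is not code from the paper: a monitored window's empirical type Q is compared with a reference type P via the relative entropy D(Q||P), and since Sanov's theorem says the probability of observing a type as far from P as Q decays like exp(-n D(Q||P)), the score n·D(Q||P) is thresholded against an alarm level. The rate buckets, the alarm level alpha and all traffic values are constructed assumptions.

```python
"""Added illustration of the model-free approach (not code from the paper):
a window's empirical type Q is compared with a reference type P through the
relative entropy D(Q||P). By Sanov's theorem, the probability that n samples
drawn from P show a type as far from P as Q decays like exp(-n D(Q||P)), so
n*D(Q||P) is a natural anomaly score. Bin edges, the alarm level alpha and
all traffic values below are constructed assumptions."""
import math
from collections import Counter

BIN_EDGES = (100, 200, 400, 800)   # rate buckets in bytes/s (constructed)
ALPHABET = len(BIN_EDGES) + 1      # symbols 0 .. 4

def quantize(rate):
    """Map a traffic rate to its bucket index (the symbol of the type)."""
    return sum(rate >= edge for edge in BIN_EDGES)

def empirical_type(symbols):
    """Empirical measure (type) of a symbol sequence, as a probability vector."""
    counts = Counter(symbols)
    return [counts[s] / len(symbols) for s in range(ALPHABET)]

def relative_entropy(q, p, floor=1e-6):
    """D(Q||P) in nats; P is floored so symbols unseen in training stay finite."""
    return sum(qi * math.log(qi / max(pi, floor)) for qi, pi in zip(q, p) if qi > 0)

def anomaly_score(window_rates, reference):
    """n * D(Q||P): the large-deviations exponent for the monitored window."""
    q = empirical_type([quantize(r) for r in window_rates])
    return len(window_rates) * relative_entropy(q, reference)

def is_anomalous(window_rates, reference, alpha=1e-3):
    """Alarm when the Sanov estimate exp(-n D(Q||P)) drops below alpha."""
    return anomaly_score(window_rates, reference) > -math.log(alpha)

# Constructed reference window: normal traffic sits between 100 and 400 B/s.
REFERENCE_RATES = [150, 250, 180, 320, 210, 140, 270, 390, 160, 230] * 10
REFERENCE = empirical_type([quantize(r) for r in REFERENCE_RATES])

# Constructed monitored windows: one normal, one with a sustained burst.
NORMAL_WINDOW = [170, 260, 190, 300, 220, 150, 280, 350, 130, 240]
BURST_WINDOW = [900, 1200, 1500, 950, 1100, 2000, 850, 1300, 1700, 1000]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("burst", BURST_WINDOW)):
        print(name, round(anomaly_score(window, REFERENCE), 3), is_anomalous(window, REFERENCE))
```

The normal window has exactly the reference type, so its score is 0; the burst window falls entirely into a bucket the reference never saw, so the floored reference probability drives the score far above the alarm level.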


Keywords

Large Deviations, Markov Processes, Method of Types, Super Statistics, Pareto Distribution, Network Traffic.
