A signal analysis of network traffic anomalies


Identifying anomalies rapidly and accurately is critical to the efficient operation of large computer networks. Accurately characterizing important classes of anomalies greatly facilitates their identification; however, the subtleties and complexities of anomalous traffic can easily confound this process. In this paper we report results of signal analysis of four classes of network traffic anomalies: outages, flash crowds, attacks and measurement failures. The data set for this study consists of IP flow and SNMP measurements collected over a six month period at the border router of a large university. Our results show that wavelet filters are quite effective at exposing the details of both ambient and anomalous traffic. Specifically, we show that a pseudo-spline filter tuned at specific aggregation levels will expose distinct characteristics of each class of anomaly. We show that anomalies can be exposed effectively by detecting a sharp increase in the local variance of the filtered data. We evaluate traffic anomaly signals at different points within a network based on topological distance from the anomaly source or destination. We show that anomalies can be exposed effectively even when aggregated with a large amount of additional traffic. We also compare the same traffic anomaly signals as seen in SNMP and IP flow data, and show that the more coarse-grained SNMP data can also be used to expose anomalies effectively.
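The following Python script is an added worked example, not code from the paper or its authors, of the detection idea the abstract describes: decompose a traffic time series into frequency bands, watch the local variance of the filtered bands, and flag a sharp increase. It substitutes an undecimated Haar wavelet for the paper's pseudo-spline filters and normalises each band by its median local variance; the one-day SNMP-style byte-rate series, the injected outage and flash crowd, the scales (1, 2, 4, 8 five-minute samples), the 12-sample window and the threshold of 40 are all assumptions chosen here for illustration, not values from the paper.

```python
import math
import random
import statistics


def constructed_snmp_series(seed=0, n=288):
    """Constructed input (not measured data): one day of 5-minute SNMP byte-rate
    samples in Mbit/s, a diurnal baseline plus Gaussian noise, with an outage
    and a flash crowd injected.  Returns (series, outage_range, flash_range)."""
    rng = random.Random(seed)
    x = [50.0 + 20.0 * math.sin(2 * math.pi * t / n) + rng.gauss(0.0, 2.0)
         for t in range(n)]
    outage = (120, 128)              # link down for 40 minutes: rate falls to ~0
    for t in range(*outage):
        x[t] = abs(rng.gauss(0.0, 0.2))
    flash = (220, 260)               # flash crowd: abrupt rise, exponential decay
    for i, t in enumerate(range(*flash)):
        x[t] += 60.0 * math.exp(-i / 8.0)
    return x, outage, flash


def haar_detail(x, scale):
    """Undecimated Haar wavelet detail at `scale`: mean of the last `scale`
    samples minus the mean of the `scale` samples before them.  Positions
    without enough history are left at 0.  This is a stand-in for the paper's
    pseudo-spline filters: it isolates changes on a time scale of ~`scale` samples."""
    d = [0.0] * len(x)
    for t in range(2 * scale - 1, len(x)):
        recent = sum(x[t - scale + 1:t + 1]) / scale
        older = sum(x[t - 2 * scale + 1:t - scale + 1]) / scale
        d[t] = recent - older
    return d


def local_variance(d, window):
    """Population variance of d over a trailing window (0 where history is short).
    Because the variance is taken about the window mean, the slowly varying
    diurnal component drops out and does not raise alarms by itself."""
    lv = [0.0] * len(d)
    for t in range(window - 1, len(d)):
        lv[t] = statistics.pvariance(d[t - window + 1:t + 1])
    return lv


def deviation_score(x, scales=(1, 2, 4, 8), window=12):
    """Per-sample score: local variance of each wavelet band divided by that
    band's median local variance (its ambient level), summed over bands.
    Ambient traffic scores about 1 per band; an anomaly produces a sharp rise."""
    score = [0.0] * len(x)
    for s in scales:
        lv = local_variance(haar_detail(x, s), window)
        quiet = max(statistics.median([v for v in lv if v > 0.0]), 1e-12)
        for t, v in enumerate(lv):
            score[t] += v / quiet
    return score


def detect_anomalies(x, threshold=40.0, **kwargs):
    """Sample indices whose deviation score exceeds `threshold`.  The default is
    roughly ten times the ambient level of four bands; it is a tuning parameter
    assumed here, not a constant from the paper."""
    return [t for t, s in enumerate(deviation_score(x, **kwargs)) if s > threshold]


def episodes(indices, gap=3):
    """Merge flagged indices separated by at most `gap` samples into (start, end) pairs."""
    out = []
    for t in indices:
        if out and t - out[-1][1] <= gap:
            out[-1] = (out[-1][0], t)
        else:
            out.append((t, t))
    return out


if __name__ == "__main__":
    series, outage, flash = constructed_snmp_series()
    for start, end in episodes(detect_anomalies(series)):
        print(f"anomaly: samples {start}-{end} "
              f"({start * 5 // 60:02d}:{start * 5 % 60:02d} to "
              f"{end * 5 // 60:02d}:{end * 5 % 60:02d})")
```

Run as a script it prints the flagged episodes, which land on the injected outage (starting at sample 120) and flash crowd (starting at sample 220). The score is computed from trailing windows, so each alarm lags the event by up to a window length and persists while the edge of the anomaly remains inside the window of the coarsest band; in a deployment the scales, window and threshold would be tuned against the site's own ambient traffic, and the same code applies unchanged to IP flow counts aggregated into the same bins.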

DOI: 10.1145/637201.637210

Cite this paper

@inproceedings{Barford2002ASA,
  title     = {A signal analysis of network traffic anomalies},
  author    = {Paul Barford and Jeffery Kline and David Plonka and Amos Ron},
  booktitle = {Internet Measurement Workshop},
  year      = {2002},
  doi       = {10.1145/637201.637210}
}