Corpus ID: 16672252

Network Traffic Decomposition for Anomaly Detection

Authors: Tahereh Babaie, Sanjay Chawla, Sebastien Ardon
In this paper we focus on the detection of network anomalies like Denial of Service (DoS) attacks and port scans in a unified manner. While there has been an extensive amount of research in network anomaly detection, current state-of-the-art methods are only able to detect one class of anomalies at the cost of others. The key tool we will use is based on the spectral decomposition of a trajectory/Hankel matrix, which is able to detect deviations from both between and within correlation present…
New Methods for Network Traffic Anomaly Detection
This thesis introduces a new problem, the Online Selective Anomaly Detection (OSAD) problem, to model the situation where the objective is to report new anomalies in the system while suppressing known faults, and designs a new method for outlier detection based on spectral decomposition of the Hankel matrix.

Notice of Retraction: Efficient feature extraction using apache spark for network behavior anomaly detection
This work proposes an efficient traffic feature extraction architecture that combines the benefits of traffic volume features and network communication pattern features and can detect low-intensity anomalous network behaviors as well as conventional traffic volume anomalies.

A traffic anomaly detection approach in communication networks for applications of multimedia medical devices
This paper studies the traffic anomaly detection problem in large-scale communication networks with multimedia medical devices and combines the empirical mode decomposition method with the wavelet packet transform to propose an accurate detection method.

Network Volume Anomaly Detection and Identification in Large-Scale Networks Based on Online Time-Structured Traffic Tensor Tracking
An online subspace tracking method for a Hankelized time-structured traffic tensor of normal flows is proposed, based on the Candecomp/PARAFAC decomposition and the recursive least squares algorithm.

Investigation of the Method for Identifying Cyberattacks Based on Analysis of the State of Network Nodes
The effectiveness of the developed attack-recognition model was evaluated in the network of a telecommunications service provider, showing sufficiently high accuracy in determining the class of suspicious activity.

Attention-Based Bi-LSTM Model for Anomalous HTTP Traffic Detection
A deep neural network model using Bidirectional Long Short-Term Memory (Bi-LSTM) with an attention mechanism is proposed; it models HTTP traffic as a natural-language sequence and reports strong performance in malicious HTTP traffic detection.

An Overview of DDOS Attacks Detection and Prevention in the Cloud
Surveys the detection and prevention methods used against DDoS (Distributed Denial of Service) attacks in the cloud and notes that slow-client application-layer attacks still leave considerable scope for research.

Adaptive Management of Information Network Protection with Analysis of Intruder's Actions
The proposed method is based on analyzing the dynamics of the intruder's actions and determining the situational confrontation parameters under stochastic uncertainty; it allows the automated management systems of an organization with an integrated structure to keep operating while multiple threats change their dynamics.

DeepHTTP: Semantics-Structure Model with Attention for Anomalous HTTP Traffic Detection and Pattern Mining
This work proposes DeepHTTP, a semantics-structure integration model that uses Bidirectional Long Short-Term Memory (Bi-LSTM) with an attention mechanism to model HTTP traffic as a natural-language sequence and integrates structural information to improve the model's generalization.

Recovering Missing Values From Corrupted Historical Observations: Approaching the Limit of Predictability in Spectrum Prediction Tasks
This paper designs a robust online spectrum data recovery algorithm based on the alternating direction method, introduces the concept of maximum predictability to reveal the harmful effects of missing data and anomalies, and evaluates the effectiveness of the proposed algorithm from an information-theoretic perspective.


Sensitivity of PCA for traffic anomaly detection
This study identifies and evaluates four main challenges of using PCA to detect traffic anomalies, among them: the false positive rate is very sensitive to small differences in the number of principal components in the normal subspace, the effectiveness of PCA is sensitive to the level of aggregation of the traffic measurements, and a large anomaly may inadvertently pollute the normal subspace.

Characterization of network-wide anomalies in traffic flows
This paper presents the first large-scale exploration of the power of the subspace method when applied to flow traffic, and finds that almost all of the anomalies detected represent events of interest to network operators.

A signal analysis of network traffic anomalies
This paper reports results of signal analysis of four classes of network traffic anomalies (outages, flash crowds, attacks and measurement failures) and shows that wavelet filters are quite effective at exposing the details of both ambient and anomalous traffic.

Diagnosing network-wide traffic anomalies
A general method is proposed that separates the high-dimensional space occupied by a set of network traffic measurements into disjoint subspaces corresponding to normal and anomalous network conditions, and uses that separation to diagnose anomalies.

ASTUTE: detecting a different class of traffic anomalies
This work designs a computationally simple detection method for correlated anomalous flows and finds that it uncovers a different class of anomalies than previous techniques do.

Combining filtering and statistical methods for anomaly detection
It is explained how any anomaly detection method can be viewed as a problem in statistical hypothesis testing, and four different methods for analyzing residuals, two of them new, are studied and compared.

Network anomography
A new dynamic anomography algorithm is introduced that tracks routing and traffic change, so as to alert with high fidelity on intrinsic changes in network-level traffic but not on internal routing changes; an additional benefit of dynamic anomography is that it is robust to missing data, an important operational reality.

The need for simulation in evaluating anomaly detectors
This paper argues that there are numerous important questions about the effectiveness of anomaly detectors that cannot be answered by the evaluation techniques employed today, and presents an outline of an evaluation methodology that leverages both simulation and traces from operational networks.

Applying PCA for Traffic Anomaly Detection: Problems and Solutions
A slightly modified version of PCA that uses only data from a single router is developed, and a solution is proposed to the main problem, that PCA fails to capture temporal correlation: PCA is replaced with the Karhunen-Loeve transform.

URCA: Pulling out Anomalies by their Root Causes
This work introduces Unsupervised Root Cause Analysis (URCA), which isolates anomalous traffic and classifies alarms with minimal manual assistance and high accuracy, and shows that URCA can accurately diagnose a large range of anomaly types, including network scans, DDoS attacks, and major routing changes.