Abstract

In this paper, we propose a fast statistical anomaly detector at the aggregated level for two types of anomalies: floods and flash crowds. The performance of statistical anomaly detectors depends significantly on the accuracy of statistical modeling. Thus, we first introduce a new efficient statistical model for network traffic called the Gamma Normal mixture (GNM). We study the compatibility of GNM and network traffic using different tests. Consequently, we design a novel anomaly detector based on the generalized likelihood ratio test (GLRT) and GNM. Moreover, to determine the position of the anomalies more accurately, overlapped sliding windows are applied in the aggregation step. To evaluate the performance of the proposed anomaly detector, we use receiver operating characteristics (ROC). Experimental results on public network traces confirm the high efficiency of the proposed method. Also, the comparison of the proposed anomaly detector with its nearest competitor verifies the higher performance and lower computational load of the new strategy.
