Abstract

This paper proposes a general-purpose anomaly detection mechanism for Internet backbone traffic named GAMPAL (General-purpose Anomaly detection Mechanism using Prefix Aggregate without Labeled data). GAMPAL does not require labeled data to achieve general-purpose anomaly detection. For scalability to the number of entries in the BGP RIB (Border Gateway Protocol Routing Information Base), GAMPAL introduces prefix aggregates. The BGP RIB entries are classified into prefix aggregates, each of which is identified by the first three AS (Autonomous System) numbers in the AS_PATH attribute. GAMPAL establishes a prediction model for traffic sizes based on past traffic sizes. It adopts an LSTM-RNN (Long Short-Term Memory Recurrent Neural Network) model that focuses on the periodicity of Internet traffic patterns at a weekly scale. The validity of GAMPAL is evaluated using real traffic information and BGP RIBs exported from the WIDE backbone network (AS2500), a nationwide backbone network for research and educational organizations in Japan, and from the dataset of an ISP (Internet Service Provider) in Spain. As a result, GAMPAL successfully detects anomalies such as increased traffic due to an event, DDoS (Distributed Denial of Service) attacks targeted at a stub organization, a connection failure, an SSH (Secure Shell) scan attack, and a spam anomaly.
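The prefix-aggregate step described above, as an added illustration that is not code from the paper or from the WIDE project: RIB entries are keyed by the first three ASNs of their AS_PATH, flow records are mapped to an aggregate by longest-prefix match on the destination address, and per-aggregate traffic sizes are accumulated per time bin. The RIB entries and flow records are constructed sample data, not real AS2500 data. The `weekly_ratio` helper is a deliberately simple stand-in for the paper's LSTM-RNN predictor (it only compares a bin with the same bin one week earlier); the handling of AS_PATHs shorter than three ASNs (used as-is) is an assumption the abstract does not specify.

```python
import ipaddress
from collections import defaultdict

# Constructed sample RIB: (prefix, AS_PATH as a list of ASNs). Not real WIDE data.
RIB = [
    ("192.0.2.0/24",    [2500, 64500, 64510]),
    ("192.0.2.128/25",  [2500, 64500, 64511]),          # more specific, different 3rd AS
    ("198.51.100.0/24", [2500, 64500, 64510, 64520]),   # same first three ASNs as 192.0.2.0/24
    ("203.0.113.0/24",  [2500, 64501, 64530]),
    ("0.0.0.0/0",       [2500]),                         # default route, path shorter than three ASNs
]

# Constructed sample flows: (hour_bin, dst_ip, bytes). Hour bins are hours since epoch start.
FLOWS = [
    (0,   "192.0.2.5",     1000),
    (0,   "198.51.100.7",   500),
    (168, "192.0.2.5",     6000),   # one week later, same aggregate, 4x the bytes
    (168, "192.0.2.200",    100),   # falls into the /25 aggregate
    (168, "10.0.0.1",        42),   # only matches the default route
]


def aggregate_key(as_path, n=3):
    """Prefix aggregate identifier: the first n ASNs of AS_PATH.
    Assumption: paths shorter than n ASNs are keyed as-is."""
    return tuple(as_path[:n])


def build_aggregates(rib):
    """Return [(network, aggregate_key)] sorted most-specific first,
    so a linear scan performs longest-prefix match."""
    table = [(ipaddress.ip_network(prefix), aggregate_key(path)) for prefix, path in rib]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, ip):
    """Longest-prefix match of an address against the aggregate table."""
    addr = ipaddress.ip_address(ip)
    for net, key in table:
        if addr in net:             # ipaddress returns False on IPv4/IPv6 mismatch
            return key
    return None


def traffic_per_aggregate(table, flows):
    """Accumulate bytes per (aggregate, hour bin): {key: {hour: bytes}}."""
    series = defaultdict(lambda: defaultdict(int))
    for hour, dst, nbytes in flows:
        key = lookup(table, dst)
        if key is None:
            continue                # no covering prefix; not attributable to an aggregate
        series[key][hour] += nbytes
    return series


def weekly_ratio(series_for_key, hour, period=168):
    """Traffic at `hour` relative to the same hour one week (168 h) earlier.
    Simplified stand-in for the paper's LSTM-RNN prediction; None if there is no baseline."""
    baseline = series_for_key.get(hour - period, 0)
    if baseline == 0:
        return None
    return series_for_key.get(hour, 0) / baseline


if __name__ == "__main__":
    table = build_aggregates(RIB)
    series = traffic_per_aggregate(table, FLOWS)
    for key, bins in sorted(series.items()):
        print(key, dict(bins), "week-over-week at h168:", weekly_ratio(bins, 168))
```

Note that 192.0.2.0/24 and 198.51.100.0/24 land in the same aggregate because their first three ASNs agree, which is the point of the construction: the number of time series to model grows with the number of distinct three-ASN path prefixes rather than with the number of RIB entries.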

Highlights

  • The Internet backbone network contains a large amount of traffic originating from various kinds of users and services [1]

  • The flow data (NetFlow) and the BGP RIBs exported from two types of networks are used to verify the versatility of GAMPAL

  • This paper proposes a general-purpose anomaly detection mechanism called GAMPAL for Internet backbone traffic derived from an LSTM-RNN-based prediction model


Introduction

The Internet backbone network contains a large amount of traffic originating from various kinds of users and services [1]. The patterns of such traffic are peaked and jagged, and they change from moment to moment, even during ordinary times. The signature-based approach is suitable for detecting known anomalies in real time, even for a large amount of traffic such as Internet backbone traffic [2,3,4]. However, this technique fails to detect unknown anomalies such as new types of attacks. The behavior-based approach with such labeled data is
