Abstract

Diagnosing traffic anomalies rapidly and accurately is critical to the efficient operation of large computer networks, yet it remains a challenge for network administrators. One problem is that the volume of traffic data does not allow real-time analysis of details. Another is that some generic detection metrics have limited capability to diagnose anomalies. To overcome these problems, we propose a system model with an explicit algorithm for on-line traffic analysis. In this scheme, we first use degree distributions to profile traffic features effectively, and then use entropy to determine and report changes in the degree distributions; changes in the entropy values, compared against an adaptive threshold, can accurately distinguish a massive network event as normal or anomalous. Simulations using a traffic trace collected on a high-speed link demonstrate that the scheme is feasible and efficient for on-line anomaly detection in practice.

Highlights

  • Anomalies are unusual and significant changes in a network’s traffic levels, which can create congestion in the network and stress resource utilization in a router

  • We first use degree distributions to profile traffic features effectively, and then use entropy to determine and report changes in the degree distributions; changes in the entropy values, compared against an adaptive threshold, can accurately distinguish a massive network event as normal or anomalous

  • On the other hand, the destination IP addresses seen in flows will be much more random than in normal traffic, which produces many hosts with in-degree 1; the in-degree distribution then becomes more concentrated, and the entropy of the in-degree distribution tends to decrease noticeably


Summary

Introduction

Anomalies are unusual and significant changes in a network’s traffic levels, which can create congestion in the network and stress resource utilization in a router. Recent studies demonstrate that entropy-based anomaly detection has clear advantages [5]. This approach captures fine-grained patterns in traffic distributions that simple volume-based metrics cannot identify. The use of entropy increases the sensitivity of detection, uncovering anomalous incidents that may not manifest as volume anomalies. Using such traffic features also provides additional diagnostic information about the nature of the anomalous incidents (e.g., distinguishing among worms, DDoS attacks, and scans) that is not available from volume-based anomaly detection alone. In this work we propose an anomaly detection mechanism that uses degree distributions to improve the detection capability of port and address features.
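As an added illustration of the mechanism described in the highlights and the introduction (example code, not the paper's own), the following Python computes the in-degree of each destination from a window of (source, destination) flow records, takes the Shannon entropy of the resulting degree distribution, and compares it against a band derived from earlier windows. The flow records, the base-2 entropy and the mean-plus-k-standard-deviations threshold rule are assumptions; the paper's own adaptive threshold is not given on this page.

```python
import math
from collections import Counter

def in_degrees(flows):
    """In-degree of each destination: number of distinct sources that sent it a flow."""
    sources_by_dst = {}
    for src, dst in flows:
        sources_by_dst.setdefault(dst, set()).add(src)
    return {dst: len(srcs) for dst, srcs in sources_by_dst.items()}

def degree_distribution(degrees):
    """P(k): fraction of hosts whose degree equals k."""
    counts = Counter(degrees.values())
    total = sum(counts.values())
    return {k: c / total for k, c in counts.items()}

def entropy(dist):
    """Shannon entropy in bits of a distribution given as {value: probability}."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def in_degree_entropy(flows):
    """Entropy of the in-degree distribution for one window of (src, dst) flows."""
    return entropy(degree_distribution(in_degrees(flows)))

def adaptive_threshold(history, k=3.0, min_std=0.05):
    """Band for the next entropy value, derived from recent windows (assumed rule)."""
    mean = sum(history) / len(history)
    std = math.sqrt(sum((h - mean) ** 2 for h in history) / len(history))
    std = max(std, min_std)  # floor so a flat history cannot make the band zero-width
    return mean - k * std, mean + k * std

def is_anomalous(value, history, k=3.0):
    """True when the window's entropy falls outside the adaptive band."""
    low, high = adaptive_threshold(history, k)
    return value < low or value > high

# Constructed sample traffic: five servers with fan-in of 5, 3, 2, 1 and 4 distinct clients.
def _fan_in(dst, n):
    return [(f"10.1.0.{i}", dst) for i in range(1, n + 1)]

NORMAL_FLOWS = (_fan_in("10.0.0.1", 5) + _fan_in("10.0.0.2", 3) + _fan_in("10.0.0.3", 2)
                + _fan_in("10.0.0.4", 1) + _fan_in("10.0.0.5", 4))
# Same window plus one source touching 20 otherwise idle hosts once each (scan-like).
SCAN_FLOWS = NORMAL_FLOWS + [("192.0.2.9", f"10.0.0.{h}") for h in range(10, 30)]
# Constructed entropy values from earlier normal windows, used to derive the band.
HISTORY = [2.30, 2.35, 2.28, 2.33, 2.31]

if __name__ == "__main__":
    for name, flows in (("normal", NORMAL_FLOWS), ("scan", SCAN_FLOWS)):
        h = in_degree_entropy(flows)
        print(f"{name}: H(in-degree) = {h:.3f}, anomalous = {is_anomalous(h, HISTORY)}")
```

With the constructed data, the scan window concentrates 21 of 25 hosts at in-degree 1 and the entropy drops from about 2.32 bits to about 0.95 bits, which the band flags while the normal window passes.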

Related Work
The Basic Theory
Diagnosis Methodology
System Model
Adaptive Detection Threshold Setup
Algorithm
Implementation Details
Performance Evaluation
Findings
Conclusions
