Abstract

Anomaly detection is an important technique for identifying patterns of unusual network behavior and keeping the network under control. Today, network attacks are increasing in both number and sophistication. To avoid producing conspicuous traffic patterns and being detected by existing techniques, many new attacks adjust their behavior gradually, and because of the way they operate they always generate incomplete sessions. Accordingly, in this work we employ the behavior symmetry degree to profile anomalies and identify unusual behaviors. We first propose a symmetry degree that identifies the incomplete sessions generated by unusual behaviors; we then employ a sketch to calculate the symmetry degree of internal hosts, improving identification efficiency for online applications. To reduce memory cost and the probability of collisions, we divide each IP address into four segments that are used as keys of the hash functions in the sketch. Moreover, to further improve detection accuracy, a threshold selection method is proposed for dynamic traffic pattern analysis. The hash functions in the sketch are designed using the Chinese remainder theorem, which allows the IP addresses associated with anomalies to be traced analytically. We tested the proposed techniques on traffic data collected from the northwest center of CERNET (China Education and Research Network); the results show that the proposed methods can effectively detect anomalies in large-scale networks.

Highlights

  • Anomaly detection aims at identifying the presence of unusual network traffic patterns, which has become an increasingly critical challenge for network management and

The research presented in this paper is supported in part by the National Natural Science Foundation of China (61772411, 61672026, 61602370, U1736205), Project JCYJ20170816100819428 supported by SZSTI, and the China Scholarship Council (201706285018). Corresponding author: T

  • Most traditional anomaly detection methods, which mainly examine statistical patterns extracted from the entire raw traffic volume, lose their effectiveness in detecting such smart attacks [5], [6], [7], [8], [9]

  • We propose the Symmetry Degree of a specific Internal host (SDI), defined as the maximum ratio between the Out Connection Degree (OCDI) and the In Connection Degree (ICDI) of that host; a host whose outbound and inbound connection degrees are balanced has a low SDI, while one that initiates many sessions that are never answered has a high SDI, so the measure characterizes this kind of abnormal host behavior effectively


Summary

INTRODUCTION

Anomaly detection aims at identifying the presence of unusual network traffic patterns, which has become an increasingly critical challenge for network management and. Extracting stable and efficient traffic patterns from the massive raw traffic data, and improving the ability to detect smart attacks, is a key challenge. To address these limitations, we propose the behavior symmetry degree to characterize abnormal host behaviors: the Symmetry Degree of a specific Internal host (SDI), defined as the maximum ratio between the Out Connection Degree (OCDI) and In Connection Degree (ICDI) of that host, characterizes this kind of abnormal host behavior effectively. The main contributions of this paper can be summarized as follows: 1) A graph-based network model is proposed to describe the communication patterns between end hosts, in which a symmetry degree is defined that characterizes the anomalies effectively. 2) The proposed method can trace the anomaly-related IP addresses for efficient security management with analytic calculation and constant computational time. 3) The proposed method achieves better performance with lower computation overhead.
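The abstract and introduction describe three mechanisms together: a per-host symmetry degree (maximum ratio of out- to in-connection degree), a sketch that accumulates those degrees in hashed buckets, and hash functions built so that the Chinese remainder theorem recovers the address behind an anomalous bucket. The following is an added example written for this page, not the paper's code, and the page does not give the paper's actual hash construction: it assumes the standard CRT-reversible design, where row i of the sketch indexes by `ip mod m_i` with pairwise coprime moduli whose product exceeds 2^32, so the tuple of bucket indices uniquely identifies the 32-bit address. The `+1` smoothing in the SDI formula, the fixed caller-supplied threshold (the paper's dynamic threshold selection is not described here), the moduli, and the session log are all assumptions of this example.

```python
import ipaddress
from itertools import product
from math import gcd

# Pairwise coprime moduli whose product (~1.1e12) exceeds 2^32, so the
# residues of a 32-bit address are unique and the CRT can invert them.
# (Assumed construction; the page does not give the paper's moduli.)
MODULI = (1021, 1023, 1024, 1025)


def crt(residues, moduli):
    """Return the unique x mod prod(moduli) with x = r_i (mod m_i) for all i."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, mi)) % mi   # m invertible: gcd(m, mi) == 1
        x += m * t
        m *= mi
    return x % m


class SymmetrySketch:
    """Per-row counters of out/in connection degree, keyed by ip mod m_i."""

    def __init__(self, moduli=MODULI):
        assert all(gcd(a, b) == 1 for i, a in enumerate(moduli)
                   for b in moduli[i + 1:]), "moduli must be pairwise coprime"
        self.moduli = moduli
        self.out = [[0] * m for m in moduli]   # OCDI counters per bucket
        self.inn = [[0] * m for m in moduli]   # ICDI counters per bucket

    @staticmethod
    def key(ip):
        return int(ipaddress.IPv4Address(ip))

    def add(self, internal_ip, direction, n=1):
        """Record n sessions initiated by ('out') or delivered to ('in') the host."""
        k = self.key(internal_ip)
        table = self.out if direction == "out" else self.inn
        for row, m in enumerate(self.moduli):
            table[row][k % m] += n

    @staticmethod
    def sdi(ocdi, icdi):
        """Symmetry degree: max ratio of out/in degree, +1 smoothing (assumed)."""
        return max((ocdi + 1) / (icdi + 1), (icdi + 1) / (ocdi + 1))

    def estimate(self, ip):
        """Count-min style point query: (OCDI, ICDI) as the minimum over rows."""
        k = self.key(ip)
        o = min(self.out[r][k % m] for r, m in enumerate(self.moduli))
        i = min(self.inn[r][k % m] for r, m in enumerate(self.moduli))
        return o, i

    def flagged(self, threshold):
        """Per row, the bucket indices whose SDI reaches the threshold."""
        return [[b for b in range(m)
                 if self.sdi(self.out[r][b], self.inn[r][b]) >= threshold]
                for r, m in enumerate(self.moduli)]

    def trace(self, threshold):
        """Invert flagged bucket indices to candidate IPv4 addresses via the CRT."""
        rows = self.flagged(threshold)
        if any(not r for r in rows):
            return []                       # an anomaly must show in every row
        found = set()
        for residues in product(*rows):     # one flagged bucket from each row
            x = crt(residues, self.moduli)
            if x < 2 ** 32:                 # discard phantoms outside IPv4 space
                found.add(str(ipaddress.IPv4Address(x)))
        return sorted(found)


# Constructed session log: (internal host, direction, count).  Two hosts with
# balanced traffic and one that opens many sessions that are never answered,
# the incomplete-session pattern the symmetry degree is meant to expose.
DEMO_SESSIONS = [
    ("10.0.0.5", "out", 20), ("10.0.0.5", "in", 18),
    ("10.0.0.6", "out", 40), ("10.0.0.6", "in", 37),
    ("10.0.0.99", "out", 200), ("10.0.0.99", "in", 3),
]


def build_demo_sketch(sessions=DEMO_SESSIONS):
    sk = SymmetrySketch()
    for ip, direction, n in sessions:
        sk.add(ip, direction, n)
    return sk


if __name__ == "__main__":
    sk = build_demo_sketch()
    for ip in ("10.0.0.5", "10.0.0.99"):
        o, i = sk.estimate(ip)
        print(ip, "OCDI", o, "ICDI", i, "SDI %.2f" % sk.sdi(o, i))
    print("traced:", sk.trace(threshold=10.0))
```

Two caveats a practitioner should keep in mind. First, the reversal is exact only when each row flags a single bucket; with k anomalous hosts the cross-product in `trace` yields up to k^4 candidates, and the true addresses are among them, but some mixed combinations may also land inside IPv4 space and need a second-pass check against the raw sessions. Second, because buckets aggregate every host that shares a residue, the count-min style `estimate` is an upper bound and SDI is computed per bucket, so a quiet host colliding with a scanner inherits its score.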

RELATED WORKS
DESIGN GOALS AND THREAT MODEL
Design goals
Assumptions about the adversary and threat model
FEATURE EXTRACTION AND FRAMEWORK DESIGN
Network model and behavior feature extraction
Framework of the designed methods
Anomaly Data Acquisition
Traffic Data Collected in Our Lab
Anomaly identification from the trace
SDI measurement using large-scale traces
SDI robustness analysis
Anomaly threshold selection
Anomaly-related IP address tracing
Traced anomaly processing
PARAMETER ADJUSTMENT AND OPTIMIZATION
Metrics for performance evaluation
Initial parameter selection
Adjustment of the hash function
Rescaling the sliding time window
Threshold adjustment
Comparison with methods using other statistical features
Comparison with methods using fixed thresholds
Comparison with a sketch using whole-IP mapping
Evaluation of the computational complexity
CONCLUSION AND FUTURE WORK