Proceedings ArticleDOI
Mining anomalies using traffic feature distributions
Anukool Lakhina,Mark Crovella,Christophe Diot +2 more
- Vol. 35, Iss: 4, pp 217-228
TLDR
It is argued that the distributions of packet features observed in flow traces reveals both the presence and the structure of a wide range of anomalies, and that using feature distributions, anomalies naturally fall into distinct and meaningful clusters that can be used to automatically classify anomalies and to uncover new anomaly types.Abstract:Â
The increasing practicality of large-scale flow capture makes it possible to conceive of traffic analysis methods that detect and identify a large and diverse set of anomalies. However the challenge of effectively analyzing this massive data source for anomaly diagnosis is as yet unmet. We argue that the distributions of packet features (IP addresses and ports) observed in flow traces reveals both the presence and the structure of a wide range of anomalies. Using entropy as a summarization tool, we show that the analysis of feature distributions leads to significant advances on two fronts: (1) it enables highly sensitive detection of a wide range of anomalies, augmenting detections by volume-based methods, and (2) it enables automatic classification of anomalies via unsupervised learning. We show that using feature distributions, anomalies naturally fall into distinct and meaningful clusters. These clusters can be used to automatically classify anomalies and to uncover new anomaly types. We validate our claims on data from two backbone networks (Abilene and Geant) and conclude that feature distributions show promise as a key element of a fairly general network anomaly diagnosis framework.read more
Citations
More filters
Journal ArticleDOI
Anomaly detection: A survey
TL;DR: This survey tries to provide a structured and comprehensive overview of the research on anomaly detection by grouping existing techniques into different categories based on the underlying approach adopted by each technique.
Journal ArticleDOI
Review: A review of novelty detection
TL;DR: This review aims to provide an updated and structured investigation of novelty detection research papers that have appeared in the machine learning literature during the last decade.
Book
Outlier Analysis
TL;DR: Outlier Analysis is a comprehensive exposition, as understood by data mining experts, statisticians and computer scientists, and emphasis was placed on simplifying the content, so that students and practitioners can also benefit.
Proceedings ArticleDOI
Adversarial machine learning
TL;DR: In this article, the authors discuss an emerging field of study: adversarial machine learning (AML), the study of effective machine learning techniques against an adversarial opponent, and give a taxonomy for classifying attacks against online machine learning algorithms.
Journal ArticleDOI
Adversarial Machine Learning
TL;DR: The author briefly introduces the emerging field of adversarial machine learning, in which opponents can cause traditional machine learning algorithms to behave poorly in security applications.
References
More filters
Journal ArticleDOI
An Intrusion-Detection Model
TL;DR: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described, based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage.
Proceedings ArticleDOI
Diagnosing network-wide traffic anomalies
TL;DR: A general method based on a separation of the high-dimensional space occupied by a set of network traffic measurements into disjoint subspaces corresponding to normal and anomalous network conditions to diagnose anomalies is proposed.
Journal ArticleDOI
Control Procedures for Residuals Associated With Principal Component Analysis
TL;DR: In this article, the treatment of residuals associated with principal component analysis (PCA) is discussed, i.e., the difference between the original observations and the predictions of them using less than a full set of principal components.
Proceedings ArticleDOI
A signal analysis of network traffic anomalies
TL;DR: This paper reports results of signal analysis of four classes of network traffic anomalies: outages, flash crowds, attacks and measurement failures, and shows that wavelet filters are quite effective at exposing the details of both ambient and anomalous traffic.
Proceedings Article
Autograph: toward automated, distributed worm signature detection
TL;DR: Autograph as mentioned in this paper is a system that automatically generates signatures for novel Internet worms that propagate using TCP transport, and it is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives).