Histogram-based traffic anomaly detection

Full description

Bibliographic details
Published in: IEEE eTransactions on network and service management 2009-06, Vol.6 (2), p.110-121
Main authors: Kind, A., Stoecklin, M.P., Dimitropoulos, X.
Format: Article
Language: eng
description Identifying network anomalies is essential in enterprise and provider networks for diagnosing events, like attacks or failures, that severely impact performance, security, and Service Level Agreements (SLAs). Feature-based anomaly detection models (ab)normal network traffic behavior by analyzing different packet header features, like IP addresses and port numbers. In this work, we describe a new approach to feature-based anomaly detection that constructs histograms of different traffic features, models histogram patterns, and identifies deviations from the created models. We assess the strengths and weaknesses of many design options, like the utility of different features, the construction of feature histograms, the modeling and clustering algorithms, and the detection of deviations. Compared to previous feature-based anomaly detection approaches, our work differs by constructing detailed histogram models, rather than using coarse entropy-based distribution approximations. We evaluate histogram-based anomaly detection and compare it to previous approaches using collected network traffic traces. Our results demonstrate the effectiveness of our technique in identifying a wide range of anomalies. The assessed technical details are generic and, therefore, we expect that the derived insights will be useful for similar future research efforts.
doi_str_mv 10.1109/TNSM.2009.090604
format Article
fulltext fulltext_linktorsrc
identifier ISSN: 1932-4537
ispartof IEEE eTransactions on network and service management, 2009-06, Vol.6 (2), p.110-121
issn 1932-4537
1932-4537
language eng
recordid cdi_proquest_journals_857427107
source IEEE Electronic Library (IEL)
subjects Algorithm design and analysis
Anomalies
Clustering algorithms
clustering methods
Computer network security
Computer vision
Construction
Deviation
Event detection
Extraterrestrial measurements
Histograms
Intrusion detection
Mathematical models
Monitoring
Network security
Networks
Telecommunication traffic
Traffic control
Traffic engineering
Traffic flow