Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures

Dewaele, Guillaume; Fukuda, Kensuke; Borgnat, Pierre; Abry, Patrice; Cho, Kenjiro

doi:10.1145/1352664.1352675

Cited by 98 publications

(130 citation statements)

References 22 publications

Supporting

Mentioning

128

Contrasting

Order By: Relevance

“…Another technique that has been proposed for removing anomalies from Internet traffic data (or, rather, for negating their effect on evaluation results) is the following [176]. First, hash the data into a number of groups based on some select workload attribute, for example a flow's source IP address or destination port.…”

Section: Identifying Noise and Anomaliesmentioning

confidence: 99%

Workload Modeling for Computer Systems Performance Evaluation

Feitelson

2015

191

131

View full text Add to dashboard Cite

Reliable performance evaluations require the use of representative workloads. This is no easy task since modern computer systems and their workloads are complex, with many interrelated attributes and complicated structures. Experts often use sophisticated mathematics to analyze and describe workload models, making these models difficult for practitioners to grasp. This book aims to close this gap by emphasizing the intuition and the reasoning behind the definitions and derivations related to the workload models. It provides numerous examples from real production systems, with hundreds of graphs. Using this book, readers will be able to analyze collected workload data and clean it if necessary, derive statistical models that include skewed marginal distributions and correlations, and consider the need for generative models and feedback from the system. The descriptive statistics techniques covered are also useful for other domains.

show abstract

Section: Identifying Noise and Anomaliesmentioning

confidence: 99%

Workload Modeling for Computer Systems Performance Evaluation

Feitelson

2015

191

131

View full text Add to dashboard Cite

show abstract

“…of packets, bytes, or new flows) and/or particular traffic features (e.g., distribution of IP addresses and ports), using either single-link measurements or network-wide data. A non-exhaustive list of standard methods includes the use of signal processing techniques (e.g., ARIMA modeling, wavelets-based filtering) on single-link traffic measurements [1], Kalman filters [4] for network-wide anomaly detection, and Sketches applied to IP-flows [5,6].…”

Section: Related Work and Contributionsmentioning

confidence: 99%

“…The traces we shall work with consist of traffic from one of the trans-pacific links between Japan and the U.S.. MAWI traces are not labeled, but some previous work on anomaly detection has been done on them [6,15]. In particular, [15] detects network attacks using a signature-based approach, while [6] detects both attacks and anomalous flows using non-Gaussian modeling. We shall therefore refer to the combination of results obtained in both works as our ground truth for MAWI traffic.…”

Section: Experimental Evaluation Of Unadamentioning

confidence: 99%

UNADA: Unsupervised Network Anomaly Detection Using Sub-space Outliers Ranking

Casas

Mazel

Owezarski

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Current network monitoring systems rely strongly on signature-based and supervised-learning-based detection methods to hunt out network attacks and anomalies. Despite being opposite in nature, both approaches share a common downside: they require the knowledge provided by an expert system, either in terms of anomaly signatures, or as normal-operation profiles. In a diametrically opposite perspective we introduce UNADA, an Unsupervised Network Anomaly Detection Algorithm for knowledge-independent detection of anomalous traffic. UNADA uses a novel clustering technique based on Sub-Space-Density clustering to identify clusters and outliers in multiple low-dimensional spaces. The evidence of traffic structure provided by these multiple clusterings is then combined to produce an abnormality ranking of traffic flows, using a correlation-distance-based approach. We evaluate the ability of UNADA to discover network attacks in real traffic without relying on signatures, learning, or labeled traffic. Additionally, we compare its performance against previous unsupervised detection methods using traffic from two different networks.

show abstract

“…-hash based (sketch) anomaly detectors [11,12] usually report only IP addresses and corresponding time bin, no other information (e.g. port number) describes identified anomalies.…”

Section: Granularity Of Eventsmentioning

confidence: 99%

“…One consists of random projection techniques (sketches) and multi-resolution gamma modeling [11]. Hereafter we call it as the gamma-based method.…”

Section: Data and Processingmentioning

confidence: 99%

Uncovering Relations between Traffic Classifiers and Anomaly Detectors via Graph Theory

Fontugne

Borgnat²,

Abry³

et al. 2010

Traffic Monitoring and Analysis

Self Cite

View full text Add to dashboard Cite

Abstract. Network traffic classification and anomaly detection have received much attention in the last few years. However, due to the the lack of common ground truth, proposed methods are evaluated through diverse processes that are usually neither comparable nor reproducible. Our final goal is to provide a common dataset with associated ground truth resulting from the cross-validation of various algorithms. This paper deals with one of the substantial issues faced in achieving this ambitious goal: relating outputs from various algorithms. We propose a general methodology based on graph theory that relates outputs from diverse algorithms by taking into account all reported information. We validate our method by comparing results of two anomaly detectors which report traffic at different granularities. The proposed method succesfully identified similarities between the outputs of the two anomaly detectors although they report distinct features of the traffic.

show abstract

Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures

Cited by 98 publications

References 22 publications

Workload Modeling for Computer Systems Performance Evaluation

Workload Modeling for Computer Systems Performance Evaluation

UNADA: Unsupervised Network Anomaly Detection Using Sub-space Outliers Ranking

Uncovering Relations between Traffic Classifiers and Anomaly Detectors via Graph Theory

Contact Info

Product

Resources

About