
Network anomaly detection method based on RTT matrix subspace

Journal of Nanjing University of Science and Technology (Natural Science Edition) (《南京理工大学学报》自然科学版) [ISSN: 1005-9830 / CN: 32-1397/N]

Issue:
2015, No. 2
Pages:
215-224
Research Field:
Publishing date:

Info

Title:
Network anomaly detection method based on RTT matrix subspace
Author(s):
Li Bainan (1, 2), Qian Yekui (2), Luo Xingguo (1)
1. Laboratory of System on Chip Design Technology Researches, National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, China; 2. Department of Command and Control, Air Defence Forces Academy of PLA, Zhengzhou 450052, China
Keywords:
anomaly detection; principal component analysis; subspace; round-trip time matrix
Classification code (CLC):
TP393
DOI:
-
Abstract:
Previous anomaly detection methods either focus on a single link or path, or rely on the traffic matrix and therefore need sophisticated monitoring infrastructure. To address this, a round-trip time (RTT) matrix model is constructed, the concept of the RTT matrix subspace is introduced, and an analysis method based on the RTT matrix subspace (ARMS for short) is proposed. To verify the feasibility of ARMS, real measurement data from Abilene are used to show that the RTT matrix satisfies the two preconditions the method requires for anomaly detection. Simulation experiments on NS2 show that ARMS detects network anomalies more accurately than traditional time series analysis; its detection performance improves as the abnormal traffic grows or spreads over more paths, and it does not depend on the size of the network topology.
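The abstract describes a subspace method over an RTT matrix but the page carries no code. The block below is an added example, not the authors' ARMS implementation: it applies the standard PCA subspace / squared-prediction-error (SPE) technique of the cited network-wide detection work (Lakhina et al., references [6] and [31]) to an RTT matrix whose rows are time bins and whose columns are monitored paths. The six-path topology, the diurnal load pattern, the injected 40 ms anomaly, the "95% of variance" rule for the normal subspace dimension and the mean + 3 sigma threshold are all constructed assumptions for illustration; which preconditions and thresholds ARMS itself uses is not stated on this page.

```python
"""PCA subspace anomaly detection over a round-trip-time (RTT) matrix.

Rows are time bins, columns are monitored end-to-end paths.  The normal
subspace is spanned by the leading principal components fitted on a clean
training window; the squared prediction error (SPE) of a bin, i.e. the
energy of its projection onto the residual subspace, is the anomaly score.
Pure Python so it runs without numpy.
"""
import math
import random

# Constructed sample data, not real measurements (assumption): six paths with
# different base RTTs that all share one diurnal load pattern, so the clean,
# mean-removed matrix is close to rank one.
BASE_RTT_MS = [20.0, 35.0, 50.0, 65.0, 80.0, 95.0]
LOAD_WEIGHT = [1.0, 0.8, 1.2, 0.6, 1.0, 0.9]
PERIOD = 24           # bins per diurnal cycle; the first cycle is the training window
N_BINS = 48           # two cycles
ANOMALY_BIN = 30      # a congested shared link adds 40 ms to paths 1..3 in this bin
ANOMALY_PATHS = (1, 2, 3)
ANOMALY_MS = 40.0


def make_rtt_matrix(seed=7):
    """Return the constructed N_BINS x len(BASE_RTT_MS) RTT matrix (ms)."""
    rng = random.Random(seed)
    rows = []
    for t in range(N_BINS):
        load = 10.0 * math.sin(2 * math.pi * t / PERIOD)
        row = [BASE_RTT_MS[p] + LOAD_WEIGHT[p] * load + rng.uniform(-0.5, 0.5)
               for p in range(len(BASE_RTT_MS))]
        if t == ANOMALY_BIN:
            for p in ANOMALY_PATHS:
                row[p] += ANOMALY_MS
        rows.append(row)
    return rows


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def _unit(v):
    n = math.sqrt(_dot(v, v))
    return [x / n for x in v] if n > 0.0 else v


def _top_eigenpair(cov, iters=1000, tol=1e-14):
    """Dominant eigenvalue/eigenvector of a symmetric matrix by power iteration."""
    n = len(cov)
    v = _unit([1.0 / (i + 1) for i in range(n)])   # fixed, deterministic start vector
    for _ in range(iters):
        w = _unit([_dot(cov[i], v) for i in range(n)])
        converged = sum((a - b) ** 2 for a, b in zip(w, v)) < tol
        v = w
        if converged:
            break
    lam = _dot(v, [_dot(cov[i], v) for i in range(n)])
    return lam, v


def fit_subspace(train_rows, explained=0.95):
    """Fit the normal subspace on clean training bins.

    Returns (mean, components): the per-path mean and the orthonormal principal
    components that together explain `explained` of the training variance
    (the 95% rule is an assumption, not the paper's criterion).
    """
    T, P = len(train_rows), len(train_rows[0])
    mean = [sum(r[p] for r in train_rows) / T for p in range(P)]
    centered = [[r[p] - mean[p] for p in range(P)] for r in train_rows]
    cov = [[sum(r[i] * r[j] for r in centered) / (T - 1) for j in range(P)]
           for i in range(P)]
    total = sum(cov[i][i] for i in range(P))
    comps, captured = [], 0.0
    while captured < explained * total and len(comps) < P:
        lam, u = _top_eigenpair(cov)
        comps.append(u)
        captured += lam
        # Deflate so the next iteration finds the next component.
        cov = [[cov[i][j] - lam * u[i] * u[j] for j in range(P)] for i in range(P)]
    return mean, comps


def spe(row, mean, comps):
    """Squared prediction error: energy left after removing the normal subspace."""
    resid = [a - m for a, m in zip(row, mean)]
    for u in comps:
        c = _dot(resid, u)
        resid = [r - c * ui for r, ui in zip(resid, u)]
    return _dot(resid, resid)


def detect(rows, train_bins, explained=0.95, sigmas=3.0):
    """Score every bin; flag bins whose SPE exceeds mean + sigmas*std of the
    training-window SPE (a simple threshold chosen for this example)."""
    mean, comps = fit_subspace(rows[:train_bins], explained)
    train_spe = [spe(r, mean, comps) for r in rows[:train_bins]]
    mu = sum(train_spe) / len(train_spe)
    sd = math.sqrt(sum((s - mu) ** 2 for s in train_spe) / len(train_spe))
    threshold = mu + sigmas * sd
    scores = [spe(r, mean, comps) for r in rows]
    flagged = [t for t, s in enumerate(scores) if s > threshold]
    return {"k": len(comps), "threshold": threshold,
            "scores": scores, "flagged": flagged}


if __name__ == "__main__":
    res = detect(make_rtt_matrix(), train_bins=PERIOD)
    print("normal subspace dimension k =", res["k"])
    print("SPE threshold = %.2f" % res["threshold"])
    for t in res["flagged"]:
        print("bin %2d flagged, SPE = %.1f" % (t, res["scores"][t]))
```

Two practical points the example makes visible. First, the anomaly injected into three paths at once leaves a large residual because it is not aligned with the single shared-load direction that spans the normal subspace; an anomaly confined to one path, or one that happened to scale all paths proportionally, would be far harder to separate, which is consistent with the abstract's observation that detection improves as abnormal traffic spreads over more paths. Second, the model must be fitted on a clean window: the subspace work cited on this page normally sets the threshold with the Q-statistic rather than a mean + 3 sigma rule, and reference [16] on this page deals specifically with poisoning a PCA detector by contaminating its training data, so the training window should be validated before it is trusted.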

References:

[1] Thottan M, Ji Chuanyi. Anomaly detection in IP networks [J]. IEEE Transactions on Signal Processing, 2003, 51(8): 2191-2204.
[2] Barford P, Kline J, Plonka D, et al. A signal analysis of network traffic anomalies [A]. Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement (IMW) [C]. Marseille, France: ACM, 2002: 71-82.
[3] Brutlag J D. Aberrant behavior detection in time series for network monitoring [A]. Proceedings of the 14th USENIX Conference on System Administration (LISA) [C]. Berkeley, CA, US: USENIX Association, 2000: 139-146.
[4] McGregor A J, Braun H W. Automated event detection for active measurement systems [A]. Proceedings of Passive and Active Measurement (PAM) [C]. Amsterdam, Netherlands: PAM, 2001: 23-32.
[5] Logg C, Cottrell L. Experiences in traceroute and available bandwidth change analysis [A]. SIGCOMM Workshop [C]. Portland, US: ACM Press, 2004: 247-252.
[6] Lakhina A, Crovella M, Diot C. Mining anomalies using traffic feature distributions [A]. SIGCOMM [C]. Philadelphia, US: ACM Press, 2005: 217-228.
[7] Mardani M. Robust network traffic estimation via sparsity and low rank [A]. Acoustics, Speech and Signal Processing (ICASSP) [C]. Vancouver, Canada: IEEE, 2013: 4529-4533.
[8] Novakov S, Lung Chunghorng, Lambadaris I, et al. Studies in applying PCA and wavelet algorithms for network traffic anomaly detection [A]. High Performance Switching and Routing (HPSR) [C]. Taipei, China: IEEE, 2013: 185-190.
[9] Zhang Runchu. Multivariate Statistical Analysis [M]. Beijing: Science Press, 2006: 213-246. (in Chinese)
[10] Zhou Jingjing, Yang Jiahai, Yang Yang, et al. Research on traffic matrix estimation [J]. Journal of Software, 2007, 18(11): 2669-2682. (in Chinese)
[11] Soule A, Salamatian K, Taft N. Combining filtering and statistical methods for anomaly detection [A]. Internet Measurement Conference (IMC) 2005 [C]. Berkeley, US: USENIX Association, 2005: 331-344.
[12] Simmross-Wattenberg F, Asensio-Pérez J I, Casaseca-de-la-Higuera P, et al. Anomaly detection in network traffic based on statistical inference and alpha-stable modeling [J]. IEEE Transactions on Dependable and Secure Computing, 2011, 8(4): 494-509.
[13] Qian Yekui, Chen Ming. A multivariate online anomaly detection algorithm based on SVD updating [J]. Journal of Electronics & Information Technology, 2010, 32(10): 2404-2409. (in Chinese)
[14] Qian Yekui, Chen Ming. On the manifold structure of the Internet traffic matrix [J]. Journal of Electronics & Information Technology, 2010, 32(12): 2982-2986. (in Chinese)
[15] Qian Yekui, Chen Ming, Hao Qiang, et al. ODC: a method for online detecting and classifying network-wide traffic anomalies [J]. Journal on Communications, 2011, 32(1): 111-120. (in Chinese)
[16] Qian Yekui, Chen Ming. Poison attack and defense strategies on PCA-based anomaly detectors [J]. Acta Electronica Sinica, 2011, 39(3): 543-548. (in Chinese)
[17] Qian Yekui, Chen Ming. MOADA-SVR: a multivariate online anomaly detection algorithm based on SVR [J]. Journal on Communications, 2011, 32(12): 106-113. (in Chinese)
[18] Barford P, Duffield N, Ron A, et al. Network performance anomaly detection and localization [A]. IEEE INFOCOM [C]. New York, US: IEEE, 2009: 1377-1385.
[19] Choffnes D R, Bustamante F E, Ge Zihui. Crowdsourcing service-level network event monitoring [A]. SIGCOMM [C]. New Delhi, India: ACM, 2010: 387-398.
[20] Huang Yiyi, Feamster N, Lakhina A, et al. Diagnosing network disruptions with network-wide analysis [A]. ACM SIGMETRICS [C]. San Diego, US: ACM, 2007, 35(1): 61-72.
[21] Gangam S, Sharma P, Fahmy S. Pegasus: precision hunting for icebergs and anomalies in network flows [A]. IEEE INFOCOM [C]. Turin, Italy: IEEE, 2013: 654-662.
[22] Qian Yekui, Chen Ming, Ye Lixin, et al. Network-wide anomaly detection method based on multiscale principal component analysis [J]. Journal of Software, 2012, 23(2): 361-377. (in Chinese)
[23] Pascoal C, de Oliveira M R, Valadas R, et al. Robust feature selection and robust PCA for Internet traffic anomaly detection [A]. IEEE INFOCOM [C]. Orlando, US: IEEE, 2012: 1231-1239.
[24] Yeung Dit-Yan, Ding Yuxin. Host-based intrusion detection using dynamic and static behavioral models [J]. Pattern Recognition, 2003, 36(5): 229-243.
[25] Yan He, Flavel A, Ge Zihui, et al. Argus: end-to-end service anomaly detection and localization from an ISP's point of view [A]. IEEE INFOCOM [C]. Orlando, US: IEEE, 2012: 982-1000.
[26] Wang Yufeng, Nakao Akihiro. Heterogeneity playing key role: modeling and analyzing the dynamics of incentive mechanisms in autonomous networks [J]. ACM Transactions on Autonomous and Adaptive Systems, 2012, 7(1): 31.
[27] Horn R A, Johnson C R. Matrix Analysis [M]. Zhang Mingyao, Zhang Fan, trans. Beijing: China Machine Press, 2005. (Chinese translation)
[28] Abilene. The Abilene Observatory data collections [EB/OL]. http://abilene.internet2.edu/observafoty/data-collec-tions.html, 2012.
[29] McCanne S, Floyd S, Fall K. The network simulator ns-2 [EB/OL]. http://www.isi.edu/nsnam/ns/, 2014.
[30] Medina A, Lakhina A, Matta I, et al. BRITE: universal topology generation from a user's perspective [A]. Proceedings of the 9th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS) [C]. Cincinnati, US: IEEE, 2001: 346-356.
[31] Lakhina A, Papagiannaki K, Crovella M, et al. Structural analysis of network traffic flows [A]. ACM SIGMETRICS [C]. New York, US: ACM, 2004: 61-72.

Memo

Memo:
-
Last Update: 2015-04-30