
Network anomaly detection method based on RTT matrix subspace


Li Bainan (1, 2), Qian Yekui (2), Luo Xingguo (1)
1. Laboratory of System on Chip Design Technology Researches, National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, China; 2. Department of Command and Control, Air Defence Forces Academy of PLA, Zhengzhou 450052, Chi
Keywords: anomaly detection; principal component analysis; subspace; round-trip time matrix
Previous anomaly detection methods either focus on a single link or path, or require sophisticated monitoring techniques based on the traffic matrix. To address these problems, a round-trip time (RTT) matrix model is constructed. The concept of the RTT matrix subspace is introduced, and an analysis method based on the RTT matrix subspace (ARMS for short) is put forward. To verify the feasibility of ARMS, real measurement data from Abilene are used to show that ARMS satisfies the two preconditions for anomaly detection. Simulation experiments on NS2 show that ARMS detects network anomalies more accurately than traditional time series analysis, that the detection effect improves when the abnormal traffic increases or is distributed more widely, and that the detection effect is independent of the network topology size.




Last Update: 2015-04-30