
Statistical Network Anomaly Detection: An Experimental Study

  • Conference paper
Future Network Systems and Security (FNSS 2016)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 670)

Abstract

The number and impact of attacks over the Internet have been continuously increasing in recent years, pushing the focus of many research activities toward the development of effective techniques to promptly detect and identify anomalies in network traffic. In this paper, we propose a performance comparison between two different histogram-based anomaly detection methods, which use either the Euclidean distance or the entropy to measure the deviation from normal behaviour. The analysis has been carried out taking into consideration different traffic features.

The experimental results, obtained by testing our systems over the publicly available MAWILab dataset, point out that both the applied method and the chosen descriptor strongly impact the detection performance.

Acknowledgment

This work was partially supported by Multitech SeCurity system for intercOnnected space control groUnd staTions (SCOUT), a FP7 EU project.

Correspondence to Christian Callegari.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Callegari, C., Giordano, S., Pagano, M. (2016). Statistical Network Anomaly Detection: An Experimental Study. In: Doss, R., Piramuthu, S., Zhou, W. (eds) Future Network Systems and Security. FNSS 2016. Communications in Computer and Information Science, vol 670. Springer, Cham. https://doi.org/10.1007/978-3-319-48021-3_2

  • DOI: https://doi.org/10.1007/978-3-319-48021-3_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-48020-6

  • Online ISBN: 978-3-319-48021-3

  • eBook Packages: Computer Science, Computer Science (R0)
