Statistical Network Anomaly Detection: An Experimental Study

  • Christian CallegariEmail author
  • Stefano Giordano
  • Michele Pagano
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 670)


The number and impact of attack over the Internet have been continuously increasing in the last years, pushing the focus of many research activities into the development of effective techniques to promptly detect and identify anomalies in the network traffic. In this paper, we propose a performance comparison between two different histogram based anomaly detection methods, which use either the Euclidean distance or the entropy to measure the deviation from the normal behaviour. Such an analysis has been carried out taking into consideration different traffic features.

The experimental results, obtained testing our systems over the publicly available MAWILAb dataset, point out that both the applied method and the chosen descriptor strongly impact the detection performance.


Hash Function Shannon Entropy Anomaly Detection Traffic Feature Minkowski Distance 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was partially supported by Multitech SeCurity system for intercOnnected space control groUnd staTions (SCOUT), a FP7 EU project.


  1. 1.
    Thottan, M., Liu, G., Ji, C.: Anomaly detection approaches for communication networks. In: Cormode, G., Thottan, M., Sammes, A.J. (eds.) Algorithms for Next Generation Networks. Computer Communications and Networks, pp. 239–261. Springer, London (2010)CrossRefGoogle Scholar
  2. 2.
    Ahmed, M., Naser Mahmood, A., Hu, J.: A survey of network anomaly detection techniques. J. Netw. Comput. Appl. 60(C), 19–31 (2016)CrossRefGoogle Scholar
  3. 3.
    Callegari, C., Coluccia, A., D’Alconzo, A., Ellens, W., Giordano, S., Mandjes, M., Pagano, M., Pepe, T., Ricciato, F., Zuraniewski, P.: A methodological overview on anomaly detection. In: Matijasevic, M., Callegari, C., Biersack, E. (eds.) Data Traffic Monitoring and Analysis. LNCS, vol. 7754, pp. 148–183. Springer, Berlin (2013)CrossRefGoogle Scholar
  4. 4.
    Subhabrata, B.K., Krishnamurthy, E., Sen, S., Zhang, Y., Chen, Y.: Sketch-based change detection: methods, evaluation, and applications. In. Internet Measurement Conference, pp. 234–247(2003)Google Scholar
  5. 5.
    Borgnat, P., Dewaele, G., Fukuda, K., Abry, P., Cho, K.: Seven years and one day: sketching the evolution of internet traffic. In: INFOCOM, April 2009Google Scholar
  6. 6.
    Cormode, G., Muthukrishnan, S.: An improved data stream summary: the count-min sketch and its applications. J. Algorithms 55(1), 58–75 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature. In: ACM SIGCOMM (2005)Google Scholar
  8. 8.
    Salem, O., Vaton, S., Gravey, A.: A scalable, efficient and informative approach for anomaly-based intrusion detection systems: theory and practice. Int. J. Netw. Manag. 20, 271–293 (2010)CrossRefGoogle Scholar
  9. 9.
    Callegari, C., Gazzarrini, L., Giordano, S., Pagano, M., Pepe, T.: When randomness improves the anomaly detection performance. In: Proceedings of 3rd International Symposium on Applied Sciences in Biomedical and Communication Technologies (ISABEL) (2010)Google Scholar
  10. 10.
    Schweller, R., Gupta, A., Parsons, E., Chen, Y.: Reversible sketches for efficient and accurate change detection over network data streams. In: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement. IMC 2004, pp. 207–212. ACM, New York (2004)Google Scholar
  11. 11.
    Kind, A., Stoecklin, M.P., Dimitropoulos, X.: Histogram-based traffic anomaly detection. IEEE Trans. Netw. Serv. Manag. 6(2), 110–121 (2009)CrossRefGoogle Scholar
  12. 12.
    Brauckhoff, D., Dimitropoulos, X., Wagner, A., Salamatian, K.: Anomaly extraction in backbone networks using association rules. IEEE/ACM Trans. Netw. 20(6), 1788–1799 (2012)CrossRefGoogle Scholar
  13. 13.
    Wagner, A., Plattner, B.: Entropy based worm and anomaly detection in fast IP networks. In: 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE 2005), pp. 172–177, June 2005Google Scholar
  14. 14.
    Callegari, C., Giordano, S., Pagano, M.: On the use of compression algorithms for network anomaly detection. In: 2009 IEEE International Conference on Communications, pp. 1–5, June 2009Google Scholar
  15. 15.
    Lakhina, A.: Diagnosing network-wide traffic anomalies. In. ACM SIGCOMM, pp. 219–230 (2004)Google Scholar
  16. 16.
    Shannon, C.E., Weaver, W.: The Mathematical Theory of Communication. University of Illinois Press, Champaign (1949)zbMATHGoogle Scholar
  17. 17.
    Kolmogorov, A., Fomin, S.: Elements of the Theory of Functions and Functional Analysis. Number v. 1 in Dover Books on Mathematics. Dover (1999)Google Scholar
  18. 18.
  19. 19.
    MAWI Working Group Traffic Archive. Accessed Nov 2011
  20. 20.
    MAWILab. Accessed Nov 2011
  21. 21.
    Fontugne, R., Borgnat, P., Abry, P., Fukuda, K.: MAWILab: combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking. In: ACM CoNEXT (2010)Google Scholar
  22. 22.
    Callegari, C., Casella, A., Giordano, S., Pagano, M., Pepe, T.: Sketch-based multidimensional IDS: a new approach for network anomaly detection. In: IEEE Conference on Communications and Network Security, CNS 2013, National Harbor, MD, USA, 14–16 October 2013, pp. 350–358 (2013)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Christian Callegari
    • 1
    Email author
  • Stefano Giordano
    • 2
  • Michele Pagano
    • 2
  1. 1.RaSS National LaboratoryCNITPisaItaly
  2. 2.Department of Information EngineeringUniversity of PisaPisaItaly

Personalised recommendations