
Distribution-Based Anomaly Detection in Network Traffic

Chapter in: Data Traffic Monitoring and Analysis

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 7754)

Abstract

In this Chapter we address the problem of detecting “anomalies” in the global network traffic produced by a large population of end-users. Empirical distributions across users are considered for several traffic variables at different timescales, and the goal is to identify statistically significant deviations from past behavior. This problem is cast into the framework of hypothesis testing. We first address the methodology for dynamically identifying a reference for the null hypothesis (“normal” traffic) that takes into account the typical non-stationarity of real traffic in volume and composition. Then, we illustrate two general distribution-based detection approaches, based on heuristic and on formal methods respectively. We also discuss operational criteria for dynamically tuning the detector, so as to track the physiological variation of traffic profiles and of the number of active users. The Chapter includes a final evaluation based on the analysis of a dataset from an operational 3G network, so as to show in practice the detection of real-world traffic anomalies.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg


Cite this chapter

Coluccia, A., D’Alconzo, A., Ricciato, F. (2013). Distribution-Based Anomaly Detection in Network Traffic. In: Biersack, E., Callegari, C., Matijasevic, M. (eds) Data Traffic Monitoring and Analysis. Lecture Notes in Computer Science, vol 7754. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36784-7_9


  • DOI: https://doi.org/10.1007/978-3-642-36784-7_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36783-0

  • Online ISBN: 978-3-642-36784-7

  • eBook Packages: Computer Science (R0)
