Building Better Unsupervised Anomaly Detector with S-Transform

  • Sirikarn Pukkawanna
  • Hiroaki Hazeyama
  • Youki Kadobayashi
  • Suguru Yamaguchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


Unsupervised anomaly detection is most widely applicable due to capabilities of detecting known and novel anomalies without prior knowledge. In this paper, we propose an unsupervised anomaly detection method based on time-frequency analysis. We firstly use S-Transform to reveal the frequency characteristics of a network signal. Secondly, heuristics are used for anomaly detection. We evaluate performance of our method on MAWI and DARPA datasets. Furthermore, we compare the results with an unsupervised Wavelet Transform-based anomaly detection method. The results indicate that our method achieves better detection performance compared with the Wavelet Transform-based method.


Unsupervised anomaly detection time-frequency analysis signal processing multi-resolution analysis S-Transform 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Stockwell, R.G., Mansinha, L., Lowe, R.P.: Localization of the Complex Spectrum: The S-Transform. IEEE Trans. on Sig. Proc. 44(4), 998–1001 (1996)CrossRefGoogle Scholar
  2. 2.
    Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: A Survey. In: ACM Computing Surveys (2009)Google Scholar
  3. 3.
    Barford, P., Kline, J., Plonka, D., Ron, A.: A Signal Analysis of Network Traffic Anomalies. In: IMW (2002)Google Scholar
  4. 4.
    Salagean, M., Firoiu, I.: Anomaly Detection of Network Traffic Based on Analytical Discrete Wavelet Transform. In: COMM (2010)Google Scholar
  5. 5.
    Münz, G., Li, S., Carle, G.: Traffic Anomaly Detection using K-means Clustering. In: GI/ITG-Workshop MMBnet (2007)Google Scholar
  6. 6.
    Portnoy, L., Eskin, E., Stolfo, S.: Intrusion Detection with Unlabeled Data using Clustering. In: CSS Workshop DMSA (2001)Google Scholar
  7. 7.
    Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies using Traffic Feature Distributions. In: SIGCOMM (2005)Google Scholar
  8. 8.
    Callegari, C., Gazzarrini, L., Giordano, S., Pagano, M., Pepe, T.: A Novel PCA-based Network Anomaly Detection. In: ICC (2011)Google Scholar
  9. 9.
    Karagiannis, T., Papagiannaki, K., Faloutsos, M.: BLINC: Multilevel Traffic Classification in the Dark. In: SIGCOMM (2005)Google Scholar
  10. 10.
    Pukkawanna, S., Pongpaibool, P., Visoottiviseth, V.: LD2: A System for Lightweight Detection of Denial-Of-Service Attacks. In: MILCOM (2008)Google Scholar
  11. 11.
    Ringberg, H., Soule, A., Rexford, J., Diot, C.: Sensitivity of PCA for traffic anomaly detection. In: SIGMETRICS (2007)Google Scholar
  12. 12.
    MAWI Working Group Traffic Archive,
  13. 13.
    Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.: The 1999 DARPA Off-Line Intrusion Detection. Computer Networks 34(4), 579–595 (2000)CrossRefGoogle Scholar
  14. 14.

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Sirikarn Pukkawanna
    • 1
  • Hiroaki Hazeyama
    • 1
  • Youki Kadobayashi
    • 1
  • Suguru Yamaguchi
    • 1
  1. 1.Nara Institute of Science and TechnologyIkomaJapan

Personalised recommendations