28-02-2013, 11:43 AM
Parametric Methods for Anomaly Detection in Aggregate Traffic
Parametric Methods.docx (Size: 32.87 KB / Downloads: 20)
Abstract:
This paper develops parametric methods to detect network anomalies using only aggregate traffic statistics, in contrast to other works requiring flow separation, even when the anomaly is a small fraction of the total traffic. By adopting simple statistical models for anomalous and background traffic in the time domain, one can estimate model parameters in real time, thus obviating the need for a long training phase or manual parameter tuning. The proposed bivariate parametric detection mechanism (bPDM) uses a sequential probability ratio test, allowing for control over the false positive rate while examining the tradeoff between detection time and the strength of an anomaly. Additionally, it uses both traffic-rate and packet-size statistics, yielding a bivariate model that eliminates most false positives. The method is analyzed using the bit-rate signal-to-noise ratio (SNR) metric, which is shown to be an effective metric for anomaly detection.