Parametric Methods for Anomaly Detection in Aggregate Traffic

Gautam Thatte, Urbashi Mitra, and John Heidemann
USC/Information Sciences Institute

Abstract

This paper develops parametric methods to detect network anomalies using only aggregate traffic statistics in contrast to other works requiring flow separation, even when the anomaly is a small fraction of the total traffic. By adopting simple statistical models for anomalous and background traffic in the time-domain, one can estimate model parameters in real-time, thus obviating the need for a long training phase or manual parameter tuning. The detection mechanism uses a sequential probability ratio test, allowing for control over the false positive rate while examining the trade-off between detection time and the strength of an anomaly. Additionally, it uses both traffic-rate and packet-size statistics, yielding a bivariate model that eliminates most false positives. The method is analyzed using the bitrate SNR metric, which is shown to be an effective metric for anomaly detection. The performance of the bPDM is evaluated in three ways: first, synthetically generated traffic provides for a controlled comparison of detection time as a function of the anomalous level of traffic. Second, the approach is shown to be able to detect controlled artificial attacks over the USC campus network in varying real traffic mixes. Third, the proposed algorithm achieves rapid detection of real denial-of-service attacks as determined by the replay of previously captured network traces. The method developed in this paper is able to detect all attacks in these scenarios in a few seconds or less.
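The following Python is an added illustration of the detection mechanism the abstract describes, namely a sequential probability ratio test run over aggregate traffic-rate and packet-size statistics; it is example code written for this page, not the authors' bPDM implementation, and the paper's actual traffic models are not reproduced here. It assumes that per-interval packet rate and mean packet size are modelled as independent equal-variance Gaussians, that the background parameters are estimated from a clean warm-up window rather than tracked online, and that the anomaly hypothesis shifts the rate by `delta_rate` and the mean packet size by `delta_size`; all sample values are constructed.

```python
"""Bivariate SPRT anomaly detector over aggregate traffic statistics.

Added example, not code from the paper. Assumptions (not from the paper):
per-interval packet rate and mean packet size are independent Gaussians,
background mean/std come from a warm-up window, and the anomaly hypothesis
shifts rate by delta_rate and packet size by delta_size. All numbers below
are constructed, not measured.
"""
import math
from typing import Optional, Sequence, Tuple

Sample = Tuple[float, float]  # (packets per interval, mean packet size in bytes)


def estimate_background(warmup: Sequence[Sample]) -> Tuple[float, float, float, float]:
    """Mean and population std of rate and size from a clean warm-up window."""
    n = len(warmup)
    mu_r = sum(r for r, _ in warmup) / n
    mu_s = sum(s for _, s in warmup) / n
    sd_r = math.sqrt(sum((r - mu_r) ** 2 for r, _ in warmup) / n)
    sd_s = math.sqrt(sum((s - mu_s) ** 2 for _, s in warmup) / n)
    return mu_r, sd_r, mu_s, sd_s


def gaussian_llr(x: float, mu0: float, mu1: float, sigma: float) -> float:
    """log p(x|H1) - log p(x|H0) for two Gaussians with the same variance."""
    return ((x - mu0) ** 2 - (x - mu1) ** 2) / (2.0 * sigma ** 2)


def sprt_monitor(stream: Sequence[Sample], background: Tuple[float, float, float, float],
                 delta_rate: float, delta_size: float,
                 alpha: float = 0.01, beta: float = 0.05,
                 use_size: bool = True) -> Optional[int]:
    """Wald's SPRT over the stream, restarted after every H0 (background) decision.

    alpha bounds the false-positive rate, beta the miss rate. Returns the
    1-based sample count at which H1 (anomaly) is first declared, or None if
    the stream ends without an anomaly decision.
    """
    mu_r, sd_r, mu_s, sd_s = background
    upper = math.log((1.0 - beta) / alpha)  # cross this: declare anomaly
    lower = math.log(beta / (1.0 - alpha))  # cross this: background, restart
    stat = 0.0
    for k, (rate, size) in enumerate(stream, start=1):
        stat += gaussian_llr(rate, mu_r, mu_r + delta_rate, sd_r)
        if use_size:  # bivariate model: add packet-size evidence
            stat += gaussian_llr(size, mu_s, mu_s + delta_size, sd_s)
        if stat >= upper:
            return k
        if stat <= lower:
            stat = 0.0  # background confirmed for this window; fresh test
    return None


# Constructed warm-up: rate mean 1000 / std 10, size mean 600 / std 20.
WARMUP = [(1014, 628), (986, 572), (1002, 604), (998, 596),
          (1010, 620), (990, 580), (1010, 620), (990, 580)]

# Constructed stream: four background intervals, then a small flood of short
# packets that raises the rate by roughly 2% and pulls the mean size down.
ATTACK = [(1004, 596), (996, 604), (1010, 590), (990, 610),
          (1018, 566), (1024, 558), (1021, 563), (1026, 560)]

# Constructed stream: a legitimate rate burst whose packet sizes stay normal.
BURST = [(1022, 600), (1024, 602), (1019, 598), (1002, 601), (998, 599)]


def run_demo() -> dict:
    """Compare the bivariate test with a rate-only test on both streams."""
    bg = estimate_background(WARMUP)
    return {
        "attack_bivariate": sprt_monitor(ATTACK, bg, 20, -40),
        "attack_rate_only": sprt_monitor(ATTACK, bg, 20, -40, use_size=False),
        "burst_bivariate": sprt_monitor(BURST, bg, 20, -40),
        "burst_rate_only": sprt_monitor(BURST, bg, 20, -40, use_size=False),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: anomaly declared at sample {decision}")
```

On the constructed attack stream the joint rate-and-size statistic crosses the upper threshold one interval before the rate-only statistic does, and on the legitimate burst the rate-only test raises a false positive on its second interval while the bivariate test, seeing normal packet sizes, never crosses the upper threshold and eventually settles back to the background hypothesis. Lowering `alpha` raises the upper threshold and so lengthens detection time for a given anomaly strength, which is the trade-off the abstract refers to.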

Availability

This paper is available in several formats: an abstract web page with pointers and citations, a PDF, and paper copies, which can be obtained by mail from the authors. Copyright terms for this paper appear below.

Reference

Thatte09a
Gautam Thatte, Urbashi Mitra, and John Heidemann. Parametric Methods for Anomaly Detection in Aggregate Traffic. Technical Report ISI-TR-2009-663, USC/Information Sciences Institute, August, 2009. <http://www.isi.edu/~johnh/PAPERS/Thatte09a.html>.
@techreport{Thatte09a,
	author = "Gautam Thatte and Urbashi Mitra and John Heidemann",
	title = "Parametric Methods for Anomaly Detection in Aggregate Traffic",
	institution = "USC/Information Sciences Institute",
	year = "2009",
	number = "ISI-TR-2009-663",
	month = "August",
	keywords = "internet anomaly detection, DoS attack detection, parametric methods",
	url = "http://www.isi.edu/~johnh/PAPERS/Thatte09a.html",
	pdfurl = "http://www.isi.edu/~johnh/PAPERS/Thatte09a.pdf",
	myorganization = "USC/Information Sciences Institute",
	copyrightholder = "authors",
}

Copyright

This paper is copyright © 2009 by its authors. Permission to make digital or hard copies of part or all of this work for personal use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Abstracting with credit is permitted.

To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission of the authors.