A Two-Layered Anomaly Detection Technique Based on Multi-modal Flow Behavior Models

We present a novel technique to detect traffic anomalies based on network flow behavior in different traffic features. Based on the observation that a network has multiple behavior modes, we estimate the modes in each feature component and extract their model parameters during a learning phase. Observed network behavior is then compared to the baseline models by means of a twolayered distance computation: first, component-wise anomaly indices and second, a global anomaly index for each traffic feature enable effective detection of aberrant behavior. Our technique supports on-line detection and incorporation of administrator feedback and does not make use of explicit prior knowledge about normal and abnormal traffic.We expect benefits from the modeling and detection strategy chosen to reliably expose abnormal events of diverse nature at both detection layers while being resilient to seasonal effects. Experiments on simulated and real network traces confirm our expectations in detecting true anomalies without increasing the false positive rate. A comparison of our technique with entropyand histogram-based approaches demonstrates its ability to reveal anomalies that disappear in the background noise of output signals from these techniques.

Published in:
PAM 2008 LNCS 4979, 212-221
Springer Verlag

 Record created 2009-09-16, last modified 2018-03-18

Rate this document:

Rate this document:
(Not yet reviewed)