• DocumentCode
    1415726
  • Title
    Predictive Network Anomaly Detection and Visualization
  • Author
    Celenk, Mehmet ; Conley, Thomas ; Willis, John ; Graham, James
  • Author_Institution
    Sch. of Electr. Eng. & Comput. Sci., Ohio Univ., Athens, OH, USA
  • Volume
    5
  • Issue
    2
  • fYear
    2010
  • fDate
    6/1/2010 12:00:00 AM
  • Firstpage
    288
  • Lastpage
    299
  • Abstract
    Various approaches have been developed for quantifying and displaying network traffic information in order to determine network status and detect anomalies. Although many of these methods are effective, they rely on the collection of long-term network statistics. Here, we present an approach that uses short-term observations of network features and their respective time-averaged entropies. Acute changes are localized in network feature space using adaptive Wiener filtering and auto-regressive moving average modeling. The color-enhanced datagram is designed to allow a network engineer to quickly capture and visually comprehend at a glance the statistical characteristics of a network anomaly. First, the average entropy of each feature is calculated for every second of observation. Then, the resultant short-term measurement is subjected to first- and second-order time-averaging statistics. These measurements are the basis of a novel approach to anomaly estimation based on the well-known Fisher linear discriminant (FLD). Average port, high port, server ports, and peered ports are some of the network features used for stochastic clustering and filtering. We empirically determine that these network features obey Gaussian-like distributions. The proposed algorithm is tested on real-time network traffic data from Ohio University's main Internet connection. Experimentation has shown that the presented FLD-based scheme is accurate in identifying anomalies in network feature space, in localizing anomalies in network traffic flow, and in helping network engineers to prevent potential hazards. Furthermore, it is highly effective in providing a colorized visualization chart to network analysts in the presence of bursty network traffic.
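    The pipeline the abstract sketches (per-second feature entropy, short-term first- and second-order time averaging, then an FLD-based score) is shown below as an added illustration written for this record; it is not code from the paper and does not reproduce the authors' exact features (average port, high port, server ports, peered ports are named in the abstract but not defined here). It assumes source- and destination-port entropy as the two features, a five-second trailing window, a two-class FLD fit on labelled seconds, and a constructed synthetic trace containing a port scan; make_sample_flows, run_detection and the other names are hypothetical.

```python
"""Per-second port-entropy features, first/second-order time averaging over a
short trailing window, and a Fisher linear discriminant (FLD) anomaly score.

Illustrative example written for this record, not the authors' code. The
feature choice, window length, labelled training seconds and the synthetic
traffic are all assumptions.
"""
import math
import random
from collections import Counter, defaultdict

SERVER_PORTS = [80, 443, 53, 22]   # assumed background destination-port mix
WINDOW = 5                         # trailing seconds for time averaging (assumed)


def make_sample_flows(seed=7, normal_secs=40, scan_secs=10, per_sec=200):
    """Constructed traffic as (second, src_port, dst_port) tuples plus labels.

    Seconds 0..normal_secs-1 are background traffic; the next scan_secs
    seconds add a vertical port scan from one source port, which raises
    destination-port entropy and lowers source-port entropy. Label 1 = scan.
    """
    rng = random.Random(seed)
    flows, labels = [], {}
    for sec in range(normal_secs + scan_secs):
        labels[sec] = int(sec >= normal_secs)
        for _ in range(per_sec):
            flows.append((sec, rng.randint(32768, 60999), rng.choice(SERVER_PORTS)))
        if labels[sec]:
            for dst in rng.sample(range(1, 1025), 300):
                flows.append((sec, 40000, dst))
    return flows, labels


def shannon_entropy(counts):
    """Entropy in bits of the empirical distribution held in a count mapping."""
    total = sum(counts.values())
    h = 0.0
    for c in counts.values():
        p = c / total
        h -= p * math.log2(p)
    return h


def per_second_entropy(flows):
    """Second -> (H(src_port), H(dst_port)) in bits."""
    src, dst = defaultdict(Counter), defaultdict(Counter)
    for sec, sp, dp in flows:
        src[sec][sp] += 1
        dst[sec][dp] += 1
    return {s: (shannon_entropy(src[s]), shannon_entropy(dst[s])) for s in sorted(src)}


def time_averaged_features(entropies, window=WINDOW):
    """Causal first- and second-order statistics over the trailing window.

    Feature vector per second: [mean H_src, var H_src, mean H_dst, var H_dst].
    """
    secs = sorted(entropies)
    feats = {}
    for i, s in enumerate(secs):
        block = [entropies[t] for t in secs[max(0, i - window + 1): i + 1]]
        vec = []
        for k in range(2):
            vals = [b[k] for b in block]
            mu = sum(vals) / len(vals)
            vec += [mu, sum((v - mu) ** 2 for v in vals) / len(vals)]
        feats[s] = vec
    return feats


def _solve(a, b):
    """Solve a x = b (small dense system) by Gauss-Jordan with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n] for row in m]


def project(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def fld_fit(x0, x1, ridge=1e-6):
    """Fisher direction w = S_w^-1 (m1 - m0) and the midpoint threshold.

    Returns (w, threshold, m0, m1); class 1 projects above the threshold.
    A small ridge keeps S_w invertible when a feature is nearly constant.
    """
    d = len(x0[0])
    m0 = [sum(v[k] for v in x0) / len(x0) for k in range(d)]
    m1 = [sum(v[k] for v in x1) / len(x1) for k in range(d)]
    sw = [[ridge * (i == j) for j in range(d)] for i in range(d)]
    for xs, m in ((x0, m0), (x1, m1)):
        for v in xs:
            for i in range(d):
                for j in range(d):
                    sw[i][j] += (v[i] - m[i]) * (v[j] - m[j])
    w = _solve(sw, [a - b for a, b in zip(m1, m0)])
    thr = 0.5 * (project(w, m0) + project(w, m1))
    return w, thr, m0, m1


def run_detection(flows, labels, window=WINDOW):
    """Fit the FLD on labelled seconds and score every second.

    Returns (scores, threshold, flagged_seconds).
    """
    feats = time_averaged_features(per_second_entropy(flows), window)
    x0 = [feats[s] for s in feats if labels[s] == 0]
    x1 = [feats[s] for s in feats if labels[s] == 1]
    w, thr, _, _ = fld_fit(x0, x1)
    scores = {s: project(w, feats[s]) for s in feats}
    return scores, thr, sorted(s for s, v in scores.items() if v > thr)


if __name__ == "__main__":
    flows, labels = make_sample_flows()
    scores, thr, flagged = run_detection(flows, labels)
    print(f"threshold={thr:.3f} flagged seconds={flagged}")
```

    The scan collapses source-port entropy (one scanning port dominates) while spreading destination-port entropy over the scanned range, so both the rolling means and, at the onset of the burst, the rolling variances move away from the background class; the FLD direction combines them into one score, and the seconds whose trailing window straddles the onset are exactly where the second-order statistic carries the signal.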
  • Keywords
    Gaussian processes; Internet; Wiener filters; autoregressive moving average processes; computer network security; filtering theory; Fisher linear discriminant; Gaussian-like distributions; Internet; adaptive Wiener filtering; anomaly estimation; anomaly visualization; auto regressive moving average modeling; color enhanced datagram; network traffic information; predictive network anomaly detection; real-time network traffic data; stochastic clustering; stochastic filtering; time averaged entropy; time averaging statistics; Auto-regressive moving average (ARMA) modeling; Fisher discriminant; Wiener filtering; entropy; network anomaly;
  • fLanguage
    English
  • Journal_Title
    Information Forensics and Security, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    1556-6013
  • Type
    jour
  • DOI
    10.1109/TIFS.2010.2041808
  • Filename
    5411760