Distributed detection/localization of network anomalies using rank tests

We propose an efficient and decentralized method for detecting change-points in high-dimensional data. This issue is of growing concern to the network security community since, in this context, network anomalies such as denial of service (DoS) attacks are likely to lead to statistical changes in Internet traffic. Our method proposes a way of distributing a centralized approach called TopRank, which consists of a data reduction stage based on record filtering, followed by a nonparametric change-point detection test based on U-statistics. The key point is to aggregate censored time series built locally and to perform a nonparametric test for doubly censored time series resulting from this aggregation. With this new approach, called distributed TopRank in the following, we can address massive data streams and perform network anomaly detection and localization on the fly while limiting the quantity of data exchanged within the network.