Title :
Evaluation of an Online Parallel Anomaly Detection System
Author :
Shanbhag, Shashank ; Wolf, Tilman
Author_Institution :
Dept. of Electr. & Comput. Eng., Univ. of Massachusetts, Amherst, MA
Abstract :
The rapid and accurate detection of anomalies in network traffic has always been a challenging task, and is absolutely critical to the efficient operation of the network. The availability of numerous different detection algorithms makes it difficult to choose a suitable configuration. An algorithm may have a high detection rate for high-rate attacks, but might behave unfavorably when faced with attacks with gradually increasing rates. This paper proposes an online parallel anomaly detection system that implements multiple anomaly detection algorithms in parallel to detect anomalies in real time. The main idea is to aggregate the detection data from multiple algorithms to come up with a single anomaly metric. We evaluate this system with realistic attacks on the DETER testbed. Our results show improved true positive and false negative rates for both high-intensity and slow-rise ramped floods. Furthermore, the system is able to detect attacks separated by as little as 15 seconds with a high true positive rate.
Keywords :
computer networks; parallel algorithms; telecommunication security; telecommunication traffic; computer network; multiple anomaly detection; network traffic anomaly detection; online parallel anomaly detection system; parallel algorithm; Aggregates; Detection algorithms; Face detection; Floods; Monitoring; Prototypes; Real time systems; Statistical analysis; System testing; Telecommunication traffic;
Conference_Title :
Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008. IEEE
Conference_Location :
New Orleans, LO
Print_ISBN :
978-1-4244-2324-8
DOI :
10.1109/GLOCOM.2008.ECP.393