A Taxonomy and Comparative Evaluation of Algorithms for Parallel Anomaly Detection

Anomaly detection in network traffic is an important technique for identifying operation and security problems in networks. Numerous anomaly detection algorithms have been proposed and deployed in practice. The recent availability of high-performance embedded processors in network systems has made it possible to implement these algorithms to monitor traffic in real-time. Since it is unlikely that any single anomaly detection technique will ever be sufficient, we propose the use of multiple existing anomaly detection algorithms in parallel. In this paper, we develop a method of combining different classes of anomaly detection algorithms and address the question of which combination of existing anomaly detection algorithms achieves the best detection accuracy. We also present a taxonomy of anomaly detection algorithms and evaluate six specific algorithms on a common evaluation platform. Based on this evaluation, we identify the combination of anomaly detection algorithms that achieve the highest detection accuracy and derive a few rules that can be used when deciding on combining and aggregating multiple algorithms.