DocumentCode :
2079177
Title :
Traffic Anomaly Detection at Fine Time Scales with Bayes Nets
Author :
Kline, Jeff ; Nam, Sangnam ; Barford, Paul ; Plonka, David ; Ron, Amos
Author_Institution :
Dept. of Comput. Sci., Univ. of Wisconsin-Madison, Madison, WI
fYear :
2008
fDate :
June 29 2008-July 5 2008
Firstpage :
37
Lastpage :
46
Abstract :
Traffic anomaly detection using high performance measurement systems offers the possibility of improving the speed of detection and enabling detection of important, short-lived anomalies. In this paper we investigate the problem of detecting anomalies using traffic measurements with fine-grained timestamps. We develop a new detection algorithm (called S3) that utilizes a Bayes Net to efficiently consider multiple input signals and to explicitly define what is considered "anomalous". The input signals considered by S3 are traffic volumes and correlations between ingress/egress packet and bit rates. These complementary signals enable identification of an expanded range of anomalies. Using a set of high precision traffic measurements collected at our campus border router over a 10 month period and an annotated anomaly log supplied by our network operators, we show that S3 is highly accurate, identifying 86% of the anomalies listed in the log. Compared with well known time series-based and wavelet-based detectors, this represents over a 20% improvement in accuracy. Investigation of events identified by S3 that did not appear in the operator log indicates that many are, in fact, true positives. Deployment of S3 in an operational environment supports this by showing zero false positives during initial tests.
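The abstract describes S3 only at the level of its inputs (per-window traffic volume and ingress/egress correlation) and its combining mechanism (a Bayes Net whose structure states what "anomalous" means). The following added example is not the paper's S3 implementation; it is a toy detector written here to illustrate that idea. The two-leaf network structure (Anomaly -> VolumeHigh, Anomaly -> CorrelationLow), the conditional probability tables, the window size, the discretisation thresholds, and the 120 seconds of traffic bins are all assumptions constructed for the example. The constructed trace has egress tracking ingress everywhere except a 10-second ingress burst that egress does not answer, which is the kind of event a volume-only detector and a correlation-only detector would each score less confidently than the two together.

```python
"""Toy Bayes-net anomaly detector over fine-grained ingress/egress traffic bins.

Added illustration, not the S3 implementation from the paper.  The network
structure (Anomaly -> VolumeHigh, Anomaly -> CorrelationLow), the conditional
probability tables and the sample traffic are all assumptions made here.
"""
from math import sqrt
from statistics import mean, median

# Assumed conditional probability tables (CPTs).  A real deployment would fit
# these from operator-annotated history; the numbers below are illustrative.
P_ANOMALY = 0.01
P_VOL_HIGH = {True: 0.80, False: 0.05}   # P(volume high | anomaly?)
P_CORR_LOW = {True: 0.70, False: 0.10}   # P(ingress/egress correlation low | anomaly?)


def pearson(xs, ys):
    """Pearson correlation of two equal-length sequences (0.0 if either is constant)."""
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def posterior_anomaly(vol_high, corr_low):
    """P(anomaly | evidence), computed by enumeration over the two-leaf net."""
    def likelihood(anomaly):
        pv = P_VOL_HIGH[anomaly] if vol_high else 1 - P_VOL_HIGH[anomaly]
        pc = P_CORR_LOW[anomaly] if corr_low else 1 - P_CORR_LOW[anomaly]
        return pv * pc
    joint_anomaly = P_ANOMALY * likelihood(True)
    joint_normal = (1 - P_ANOMALY) * likelihood(False)
    return joint_anomaly / (joint_anomaly + joint_normal)


def window_evidence(ingress, egress, history, vol_factor=1.5, corr_threshold=0.5):
    """Discretise one window into the two evidence variables of the net.

    Volume is compared against the median of earlier windows (assumed baseline
    rule) so that one burst does not poison the baseline for later windows.
    """
    total = mean(i + e for i, e in zip(ingress, egress))
    vol_high = bool(history) and total > vol_factor * median(history)
    corr_low = pearson(ingress, egress) < corr_threshold
    return total, vol_high, corr_low


def detect(ingress, egress, window=10, threshold=0.5):
    """Return [(window_index, posterior)] for tumbling windows scoring above threshold."""
    flagged, history = [], []
    for k in range(len(ingress) // window):
        sl = slice(k * window, (k + 1) * window)
        total, vol_high, corr_low = window_evidence(ingress[sl], egress[sl], history)
        p = posterior_anomaly(vol_high, corr_low)
        if p > threshold:
            flagged.append((k, round(p, 3)))
        history.append(total)
    return flagged


def constructed_traffic():
    """Constructed 120 one-second packet-count bins (not measured data).

    Egress tracks ingress throughout, except for a 10-second ingress burst at
    t=60..69 whose shape is unrelated to the egress side.
    """
    ingress = [100 + (t % 5) * 2 for t in range(120)]
    egress = [90 + (t % 5) * 2 for t in range(120)]
    ingress[60:70] = [410, 380, 430, 395, 415, 405, 390, 425, 385, 420]
    return ingress, egress


if __name__ == "__main__":
    ing, egr = constructed_traffic()
    print(detect(ing, egr))  # -> [(6, 0.531)]
```

With the assumed CPTs, high volume alone gives a posterior of about 0.05 and low correlation alone about 0.015, so neither signal by itself crosses the 0.5 threshold; only the window where both hold is flagged. Bit rates would enter the same way, as a further evidence node hanging off the anomaly variable.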
Keywords :
Bayes methods; telecommunication security; telecommunication traffic; wavelet transforms; wide area networks; Bayes nets; fine time scales; fine-grained timestamps; high performance measurement systems; traffic anomaly detection; wavelet-based detectors; Bit rate; Detection algorithms; Detectors; Event detection; Internet; Measurement; Monitoring; Protection; Signal processing; Telecommunication traffic; anomaly detection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Internet Monitoring and Protection, 2008. ICIMP '08. The Third International Conference on
Conference_Location :
Bucharest
Print_ISBN :
978-0-7695-3189-2
Electronic_ISBN :
978-0-7695-3189-2
Type :
conf
DOI :
10.1109/ICIMP.2008.33
Filename :
4561324