A Multi-Scale Tomographic Algorithm for Detecting and Classifying Traffic Anomalies

The occurrence of a traffic anomaly is always responsible for a degradation of performance. The anomaly can be observable, at some scale, in different ways: an increase in the number of packets, an increase in the number of bytes, a concentration of packets around a port number, etc. In this paper we propose an anomaly independent methodology for detecting such traffic anomalies and to classify them. To accomplish that, we integrate previous work in a multi-criteria tomographic analysis process, criteria being bytes, packets or flow rate, port number or address distribution, etc. As a demarcation from this inspiring work, this new methodology is based on a multi-scale analysis, which always permits the exhibition of anomalies on at least one parameter at one time scale. The motivation for using simple parameters deals with making the interpretation of anomalies simpler, and mitigation mechanisms obvious. In addition, this methodology associates to each anomaly a set of parameters that is able to characterize the anomaly and will serve as a signature for it. This paper presents this methodology, the related algorithm for anomaly detection, and its application on several real traffic traces captured on several networks: Auckland university, GEANT and Renater.