Optimal volume anomaly detection in network traffic flows

Author

Fillatre, Lionel ; Nikiforov, Igor ; Casas, Pedro ; Vaton, Sandrine

Author_Institution

LM2S, Univ. de Technol. de Troyes, Troyes, France

fYear

2008

fDate

25-29 Aug. 2008

Firstpage

1

Lastpage

5

Abstract

Optimal detection of unusual and significant changes in network Origin-Destination (OD) traffic volumes from simple link load measurements is considered in the paper. The ambient traffic, i.e. the OD traffic matrix corresponding to the non-anomalous network state, is unknown and it is considered here as a nuisance parameter because it can mask the anomalies. Since the OD traffic matrix is not recoverable from simple link load measurements, the anomaly detection is an ill-posed decision-making problem. The method proposed in this paper consists of finding a linear parsimonious model of ambient traffic (nuisance parameter) and detecting anomalies by using an invariant detection algorithm based on a separation of the measurement space into disjoint subspaces corresponding to normal and anomalous network traffic. The method´s ability to detect anomalies is evaluated in real traffic from Abilene, a United States backbone network. The theoretically expected results are confirmed.

Keywords

computer network management; decision making; matrix algebra; telecommunication traffic; OD traffic matrix; ambient traffic; anomalous network traffic; disjoint subspace; ill-posed decision making problem; invariant detection algorithm; linear parsimonious model; link load measurements; measurement space separation; network traffic flow; non-anomalous network state; optimal volume anomaly detection; origin-destination traffic volume; Gravity; Principal component analysis; Signal processing; Splines (mathematics); Testing; Time measurement; Vectors;

fLanguage

English

Publisher

ieee

Conference_Titel

Signal Processing Conference, 2008 16th European

Conference_Location

Lausanne

ISSN

2219-5491

Type

conf

Filename

7080664