36 research outputs found

    Network Anomaly Detection

    This master's thesis deals with methods for detecting anomalies in network traffic. It first reviews the basic concepts of anomaly detection and the technologies already in use. It then describes three methods for finding anomalies in more detail, together with some types of anomalies. The second part of the thesis describes the implementation of all three methods and presents the results of experiments on real data.

    New Methods for Network Traffic Anomaly Detection

    In this thesis we examine the efficacy of applying outlier detection techniques to understand the behaviour of anomalies in communication network traffic. We have identified several shortcomings. Our main finding is that known techniques focus on characterizing either the spatial or the temporal behaviour of traffic, but rarely both. For example, DoS attacks are anomalies that violate temporal patterns, while port scans violate the spatial equilibrium of network traffic. To address this weakness we have designed a new method for outlier detection based on the spectral decomposition of the Hankel matrix. The Hankel matrix is a spatio-temporal correlation matrix and has been used in many other domains, including climate data analysis and econometrics. Using our approach we can seamlessly integrate the discovery of both spatial and temporal anomalies. Comparison with other state-of-the-art methods from the networking community confirms that our approach can discover both DoS and port scan attacks. The spectral decomposition of the Hankel matrix is closely tied to the problem of inference in Linear Dynamical Systems (LDS). We introduce a new problem, the Online Selective Anomaly Detection (OSAD) problem, to model the situation where the objective is to report new anomalies in the system and suppress known faults. For example, in the network setting an operator may be interested in triggering an alarm for malicious attacks but not for faults caused by equipment failure. To solve OSAD we combine techniques from machine learning and control theory in a unique fashion. Machine learning ideas are used to learn the parameters of the underlying data-generating system. Control theory techniques are used to model the feedback and modify the residual generated by the data-generating state model. Experiments on synthetic and real data sets confirm that the OSAD problem captures a general scenario and tightly integrates machine learning and control theory to solve a practical problem.
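    The Hankel matrix the abstract refers to, written out as an added illustration (not from the thesis) using the standard trajectory-matrix construction of singular spectrum analysis; the thesis's exact block layout and choice of lag window are not given on this page and are assumed here.

For a series of traffic vectors $x_1, \dots, x_N \in \mathbb{R}^{d}$ (one coordinate per host, port or link) and a lag window $L$ with $K = N - L + 1$,
$$
H = \begin{bmatrix}
x_1 & x_2 & \cdots & x_K \\
x_2 & x_3 & \cdots & x_{K+1} \\
\vdots & \vdots & & \vdots \\
x_L & x_{L+1} & \cdots & x_N
\end{bmatrix} \in \mathbb{R}^{dL \times K},
\qquad H = U \Sigma V^{\top} .
$$
Each column is the $L$-step history of all $d$ coordinates, so the rows of $H$ are indexed by (coordinate, lag) pairs and the leading singular vectors in $U$ capture correlation across coordinates (spatial) and across lags (temporal) at the same time, which is why one decomposition can see both a DoS burst and a port scan. With the first $r$ components kept, $P_r = U_r U_r^{\top}$ spans the normal subspace and the residual energy of a new lagged column $h$,
$$
\varepsilon(h) = \lVert (I - P_r)\, h \rVert_2^2 ,
$$
is the outlier score. The thesis's online variant (OSAD), with its control-theoretic modification of the residual, is not written out here.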

    Structural Analysis of Network Traffic Matrix via Relaxed Principal Component Pursuit

    The network traffic matrix is widely used in network operation and management. It is therefore of crucial importance to analyze the components and the structure of the network traffic matrix, for which several mathematical approaches such as Principal Component Analysis (PCA) have been proposed. In this paper, we first argue that PCA performs poorly when analyzing a traffic matrix that is polluted by large-volume anomalies, and then propose a new decomposition model for the network traffic matrix. According to this model, we carry out the structural analysis by decomposing the network traffic matrix into three sub-matrices, namely the deterministic traffic, the anomaly traffic and the noise traffic matrix, which is similar to the Robust Principal Component Analysis (RPCA) problem previously studied in [13]. Based on the Relaxed Principal Component Pursuit (Relaxed PCP) method and the Accelerated Proximal Gradient (APG) algorithm, we present an iterative approach for decomposing a traffic matrix, and demonstrate its efficiency and flexibility with experimental results. Finally, we discuss several features of the deterministic and noise traffic. Our study develops a novel method for the structural analysis of the traffic matrix which is robust against pollution by large-volume anomalies.
    Comment: Accepted to Elsevier Computer Network
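    The three-way decomposition the abstract describes, written out as an added illustration (not from the paper) with the standard relaxed principal component pursuit objective and the two proximal steps an accelerated proximal gradient iteration alternates; the paper's own weights and stopping rule are not on this page, so $\lambda$, $\mu$ and the matrix orientation below are assumptions.

With $X \in \mathbb{R}^{m \times n}$ the observed traffic matrix (for example rows = time bins, columns = origin-destination flows),
$$
X = A + E + N, \qquad
\min_{A,\,E}\ \lVert A \rVert_{*} + \lambda \lVert E \rVert_{1} + \frac{1}{2\mu} \lVert X - A - E \rVert_{F}^{2},
$$
where $A$ (low rank) is the deterministic traffic, $E$ (sparse) the anomaly traffic, and $N = X - A - E$ the noise; $\lVert \cdot \rVert_{*}$ is the nuclear norm (sum of singular values), so both the rank constraint and the sparsity constraint are relaxed to convex penalties. Each APG iteration updates the two blocks with their proximal maps, singular-value soft thresholding for $A$ and entrywise soft thresholding for $E$:
$$
\mathcal{D}_{\tau}(Y) = U\, \mathcal{S}_{\tau}(\Sigma)\, V^{\top} \quad (Y = U \Sigma V^{\top}), \qquad
\mathcal{S}_{\tau}(y) = \operatorname{sign}(y) \max(\lvert y \rvert - \tau, 0),
$$
with $\lambda = 1/\sqrt{\max(m, n)}$ the usual default weight. Plain PCA fails on the same $X$ because a single large-volume anomaly is absorbed into the leading principal components, that is, into $A$; the $\ell_1$ penalty is what keeps it in $E$.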

    Network-Wide Traffic Anomaly Detection and Localization Based on Robust Multivariate Probabilistic Calibration Model

    Network anomaly detection and localization are of great significance to network security. Compared with traditional host-based, single-link and single-path methods, network-wide anomaly detection approaches have distinct advantages in detection precision and coverage. However, when facing the practical problems of noise interference or data loss, network-wide approaches also suffer a significant performance reduction or may even become unusable. Besides, research on anomaly localization is rare. To solve these problems, this paper presents a robust multivariate probabilistic calibration model for network-wide anomaly detection and localization. It applies latent variable probability theory with a multivariate t-distribution to establish the normal traffic model. The algorithm not only detects network anomalies by judging whether a sample's Mahalanobis distance exceeds the threshold, but also locates anomalies by contribution analysis. Both theoretical analysis and experimental results demonstrate its robustness and wider applicability. The algorithm is applicable both to complete data and to data with losses. It also has stronger resistance to noise interference and lower sensitivity to parameter changes, all of which indicate its performance stability.
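    One way to implement the detection and localization step the abstract describes, as an added example that is not the paper's code: fit a normal-traffic model to a calibration window of link loads, raise an alarm when a new bin's squared Mahalanobis distance exceeds a chi-square threshold, and attribute the distance to individual links by contribution analysis. The example uses a plain Gaussian fit (sample mean and covariance); the paper's robust multivariate-t calibration and its handling of missing data are not reproduced, and the link loads below are constructed.

```python
"""Network-wide anomaly detection and localization on a link-load matrix
using a Mahalanobis-distance threshold and contribution analysis.

Added illustration, not the paper's code. A plain Gaussian model (sample mean
and unbiased covariance) stands in for the paper's robust multivariate-t
calibration, which is an assumption of this example. All loads are constructed.
"""

LINKS = ["core", "edge_a", "edge_b", "dmz"]

# Constructed calibration window: twelve 5-minute bins of link load (Mbit/s),
# one column per link, from a period the operator treats as normal.
CALIBRATION = [
    [101, 39, 36, 10], [98, 42, 34, 11], [104, 40, 33, 9], [99, 38, 37, 12],
    [102, 43, 35, 10], [97, 41, 38, 8], [103, 37, 34, 11], [100, 40, 36, 9],
    [96, 42, 33, 12], [105, 39, 37, 10], [99, 41, 35, 11], [102, 38, 34, 9],
]

# Under a Gaussian model the squared Mahalanobis distance of a normal sample is
# chi-square distributed with one degree of freedom per link; this is the 0.99
# quantile for 4 degrees of freedom.
THRESHOLD = 13.277


def mean_vector(rows):
    n = len(rows)
    return [sum(r[j] for r in rows) / n for j in range(len(rows[0]))]


def covariance(rows, mu):
    """Unbiased sample covariance matrix of the calibration rows."""
    n, d = len(rows), len(mu)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        dev = [r[j] - mu[j] for j in range(d)]
        for i in range(d):
            for j in range(d):
                cov[i][j] += dev[i] * dev[j] / (n - 1)
    return cov


def invert(matrix):
    """Gauss-Jordan inversion with partial pivoting (fine for a few links)."""
    d = len(matrix)
    aug = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(d)]
           for i, row in enumerate(matrix)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular covariance; collect more calibration bins")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(d):
            if r != col:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[d:] for row in aug]


def fit(rows):
    """Normal-traffic model: (mean vector, inverse covariance)."""
    mu = mean_vector(rows)
    return mu, invert(covariance(rows, mu))


def score(sample, model, threshold=THRESHOLD):
    """Return d^2, the alarm decision and each link's contribution to d^2.

    Link j contributes (x_j - mu_j) * [Sigma^-1 (x - mu)]_j; the contributions
    sum to d^2, so the largest one localizes the link driving the alarm."""
    mu, inv_cov = model
    d = len(mu)
    dev = [sample[j] - mu[j] for j in range(d)]
    proj = [sum(inv_cov[i][j] * dev[j] for j in range(d)) for i in range(d)]
    contributions = {LINKS[j]: dev[j] * proj[j] for j in range(d)}
    d2 = sum(contributions.values())
    anomalous = d2 > threshold
    culprit = max(contributions, key=contributions.get) if anomalous else None
    return {"d2": d2, "anomalous": anomalous,
            "contributions": contributions, "culprit": culprit}


if __name__ == "__main__":
    model = fit(CALIBRATION)
    # Re-score the calibration bins, then a constructed bin in which the DMZ
    # link jumps from ~10 Mbit/s to 95 Mbit/s while the other links stay normal.
    for bin_ in CALIBRATION + [[101, 40, 35, 95]]:
        r = score(bin_, model)
        verdict = "ALARM on %s" % r["culprit"] if r["anomalous"] else "ok"
        print(bin_, "d2=%.1f" % r["d2"], verdict)
```

    The chi-square threshold is only valid under the Gaussian assumption; with heavy-tailed or partially missing data it over-alarms, which is the gap the paper's t-distribution calibration is meant to close.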

    Electrocardiogram data collection under network attacks on the MAC platform

    Increasing heart disease among human beings needs more precise treatment, which requires monitoring of the electrocardiogram (ECG). In many cases, real-time monitoring of ECG is needed via wireless or wireline networks. Use of network-connected computers for monitoring purposes can raise security issues, which can be created by viruses, worms, or external agents such as DoS attack traffic. Any alteration of this biomedical signal can lead to wrong diagnosis and wrong treatment. Furthermore, in the healthcare industry, HIPAA rules require health information to be kept secure by providing confidentiality, integrity, and availability. This thesis investigates how the integrity and availability of remotely monitored ECG signals can be affected silently by adverse network conditions, hence raising false alarms. In this thesis, components of monitored ECG signals under adverse network conditions are measured and compared against normal ECG signals for the detection of different heart diseases.

    Network Traffic Deviation Detection Based on Fractal Dimension

    In this paper we examine aggregate network traffic for deviation detection. Precise and fast detection of deviations in network traffic is crucial for the efficient operation of a network, yet it is often difficult to determine the time at which a defect occurs. This paper presents a new algorithm that monitors aggregate network traffic in order to quickly detect the time at which a deviation occurs. This is done by monitoring statistical attributes of the time series representing the network behaviour. The method examines the network behaviour using the fractal dimension and the discrete stationary wavelet transform. In the proposed method, after applying the discrete stationary wavelet transform to the signal representing the network traffic, the fractal dimension of the decomposed signal is computed in a sliding window. Variations of the signal's fractal dimension are then used for deviation detection. The performance of the proposed method is compared with that of three other existing methods using synthetic signals. The results show the superiority of the proposed method in terms of precision compared to the existing methods.
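    The procedure in the abstract, as an added example that is not the paper's code: decompose the traffic series with a stationary wavelet transform, compute the fractal dimension of the detail signal in a sliding window, and flag the window in which it departs from the calibration windows. The page does not name the wavelet, the level, the fractal-dimension estimator or the decision rule, so the choices below (level-1 undecimated Haar detail, Higuchi's estimator, a fixed deviation of 0.3) are assumptions, and the traffic series is constructed.

```python
"""Deviation detection on aggregate traffic from the fractal dimension of a
wavelet-decomposed signal, computed in a sliding window.

Added illustration, not the paper's code. Assumptions not stated on the page:
the decomposition is a level-1 stationary (undecimated) Haar wavelet detail,
the fractal dimension is Higuchi's estimate, and a window is flagged when its
fractal dimension departs from the calibration windows' mean by more than 0.3.
The traffic series is constructed: 128 bins of a clean periodic load followed
by 128 bins with large bursty fluctuations superimposed.
"""
import math


def make_traffic(n_normal=128, n_bursty=128):
    """Constructed aggregate load (Mbit/s per bin) with a period-16 cycle."""
    series = [100.0 + 20.0 * math.sin(2 * math.pi * t / 16) for t in range(n_normal)]
    state = 2024  # fixed-seed linear congruential generator: reproducible bursts
    for t in range(n_normal, n_normal + n_bursty):
        state = (1103515245 * state + 12345) % (1 << 31)
        burst = (state / (1 << 31) - 0.5) * 60.0  # uniform in [-30, 30)
        series.append(100.0 + 20.0 * math.sin(2 * math.pi * t / 16) + burst)
    return series


def haar_detail(x):
    """Level-1 stationary Haar wavelet detail: no downsampling, so sample t of
    the result still lines up with bin t of the traffic series."""
    return [(x[t] - x[t + 1]) / math.sqrt(2.0) for t in range(len(x) - 1)]


def higuchi_fd(x, kmax=8):
    """Higuchi fractal dimension: curve length L(k) at lags k = 1..kmax, then
    minus the least-squares slope of log L(k) against log k."""
    n = len(x)
    log_k, log_l = [], []
    for k in range(1, kmax + 1):
        total = 0.0
        for m in range(k):
            count = (n - 1 - m) // k
            if count == 0:
                continue
            length = sum(abs(x[m + i * k] - x[m + (i - 1) * k]) for i in range(1, count + 1))
            total += length * (n - 1) / (count * k) / k
        if total > 0:
            log_k.append(math.log(k))
            log_l.append(math.log(total / k))
    mk = sum(log_k) / len(log_k)
    ml = sum(log_l) / len(log_l)
    sxy = sum((a - mk) * (b - ml) for a, b in zip(log_k, log_l))
    sxx = sum((a - mk) ** 2 for a in log_k)
    return -sxy / sxx


def sliding_fd(signal, window=64, stride=8, kmax=8):
    """(start index, fractal dimension) for each window of the signal."""
    return [(s, higuchi_fd(signal[s:s + window], kmax))
            for s in range(0, len(signal) - window + 1, stride)]


def detect_deviation(fds, calibration=8, delta=0.3):
    """Flag windows whose fractal dimension departs from the mean of the
    first `calibration` windows by more than `delta` (assumed threshold)."""
    baseline = sum(fd for _, fd in fds[:calibration]) / calibration
    return [s for s, fd in fds if abs(fd - baseline) > delta]


def analyze(window=64, stride=8):
    """Run the whole pipeline on the constructed series."""
    detail = haar_detail(make_traffic())
    fds = sliding_fd(detail, window, stride)
    flagged = detect_deviation(fds)
    return {"fds": fds, "flagged": flagged,
            "first_alarm": flagged[0] if flagged else None}


if __name__ == "__main__":
    result = analyze()
    for start, fd in result["fds"]:
        mark = " <- deviation" if start in result["flagged"] else ""
        print("window %3d-%3d  FD=%.3f%s" % (start, start + 64, fd, mark))
    print("first alarm raised by window starting at bin", result["first_alarm"])
```

    The clean periodic load gives a fractal dimension near 1.2 and the bursty segment pushes it toward 2, so the first flagged window is one that overlaps the change at bin 128; the detection delay is bounded by the window length, which is the precision-versus-latency trade-off the abstract's comparison is about.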