Comparing anomaly detection methods in computer networks
This work in progress outlines a comparison of anomaly detection methods that we are undertaking. We compare different types of anomaly detection methods with the aim of obtaining results that cover a broad spectrum of anomalies. We also outline the datasets we will use and the metrics we will apply in our evaluation.
Robust control tools for traffic monitoring in TCP/AQM networks
Several studies have applied control-theoretic tools to traffic control in
communication networks, for example to the congestion control problem in IP
(Internet Protocol) routers. In this paper, we design a linear observer for
time-delay systems to address traffic monitoring in TCP/AQM (Transmission
Control Protocol/Active Queue Management) networks. Because of the various
propagation delays and the queueing delay, the TCP/AQM system is modeled as a
multiple time-delay system of a particular form. Hence, appropriate robust
control tools, such as quadratic separation, are adopted to construct a
delay-dependent observer for TCP flow estimation. The developed mechanism also
supports anomaly detection for a class of DoS (Denial of Service) attacks.
Finally, simulations with the network simulator NS-2 and an emulation
experiment validate the proposed methodology.
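To make the delayed dynamics concrete, here is a minimal sketch that simulates the classical fluid-flow model of TCP/AQM (coupled window and queue equations with an RTT-dependent delay), the kind of multiple-delay system on which such an observer would be built. All parameter values are illustrative assumptions, and the sketch does not implement the paper's quadratic-separation observer.

# Minimal sketch: Euler simulation of the classical TCP/AQM fluid-flow model.
# Parameters are illustrative assumptions, not taken from the paper.
import numpy as np

C = 3750.0       # link capacity (packets/s), assumed
N = 60           # number of TCP flows, assumed
Tp = 0.2         # propagation delay (s), assumed
p_drop = 0.01    # constant AQM marking probability, assumed
dt = 1e-3
T = 20.0

steps = int(T / dt)
W = np.ones(steps)           # TCP window size
q = np.zeros(steps)          # queue length (packets)

for k in range(steps - 1):
    R = q[k] / C + Tp                        # round-trip time: queueing + propagation
    d = max(k - int(R / dt), 0)              # index delayed by one RTT
    R_d = q[d] / C + Tp
    # window dynamics: additive increase, multiplicative decrease on delayed drops
    dW = 1.0 / R - (W[k] * W[d]) / (2.0 * R_d) * p_drop
    # queue dynamics: aggregate arrival rate minus service rate
    dq = N * W[k] / R - C
    W[k + 1] = max(W[k] + dt * dW, 0.0)
    q[k + 1] = min(max(q[k] + dt * dq, 0.0), 800.0)   # bounded buffer, assumed

print("steady-state window ~", W[-1])
print("steady-state queue  ~", q[-1])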
Distributed Change Detection via Average Consensus over Networks
Distributed change-point detection is a fundamental problem in real-time
monitoring with sensor networks. We propose a distributed detection algorithm
in which each sensor exchanges only its CUSUM statistic with its neighbors via
an average consensus scheme, and an alarm is raised when a local consensus
statistic exceeds a pre-specified global threshold. We provide theoretical
performance bounds showing that, under mild conditions, the fully distributed
scheme can match the performance of centralized algorithms. Numerical
experiments demonstrate the good performance of the algorithm, especially in
detecting asynchronous changes.
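As a rough illustration of the scheme, the sketch below runs a local CUSUM recursion at each sensor for an assumed Gaussian mean-shift model and mixes the statistics with one average-consensus step per sample; the ring topology, consensus weights, and threshold are assumptions rather than the paper's calibrated choices.

# Sketch: distributed CUSUM with one average-consensus exchange per sample.
# The Gaussian mean-shift setting and all parameters are assumptions.
import numpy as np

rng = np.random.default_rng(0)
n_sensors, T, change_time = 10, 400, 200
mu0, mu1, sigma = 0.0, 0.5, 1.0
threshold = 20.0                               # assumed global threshold

# ring topology: doubly-stochastic consensus weight matrix
Wc = np.zeros((n_sensors, n_sensors))
for i in range(n_sensors):
    Wc[i, i] = 0.5
    Wc[i, (i - 1) % n_sensors] = 0.25
    Wc[i, (i + 1) % n_sensors] = 0.25

S = np.zeros(n_sensors)                        # consensus CUSUM statistics
for t in range(T):
    mean = mu1 if t >= change_time else mu0
    x = rng.normal(mean, sigma, n_sensors)
    # CUSUM increment: log-likelihood ratio of post- vs pre-change Gaussian
    llr = (mu1 - mu0) / sigma**2 * (x - (mu0 + mu1) / 2.0)
    S = np.maximum(S + llr, 0.0)               # local CUSUM recursion
    S = Wc @ S                                 # one average-consensus exchange
    if np.any(S > threshold):
        print(f"alarm at t={t} (true change at t={change_time})")
        break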
Contamination Estimation via Convex Relaxations
Identifying anomalies and contamination in datasets is important in a wide
variety of settings. In this paper, we describe a new technique for estimating
contamination in large, discrete-valued datasets. Our approach considers the
normal condition of the data to be specified by a model consisting of a set of
distributions. Our key contribution is our approach to contamination
estimation: we develop a technique that identifies the minimum number of data
points that must be discarded (i.e., the level of contamination) from an
empirical data set in order to match the model to within a specified
goodness-of-fit, controlled by a p-value. Appealing to results from large
deviations theory, we show that a lower bound on the level of contamination
can be obtained by solving a series of convex programs. Theoretical results
guarantee that the bound converges at a rate of , where p is the size of the
empirical data set.
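A simplified sketch of this idea, assuming a single nominal distribution (rather than a set of distributions) and a KL-based goodness-of-fit constraint: the convex program below maximizes the number of retained samples, so the discarded count serves as a contamination estimate in the spirit of the paper's lower bound. The threshold tau stands in for the p-value-controlled tolerance, the data are synthetic, and this is not the paper's exact relaxation.

# Sketch: contamination estimation for discrete data via a convex program.
# Single nominal distribution q and KL goodness-of-fit are simplifying assumptions.
import numpy as np
import cvxpy as cp

rng = np.random.default_rng(1)
q = np.array([0.5, 0.3, 0.15, 0.05])                 # nominal model distribution (assumed)
n = 1000
clean = rng.multinomial(900, q)                       # 900 "normal" samples
contam = rng.multinomial(100, [0.0, 0.0, 0.1, 0.9])  # 100 contaminated samples
c = clean + contam                                    # observed counts

tau = 3.0                                             # GoF threshold (assumed, plays the role of the p-value)

z = cp.Variable(len(q), nonneg=True)                  # retained counts per symbol
constraints = [
    z <= c,
    cp.sum(cp.kl_div(z, q * cp.sum(z))) <= tau,       # equals n_kept * KL(kept-dist || q) <= tau
]
prob = cp.Problem(cp.Maximize(cp.sum(z)), constraints)
prob.solve()

print("estimated contamination (points discarded):", round(n - z.value.sum()))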
Why (and How) Networks Should Run Themselves
The proliferation of networked devices, systems, and applications that we
depend on every day makes managing networks more important than ever. The
increasing security, availability, and performance demands of these
applications suggest that these increasingly difficult network management
problems be solved in real time, across a complex web of interacting protocols
and systems. Alas, just as the importance of network management has increased,
the network has grown so complex that it is seemingly unmanageable. In this new
era, network management requires a fundamentally new approach. Instead of
optimizations based on closed-form analysis of individual protocols, network
operators need data-driven, machine-learning-based models of end-to-end and
application performance based on high-level policy goals and a holistic view of
the underlying components. Instead of anomaly detection algorithms that operate
on offline analysis of network traces, operators need classification and
detection algorithms that can make real-time, closed-loop decisions. Networks
should learn to drive themselves. This paper explores this concept, discussing
how we might attain this ambitious goal by more closely coupling measurement
with real-time control and by relying on learning for inference and prediction
about a networked application or system, as opposed to closed-form analysis of
individual protocols.
Towards a Theoretical Analysis of PCA for Heteroscedastic Data
Principal Component Analysis (PCA) is a method for estimating a subspace
given noisy samples. It is useful in a variety of problems ranging from
dimensionality reduction to anomaly detection and the visualization of high
dimensional data. PCA performs well in the presence of moderate noise and even
with missing data, but is also sensitive to outliers. PCA is also known to have
a phase transition when noise is independent and identically distributed;
recovery of the subspace sharply declines at a threshold noise variance.
Effective use of PCA requires a rigorous understanding of these behaviors. This
paper provides a step towards an analysis of PCA for samples with
heteroscedastic noise, that is, samples that have non-uniform noise variances
and so are no longer identically distributed. In particular, we provide a
simple asymptotic prediction of the recovery of a one-dimensional subspace from
noisy heteroscedastic samples. The prediction enables: a) easy and efficient
calculation of the asymptotic performance, and b) qualitative reasoning to
understand how PCA is impacted by heteroscedasticity (such as outliers).
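To make the setting concrete, the sketch below generates a rank-one signal plus noise whose variance differs across two groups of samples, then measures how well the top principal component recovers the true one-dimensional subspace; dimensions and noise levels are illustrative assumptions, and the paper's asymptotic prediction is not reproduced here.

# Sketch: PCA recovery of a one-dimensional subspace under heteroscedastic noise.
# All sizes and noise variances are illustrative assumptions.
import numpy as np

rng = np.random.default_rng(2)
d, n = 200, 1000
u = rng.normal(size=d)
u /= np.linalg.norm(u)                    # true one-dimensional subspace

theta = rng.normal(size=n)                # signal coefficients
sigmas = np.where(np.arange(n) < n // 2, 0.5, 2.0)   # two noise levels across samples
X = np.outer(theta, u) + rng.normal(size=(n, d)) * sigmas[:, None]

# PCA: top right singular vector of the centered data matrix
Xc = X - X.mean(axis=0)
_, _, Vt = np.linalg.svd(Xc, full_matrices=False)
u_hat = Vt[0]

recovery = (u_hat @ u) ** 2               # squared cosine similarity in [0, 1]
print(f"subspace recovery |<u_hat, u>|^2 = {recovery:.3f}")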