Online Detection of Network Traffic Anomalies Using Degree Distributions
Wuzuo WANG, Weidong WU
DOI: 10.4236/ijcns.2010.32025   PDF    HTML     6,166 Downloads   11,722 Views   Citations


Diagnosing traffic anomalies rapidly and accurately is critical to the efficient operation of large computer networks. However, it is still a challenge for network administrators. One problem is that the amount of traffic data does not allow real-time analysis of details. Another problem is that some generic detection metrics possess lower capabilities on diagnosing anomalies. To overcome these problems, we propose a system model with an explicit algorithm to perform on-line traffic analysis. In this scheme, we first make use of degree distributions to effectively profile traffic features, and then use the entropy to determine and report changes of degree distributions, which changes of entropy values can accurately differentiate a massive network event, normal or anomalous by adaptive threshold. Evaluations of this scheme demonstrate that it is feasible and efficient for on-line anomaly detection in practice via simulations, using traffic trace collected at high-speed link.

Share and Cite:

W. WANG and W. WU, "Online Detection of Network Traffic Anomalies Using Degree Distributions," International Journal of Communications, Network and System Sciences, Vol. 3 No. 2, 2010, pp. 177-182. doi: 10.4236/ijcns.2010.32025.

Conflicts of Interest

The authors declare no conflicts of interest.


[1] A. Lakhina, M. Crovella, and C. Diot, “Characterization of network-wide anomalies in traffic flows (short paper),” In IMC, 2004.
[2] D. Brauckhoff, B. Tellenbach, A. Wagner, A. Lakhina, and M. May, “Impact of traffic sampling on anomaly detection metrics,” In Proceeding of ACM/USENIX IMC, 2006.
[3] P. Barford, J. Kline, D. Plonka, and A. Ron, “A signal analysis of network traffic anomalies,” In Proceeding of IMW, 2002.
[4] A. Wagner, and B. Platter, “Entropy based worm and anomaly detection in fast IP networks,” In Proceeding IEEE WETICE, 2005.
[5] A. Lakhina, M. Crovella, and C. Diot, “Mining anomalies using traffic feature distributions,” In Proceeding of ACM SIGCOMM, 2005.
[6] G. Nychis, V. Sekar, D. G. Andersen, H. Kim, and H. Zhang, “An empirical evaluation of entropy-based traffic anomaly detection,” In IMC, 2008.
[7] “Arbor networks,” At
[8] A. Lakhina, M. Crovella, and C. Diot, “Characterization of network-wide anomalies in traffic flows (Short Paper),” In IMC, 2004.
[9] “Riverhead networks,” At
[10] L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred, “Statistical approaches to DDoS attack detection and response,” In Proceedings of the DARPA Information Survivability Conference and Exposition, 2003.
[11] V. Karamcheti, D. Geiger, Z. Kedem, and S. Muthukri- Shnan, “Detecting malicious network traffic using inverse distributions of packet contents,” In Proceeding of ACM SIGCOMM MineNet, 2005.
[12] M. Thottan, and C. Ji, “Anomaly detection in IP networks,” In IEEE TRANSACTIONS ON SIGNAL PROCESSING, August 2003.
[13] Y. Gu, A. McCallum, and D. Towsley, “Detecting anom- alies in network traffic using maximum entropy estimation,” In IMC, 2005.
[14] K. Xu, F. Wang, S. Bhattacharyya, and Z.-L. Zhang, “A real-time network traffic profiling system,” In DSN, 2007.
[15] “FlowMatrix,” At php.
[16] M. Roesch, “Snort: Lightweight intrusion detection for networks,” In USENIX LISA, 1999.
[17] T Karagiannis, K Papagiannaki, and M Faloutsos, “BLINC: Multilevel traffic classification in the dark,” In Proceeding of ACM SIGCOMM, 2005.
[18] “CiscoNetflow,” At 812/tsd_technology_support_technical_references_list.html.

Copyright © 2024 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.