Parametric Methods for Anomaly Detection in Aggregate Traffic. Thatte, G., Mitra, U., & Heidemann, J. ACM/IEEE Transactions on Networking, 19(2):512–525, August, 2010. (Appeared in print April 2011)
This paper develops parametric methods to detect network anomalies using only aggregate traffic statistics, in contrast to other works requiring flow separation, even when the anomaly is a small fraction of the total traffic. By adopting simple statistical models for anomalous and background traffic in the time-domain, one can estimate model parameters in real-time, thus obviating the need for a long training phase or manual parameter tuning. The proposed bivariate Parametric Detection Mechanism (bPDM) uses a sequential probability ratio test, allowing for control over the false positive rate while examining the trade-off between detection time and the strength of an anomaly. Additionally, it uses both traffic-rate and packet-size statistics, yielding a bivariate model that eliminates most false positives. The method is analyzed using the bitrate SNR metric, which is shown to be an effective metric for anomaly detection. The performance of the bPDM is evaluated in three ways: first, synthetically-generated traffic provides for a controlled comparison of detection time as a function of the anomalous level of traffic. Second, the approach is shown to be able to detect controlled artificial attacks over the USC campus network in varying real traffic mixes. Third, the proposed algorithm achieves rapid detection of real denial-of-service attacks as determined by the replay of previously captured network traces. The method developed in this paper is able to detect all attacks in these scenarios in a few seconds or less.
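To make the abstract's sequential test concrete, here is an added illustration (not code from the paper or from the ANT project) of a bivariate SPRT run over per-interval packet-rate and mean-packet-size samples. The Gaussian models, the parameter values, the constructed trace and the restart-on-lower-threshold rule are assumptions of this example, not the paper's actual model; the closing helper shows Wald's approximation for how detection time falls as the anomaly grows stronger.

```python
import math

def wald_thresholds(alpha, beta):
    """Wald's SPRT stopping thresholds on the log-likelihood-ratio scale.
    alpha: target false-positive rate, beta: target miss rate."""
    return math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)

def gaussian_llr(x, mu0, mu1, sd):
    """log p1(x)/p0(x) for two Gaussians sharing the same standard deviation."""
    return ((x - mu0) ** 2 - (x - mu1) ** 2) / (2 * sd ** 2)

def bivariate_llr(rate, size, h0, h1):
    """Assumed model: packet rate and mean packet size are independent
    Gaussians, so the bivariate LLR is the sum of the two marginal LLRs."""
    return (gaussian_llr(rate, h0["rate"], h1["rate"], h0["sd_rate"])
            + gaussian_llr(size, h0["size"], h1["size"], h0["sd_size"]))

def sprt_detect(samples, h0, h1, alpha=0.01, beta=0.01):
    """Run the SPRT over (rate, size) samples. Crossing the upper threshold
    declares an anomaly and returns its 1-based sample index; crossing the
    lower threshold accepts 'background' and restarts the test (assumed
    monitoring behaviour). Returns None if no anomaly is declared."""
    lo, hi = wald_thresholds(alpha, beta)
    llr = 0.0
    for i, (rate, size) in enumerate(samples, start=1):
        llr += bivariate_llr(rate, size, h0, h1)
        if llr >= hi:
            return i
        if llr <= lo:
            llr = 0.0
    return None

def expected_detection_time(shift, sd, alpha=0.01, beta=0.01):
    """Wald's approximation E[N] ~ hi / E[per-sample LLR] for a Gaussian mean
    shift `shift` with std dev `sd` (rate statistic only): the number of
    samples needed falls with the square of the anomaly strength."""
    _, hi = wald_thresholds(alpha, beta)
    return hi / (shift ** 2 / (2 * sd ** 2))

# Constructed per-second samples (packets/s, mean bytes/packet), not real
# traffic: four background intervals, then a small-packet flood from sample 5.
H0 = {"rate": 1000, "sd_rate": 50, "size": 500, "sd_size": 100}
H1 = {"rate": 1100, "sd_rate": 50, "size": 440, "sd_size": 100}
TRACE = [(1000, 500), (1020, 510), (990, 480), (1010, 520),
         (1090, 450), (1110, 430), (1080, 460), (1120, 440)]

if __name__ == "__main__":
    print("anomaly declared at sample", sprt_detect(TRACE, H0, H1))  # 8
    for d in (100, 50, 25):
        print(f"rate shift {d} pps: ~{expected_detection_time(d, 50):.1f} samples")
```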
@Article{Thatte10a,
	author = 	"Gautam Thatte and Urbashi Mitra and John Heidemann",
	title = 	"Parametric Methods for Anomaly Detection in Aggregate Traffic",
	journal = 	"ACM/IEEE Transactions on Networking",
	year = 		2010,
	sortdate = 		"2010-08-01", 
	project = "ant, lacrend, lander, madcat",
	jsubject = "network_security",
	pages = 	"512--525",
	volume = 19,
	number = 2,
	month = 	aug,
	note = 	"(Appeared in print April 2011)",
	jlocation = 	"johnh: pafile",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Thatte10a.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Thatte10a.pdf",
	doi = "http://dx.doi.org/10.1109/TNET.2010.2070845",
	myorganization =	"USC/Information Sciences Institute",
	usessoftware = "stream_merger",
	abstract = "This paper develops parametric methods to detect network anomalies
using only aggregate traffic statistics, in contrast to other works
requiring flow separation, even when the anomaly is a small fraction
of the total traffic.  By adopting simple statistical models for
anomalous and background traffic in the time-domain, one can estimate
model parameters in real-time, thus obviating the need for a long
training phase or manual parameter tuning.  The proposed bivariate
Parametric Detection Mechanism (bPDM) uses a sequential probability
ratio test, allowing for control over the false positive rate while
examining the trade-off between detection time and the strength of an
anomaly.  Additionally, it uses both traffic-rate and packet-size
statistics, yielding a bivariate model that eliminates most false
positives.  The method is analyzed using the bitrate SNR metric, which
is shown to be an effective metric for anomaly detection.  The
performance of the bPDM is evaluated in three ways:  first,
synthetically-generated traffic provides for a controlled comparison
of detection time as a function of the anomalous level of traffic.
Second, the approach is shown to be able to detect controlled
artificial attacks over the USC campus network in varying real traffic
mixes.  Third, the proposed algorithm achieves rapid detection of real
denial-of-service attacks as determined by the replay of previously
captured network traces.  The method developed in this paper is able
to detect all attacks in these scenarios in a few seconds or less.",
}
