{"id":24,"date":"2009-09-15T14:26:46","date_gmt":"2009-09-15T21:26:46","guid":{"rendered":"http:\/\/ant.isi.edu\/blog\/?p=24"},"modified":"2020-10-19T10:44:03","modified_gmt":"2020-10-19T17:44:03","slug":"new-tech-report-parametric-methods-for-anomaly-detection-in-aggregate-traffic","status":"publish","type":"post","link":"https:\/\/ant.isi.edu\/blog\/?p=24","title":{"rendered":"new tech report \u201cParametric Methods for Anomaly Detection in Aggregate Traffic\u201d"},"content":{"rendered":"<p>We just posted a tech report \u201cParametric Methods for Anomaly Detection in Aggregate Traffic\u201d at &lt;<a href=\"ftp:\/\/ftp.isi.edu\/isi-pubs\/tr-663.pdf\">ftp:\/\/ftp.isi.edu\/isi-pubs\/tr-663.pdf<\/a>&gt;.  This paper represents quite a bit of work looking at how to apply parametric detection as part of the NSF-sponsored <a href=\"http:\/\/www.isi.edu\/ant\/madcat\/\">MADCAT<\/a> project.<\/p>\n<p>From the abstract:<\/p>\n<blockquote><p>This paper develops parametric methods to detect network anomalies using only aggregate traffic statistics in contrast to other works requiring flow separation, even when the anomaly is a small fraction of the total traffic.\u00a0 By adopting simple statistical models for anomalous and background traffic in the time-domain, one can estimate model parameters in real-time, thus obviating the need for a long training phase or manual parameter tuning.\u00a0 The detection mechanism uses a sequential probability ratio test, allowing for control over the false positive rate while examining the trade-off between detection time and the strength of an anomaly.\u00a0 Additionally, it uses both traffic-rate and packet-size statistics, yielding a bivariate model that eliminates most false positives.\u00a0 The method is analyzed using the bitrate SNR metric, which is shown to be an effective metric for anomaly detection.\u00a0 The performance of the bPDM is evaluated in three ways:\u00a0 first, synthetically generated traffic provides for a controlled comparison of detection time as a function of the anomalous level of traffic.\u00a0 Second, the approach is shown to be able to detect controlled artificial attacks over the USC campus network in varying real traffic mixes.\u00a0 Third, the proposed algorithm achieves rapid detection of real denial-of-service attacks as determined by the replay of previously captured network traces.\u00a0 The method developed in this paper is able to detect all attacks in these scenarios in a few seconds or less.<\/p><\/blockquote>\n<p>\nCitation: Gautam Thatte, Urbashi Mitra, and John Heidemann. Parametric Methods for Anomaly Detection in Aggregate Traffic. Technical Report N. ISI-TR-2009-663, USC\/Information Sciences Institute, August, 2009. http:\/\/www.isi.edu\/~johnh\/PAPERS\/Thatte09a.html.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We just posted a tech report \u201cParametric Methods for Anomaly Detection in Aggregate Traffic\u201d at &lt;ftp:\/\/ftp.isi.edu\/isi-pubs\/tr-663.pdf&gt;. This paper represents quite a bit of work looking at how to apply parametric detection as part of the NSF-sponsored MADCAT project. From the abstract: This paper develops parametric methods to detect network anomalies using only aggregate traffic statistics [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[282,283],"tags":[17,5,18],"class_list":["post-24","post","type-post","status-publish","format-standard","hentry","category-publications","category-technical-report","tag-anomaly-detection","tag-papers","tag-security"],"_links":{"self":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=24"}],"version-history":[{"count":7,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/24\/revisions"}],"predecessor-version":[{"id":1677,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/24\/revisions\/1677"}],"wp:attachment":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}