IMC '05, 2005 Internet Measurement Conference Abstract
Pp. 331–344 of the Proceedings
Combining Filtering and Statistical Methods for Anomaly Detection
Augustin Soule and Kavé Salamatian, LIP6-UPMC; Nina Taft, Intel Research
Abstract
In this work we develop an approach to anomaly detection for large-scale networks such as those of an enterprise or an ISP. The traffic pattern we focus on for analysis is a network-wide view of the traffic state, called the traffic matrix. In the first step a Kalman filter is used to filter out the "normal" traffic. This is done by comparing our future predictions of the traffic matrix state to an inference of the actual traffic matrix that is made using more recent measurement data than those used for prediction. In the second step the residual filtered process is then examined for anomalies. We explain here how any anomaly detection method can be viewed as a problem in statistical hypothesis testing. We study and compare four different methods for analyzing residuals, two of which are new. These methods focus on different aspects of the traffic pattern change: one focuses on instantaneous behavior, another on changes in the mean of the residual process, a third on changes in the variance behavior, and a fourth examines variance changes over multiple timescales. We evaluate and compare all of these methods using ROC curves that illustrate the full tradeoff between false positives and false negatives for the complete spectrum of decision thresholds.
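The two-step pipeline the abstract describes, Kalman filtering of a traffic time series, a residual process examined as a statistical hypothesis test, and an ROC curve swept over every decision threshold, is illustrated by the following added Python example. It is not the authors' code or data: the traffic series is constructed inline (a single origin-destination element of a traffic matrix in 5-minute bins, with a constructed sustained volume shift and a constructed burst of high variability), the state model is a scalar random walk with assumed process and measurement noise variances `q` and `r`, and only two of the paper's four residual tests are implemented, the instantaneous test and a windowed mean-change test; the variance and multi-timescale methods are not shown.

```python
import math
import random

# Constructed anomaly windows (bin indices), used both to inject anomalies and as ground truth.
SHIFT_WINDOW = range(300, 316)   # sustained +80 volume shift (mean change)
VAR_WINDOW = range(450, 470)     # burst of extra variability (variance change)


def make_traffic(n=576, seed=7):
    """Constructed traffic for one traffic-matrix element: baseline 1000, a small diurnal
    component (period 288 bins = one day of 5-minute bins), N(0,5) measurement noise,
    plus the two injected anomaly windows above. Returns (series, labels)."""
    rng = random.Random(seed)
    series, labels = [], []
    for t in range(n):
        y = 1000 + 50 * math.sin(2 * math.pi * t / 288) + rng.gauss(0, 5)
        if t in SHIFT_WINDOW:
            y += 80
        if t in VAR_WINDOW:
            y += rng.gauss(0, 20)
        series.append(y)
        labels.append(t in SHIFT_WINDOW or t in VAR_WINDOW)
    return series, labels


def kalman_residuals(series, q=1.0, r=25.0):
    """Step 1: scalar random-walk Kalman filter (assumed model, not the paper's).
    State:       x_t = x_{t-1} + w_t,  w_t ~ N(0, q)
    Measurement: y_t = x_t + v_t,      v_t ~ N(0, r)
    Returns the innovations y_t - x_pred divided by their predicted standard deviation,
    so that under the model the residual process is N(0, 1)."""
    x_est, p = series[0], r
    residuals = []
    for y in series:
        x_pred, p_pred = x_est, p + q       # predict one step ahead
        s = p_pred + r                      # predicted innovation variance
        innov = y - x_pred                  # prediction vs. newer measurement
        residuals.append(innov / math.sqrt(s))
        k = p_pred / s                      # Kalman gain
        x_est = x_pred + k * innov          # correct with the new measurement
        p = (1 - k) * p_pred
    return residuals


def score_instantaneous(residuals):
    """Step 2a: test H0 'this sample is N(0,1)' using |z| as the statistic."""
    return [abs(z) for z in residuals]


def score_mean_shift(residuals, w=8):
    """Step 2b: test H0 'mean of the last w residuals is 0'; sqrt(w)*|mean| ~ |N(0,1)| under H0."""
    scores = []
    for i in range(len(residuals)):
        win = residuals[max(0, i - w + 1): i + 1]
        scores.append(math.sqrt(len(win)) * abs(sum(win) / len(win)))
    return scores


def roc_curve(scores, labels):
    """(false-positive rate, true-positive rate) for every decision threshold, sorted by FPR."""
    pos = sum(labels)
    neg = len(labels) - pos
    points = []
    for thr in [math.inf] + sorted(set(scores), reverse=True):
        tp = sum(1 for s, lab in zip(scores, labels) if s >= thr and lab)
        fp = sum(1 for s, lab in zip(scores, labels) if s >= thr and not lab)
        points.append((fp / neg, tp / pos))
    return sorted(points)


def auc(points):
    """Area under the ROC curve by the trapezoid rule."""
    return sum((x1 - x0) * (y0 + y1) / 2
               for (x0, y0), (x1, y1) in zip(points, points[1:]))


if __name__ == "__main__":
    series, labels = make_traffic()
    res = kalman_residuals(series)
    for name, scorer in (("instantaneous", score_instantaneous),
                         ("mean shift", score_mean_shift)):
        print(f"{name:14s} AUC = {auc(roc_curve(scorer(res), labels)):.3f}")
```

Because the random-walk filter adapts to a sustained shift within a few bins, the instantaneous statistic fires mainly at the onset and end of the volume shift, while the windowed mean statistic stays high across the whole window; the variability burst is visible to the instantaneous test but much less to the mean test. That is the kind of difference between methods the ROC comparison in the paper is meant to expose.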
The Proceedings are published as a collective work, © 2005 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.