Internet Anomaly Detection Based on Complex Network Path

Jinfa WANG  Siyuan JIA  Hai ZHAO  Jiuqiang XU  Chuan LIN  

IEICE TRANSACTIONS on Communications   Vol.E101-B   No.12   pp.2397-2408
Publication Date: 2018/12/01
Online ISSN: 1745-1345
DOI: 10.1587/transcom.2017EBP3392
Type of Manuscript: PAPER
Category: Internet
Internet,  anomaly detection,  complex network,  network diameter,  network effective path,  network mean shortest path,  

Full Text: PDF(2.8MB)
>>Buy this Article

Detecting anomalies, such as network failure or intentional attack in Internet, is a vital but challenging task. Although numerous techniques have been developed based on Internet traffic, detecting anomalies from the perspective of Internet topology structure is going to be possible because the anomaly detection of structured datasets based on complex network theory has become a focus of attention recently. In this paper, an anomaly detection method for the large-scale Internet topology is proposed to detect local structure crashes caused by the cascading failure. In order to quantify the dynamic changes of Internet topology, the network path changes coefficient (NPCC) is put forward which highlights the Internet abnormal state after it is attacked continuously. Furthermore, inspired by Fibonacci Sequence, we proposed the decision function that can determine whether the Internet is abnormal or not. That is the current Internet is abnormal if its NPCC is out of the normal domain calculated using the previous k NPCCs of Internet topology. Finally the new Internet anomaly detection method is tested against the topology data of three Internet anomaly events. The results show that the detection accuracy of all events are over 97%, the detection precision for three events are 90.24%, 83.33% and 66.67%, when k=36. According to the experimental values of index F1, larger values of k offer better detection performance. Meanwhile, our method has better performance for the anomaly behaviors caused by network failure than those caused by intentional attack. Compared with traditional anomaly detection methods, our work is more simple and powerful for the government or organization in items of detecting large-scale abnormal events.