A Traffic Decomposition and Prediction Method for Detecting and Tracing Network-Wide Anomalies
Ping DU, Shunji ABE, Yusheng JI, Seisho SATO, Makio ISHIGURO
IEICE TRANSACTIONS on Information and Systems
Publication Date: 2009/05/01
Online ISSN: 1745-1361
Print ISSN: 0916-8532
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Internet Security
anomaly detection, anomaly tracing, autoregressive (AR) model, Kalman filter,
Traffic volume anomalies refer to apparently abrupt changes in the time series of traffic volume, which can propagate through the network. Detecting and tracing these anomalies is a critical and difficult task for network operators. In this paper, we first propose a traffic decomposition method, which decomposes the traffic into three components: the trend component, the autoregressive (AR) component, and the noise component. A traffic volume anomaly is detected when the AR component is outside the prediction band for multiple links simultaneously. Then, the anomaly is traced using the projection of the detection result matrices for the observed links which are selected by a shortest-path-first algorithm. Finally, we validate our detection and tracing method by using the real traffic data from the third-generation Science Information Network (SINET3) and show the detected and traced results.
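The detection rule in the abstract (a link's AR component leaving its prediction band, on several links at the same time) can be sketched as follows. This is an added example, not code from the paper: the state-space form (random-walk trend plus AR(1)), every parameter value, the names out_of_band, network_anomalies and constructed_links, and the sample data are assumptions, and the tracing step is not covered.

```python
import math

def out_of_band(series, phi=0.8, q_trend=1.0, q_ar=4.0, r=1.0, z=3.0):
    """Per-sample out-of-band flags for one link (2-state Kalman filter).

    Assumed model, not taken from the paper: y_t = trend_t + ar_t + noise_t,
    with trend_t a random walk and ar_t an AR(1) process with coefficient phi.
    """
    trend, ar = series[0], 0.0
    p_tt, p_ta, p_aa = 10.0, 0.0, 10.0   # symmetric 2x2 state covariance
    flags = []
    for y in series:
        # Predict: the trend carries over, the AR component decays by phi.
        ar_pred = phi * ar
        p_tt, p_ta, p_aa = p_tt + q_trend, phi * p_ta, phi * phi * p_aa + q_ar
        s = p_tt + 2 * p_ta + p_aa + r   # variance of the one-step forecast
        # Detrended observation compared with the band around the AR forecast.
        innov = (y - trend) - ar_pred
        flags.append(abs(innov) > z * math.sqrt(s))
        # Update both components with the Kalman gain.
        k_t, k_a = (p_tt + p_ta) / s, (p_ta + p_aa) / s
        trend, ar = trend + k_t * innov, ar_pred + k_a * innov
        p_tt, p_ta, p_aa = (p_tt - k_t * k_t * s,
                            p_ta - k_t * k_a * s,
                            p_aa - k_a * k_a * s)
    return flags

def network_anomalies(links, min_links=2):
    """Time indices where at least min_links links are out of band together."""
    per_link = [out_of_band(s) for s in links.values()]
    return [t for t, col in enumerate(zip(*per_link)) if sum(col) >= min_links]

def constructed_links():
    """Constructed sample: three flat links, one local spike, one shared spike."""
    a, b, c = [100.0] * 60, [250.0] * 60, [80.0] * 60
    a[20] += 50.0                        # event seen on link A only
    for s in (a, b, c):
        s[40] += 50.0                    # event that reaches every link
    return {"A": a, "B": b, "C": c}

if __name__ == "__main__":
    print(network_anomalies(constructed_links()))
```

The spike on link A alone at index 20 is flagged for that link but not reported network-wide; the shared spike at index 40 is. Because the filter absorbs the spike into its state, the samples right after index 40 are also reported while it recovers.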