A Traffic Decomposition and Prediction Method for Detecting and Tracing Network-Wide Anomalies

Ping DU  Shunji ABE  Yusheng JI  Seisho SATO  Makio ISHIGURO  

IEICE TRANSACTIONS on Information and Systems   Vol.E92-D   No.5   pp.929-936
Publication Date: 2009/05/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.E92.D.929
Print ISSN: 0916-8532
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Internet Security
Keywords: anomaly detection, anomaly tracing, autoregressive (AR) model, Kalman filter

Traffic volume anomalies refer to apparently abrupt changes in the time series of traffic volume, which can propagate through the network. Detecting and tracing these anomalies is a critical and difficult task for network operators. In this paper, we first propose a traffic decomposition method, which decomposes the traffic into three components: the trend component, the autoregressive (AR) component, and the noise component. A traffic volume anomaly is detected when the AR component is outside the prediction band for multiple links simultaneously. Then, the anomaly is traced using the projection of the detection result matrices for the observed links which are selected by a shortest-path-first algorithm. Finally, we validate our detection and tracing method by using the real traffic data from the third-generation Science Information Network (SINET3) and show the detected and traced results.
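
The detection rule in the abstract (AR component outside its prediction band on multiple links at the same time) can be sketched as follows. This is an added example, not the paper's code: the trailing-mean trend, the least-squares AR(1) fit, the constants `W`, `K`, `MIN_LINKS`, `TRAIN_END` and the four-link sample data are assumptions standing in for the paper's decomposition, which this page does not detail.

```python
import random
from statistics import mean, pstdev

# Assumed parameters: trend window, band width in sigmas, link quorum, training length.
W, K, MIN_LINKS, TRAIN_END = 10, 4.0, 3, 80

def ar_residuals(x):
    """Detrend with a trailing mean, fit AR(1) on the training prefix.
    Returns ({t: one-step prediction error}, sigma of training errors)."""
    d = [x[t] - mean(x[t - W + 1:t + 1]) for t in range(W - 1, len(x))]
    off = W - 1                                   # d[i] is the value at time i + off
    tr = d[:TRAIN_END - off]
    phi = sum(a * b for a, b in zip(tr[1:], tr[:-1])) / sum(b * b for b in tr[:-1])
    res = {i + off: d[i] - phi * d[i - 1] for i in range(1, len(d))}
    sigma = pstdev([res[t] for t in range(off + 1, TRAIN_END)])
    return res, sigma

def detect(links):
    """Return {t: [links out of band]} where at least MIN_LINKS links leave
    the band (prediction +/- K*sigma) at the same time step."""
    flagged = {}
    for name, x in links.items():
        res, sigma = ar_residuals(x)
        for t, e in res.items():
            if t >= TRAIN_END and abs(e) > K * sigma:
                flagged.setdefault(t, []).append(name)
    return {t: sorted(n) for t, n in sorted(flagged.items()) if len(n) >= MIN_LINKS}

def make_links(n=200, seed=1):
    """Constructed sample: 4 links, slow trend + AR(1) + noise (not SINET3 data)."""
    rng = random.Random(seed)
    links = {}
    for name in ("A", "B", "C", "D"):
        a, x = 0.0, []
        for t in range(n):
            a = 0.6 * a + rng.gauss(0, 1)
            x.append(100 + 0.05 * t + a + rng.gauss(0, 0.2))
        links[name] = x
    for name in ("A", "B", "C"):
        links[name][150] += 60      # volume anomaly seen on three links at once
    links["D"][100] += 60           # isolated spike on a single link
    return links

if __name__ == "__main__":
    print(detect(make_links()))
```

The single-link spike at t=100 does not raise an alarm because it fails the quorum. Steps shortly after t=150 can also be reported, since the spike contaminates the trailing-mean trend for `W` samples.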