Evaluation of Anomaly Detection Method Based on Pattern Recognition

Romain FONTUGNE  Yosuke HIMURA  Kensuke FUKUDA  

IEICE TRANSACTIONS on Communications   Vol.E93-B   No.2   pp.328-335
Publication Date: 2010/02/01
Online ISSN: 1745-1345
DOI: 10.1587/transcom.E93.B.328
Print ISSN: 0916-8516
Type of Manuscript: PAPER
Category: Internet
anomaly detection,  pattern recognition,  Internet traffic,  

Full Text: PDF(837.7KB)>>
Buy this Article

The number of threats on the Internet is rapidly increasing, and anomaly detection has become of increasing importance. High-speed backbone traffic is particularly degraded, but their analysis is a complicated task due to the amount of data, the lack of payload data, the asymmetric routing and the use of sampling techniques. Most anomaly detection schemes focus on the statistical properties of network traffic and highlight anomalous traffic through their singularities. In this paper, we concentrate on unusual traffic distributions, which are easily identifiable in temporal-spatial space (e.g., time/address or port). We present an anomaly detection method that uses a pattern recognition technique to identify anomalies in pictures representing traffic. The main advantage of this method is its ability to detect attacks involving mice flows. We evaluate the parameter set and the effectiveness of this approach by analyzing six years of Internet traffic collected from a trans-Pacific link. We show several examples of detected anomalies and compare our results with those of two other methods. The comparison indicates that the only anomalies detected by the pattern-recognition-based method are mainly malicious traffic with a few packets.