Detecting Anomalies in Massive Traffic Streams Based on S-Transform Analysis of Summarized Traffic Entropies


IEICE TRANSACTIONS on Information and Systems   Vol.E98-D   No.3   pp.588-595
Publication Date: 2015/03/01
Publicized: 2014/12/11
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2014NTP0006
Type of Manuscript: Special Section PAPER (Special Section on the Architectures, Protocols, and Applications for the Future Internet)
Category: Internet Operation and Management
anomaly detection,  sketch,  entropy,  time-frequency analysis,  S-transform,  

Full Text: PDF>>
Buy this Article

Detecting traffic anomalies is an indispensable component of overall security architecture. As Internet and traffic data with more sophisticated attacks grow exponentially, preserving security with signature-based traffic analyzers or analyzers that do not support massive traffic are not sufficient. In this paper, we propose a novel method based on combined sketch technique and S-transform analysis for detecting anomalies in massive traffic streams. The method does not require any prior knowledge such as attack patterns and models representing normal traffic behavior. To detect anomalies, we summarize the entropy of traffic data over time and maintain the summarized data in sketches. The entropy fluctuation of the traffic data aggregated to the same bucket is observed by S-transform to detect spectral changes referred to as anomalies in this work. We evaluated the performance of the method with real-world backbone traffic collected at the United States and Japan transit link in terms of both accuracy and false positive rates. We also explored the method parameters' influence on detection performance. Furthermore, we compared the performance of our method to S-transform-based and Wavelet-based methods. The results demonstrated that our method was capable of detecting anomalies and overcame both methods. We also found that our method was not sensitive to its parameter settings.