• DocumentCode
    1662507
  • Title

    Port-based traffic verification as a paradigm for anomaly detection

  • Author

    Panchamukhi, Vadiraj ; Murthy, Hema A.

  • Author_Institution
    Dept. of Comput. Sci. & Eng., Indian Inst. of Technol. Madras, Chennai, India
  • fYear
    2012
  • Firstpage
    1
  • Lastpage
    5
  • Abstract
    An anomaly is an activity that deviates from the well-known behaviour of the system. Anomaly detection in networks is of interest from two perspectives: an organization's perspective and an Internet Service Provider's (ISP) perspective. Protection of its computer network infrastructure is an important task for all organizations. Organizations desire that their networks are robust and resilient to any kind of attack. Anomaly detection forms an important part of this network resiliency. Also the ISPs want to maximize the utilization of their resources. Hence an ISP would be interested to know any resource failure immediately so as to correct the problem. ISPs would also be interested in safeguarding their network from malicious activities. We describe here a Gaussian Mixture Model (GMM)-based traffic verification system as a paradigm for network anomaly detection. The traffic characteristics aggregated over a period of time are given to the model to verify the validity of the traffic. If the traffic does not obey the model then we raise an alarm flagging it as an anomaly. Our results show that the system performs with less than 1% misses and false alarms.
  • Keywords
    Gaussian processes; Internet; computer network security; GMM-based traffic verification system; Gaussian mixture model; ISP perspective; Internet Service Provider; computer network infrastructure protection; network anomaly detection; network resiliency; organization perspective; port-based traffic verification; resource failure; traffic characteristics; Adaptation models; Computational modeling; Data models; Electronic mail; Hidden Markov models; Training; Vectors; Anomaly detection; Gaussian Mixture Model; Intrusion detection; Network Traffic Modeling; Network security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications (NCC), 2012 National Conference on
  • Conference_Location
    Kharagpur
  • Print_ISBN
    978-1-4673-0815-1
  • Type

    conf

  • DOI
    10.1109/NCC.2012.6176909
  • Filename
    6176909