Revisit network anomaly ranking in datacenter network using re-ranking

With the continuous growth of modern datacenter networks in recent years, network intrusions targeting those datacenters have also been growing rapidly. In this situation, system monitoring and intrusion detection become essential to control the risks of such networks. There are many network anomaly detection systems being used to identify significant anomalies in datacenter networks. However, they often focus on detecting significant anomalies, while ignoring insignificant anomalies oftentimes. Existing anomaly ranking models are not accurate in detecting insignificant anomalies. This becomes an issue when attacks are from insignificant anomaly traffic. In this paper, we revisit the network anomaly ranking problem and propose a re-ranking model based on a commonly used unsupervised network anomaly ranking method. We introduce several new features into the re-ranking model to capture extra information about outliers. Our experimental results based on real datacenter network data demonstrate that the proposed re-ranking model improves the ranking quality over the unsupervised method, especially for insignificant outliers.