DocumentCode
627494
Title
Nine years of observing traffic anomalies: Trending analysis in backbone networks
Author
Youngjoon Won ; Fontugne, Romain ; Cho, Kun ; Esaki, Hiroshi ; Fukuda, Kenji
Author_Institution
Hanyang Univ., Seoul, South Korea
fYear
2013
fDate
27-31 May 2013
Firstpage
636
Lastpage
642
Abstract
We present the longitudinal trending analysis of traffic anomalies on a trans-Pacific backbone network over nine years. Throughout our analysis, we try to answer several questions: how frequently do such anomalies appear and how long do they last? Does a set of anomalous hosts occur correspondingly? We answer these by applying the state-of-the-art anomaly detectors to (un)anonymized packet traces and look into interesting insights from the long-term analysis. The key observations are as follows. The sources of anomalies are decreasing over the recent years, but take a significant portion of traffic volume during the measurement period (i.e., 0.03% of all IP addresses take up to 30% of traffic volume). The frequency analysis reveals that there is a clear periodicity of anomalies and anomalous host occurrences in various durations. Finally, we find the influences of anomaly detectors on the overall trending and how they differ from each other.
Keywords
Internet; computer network security; telecommunication traffic; Internet traffic; anomalous host occurrences; anomaly detectors; anomaly periodicity; anonymized packet traces; frequency analysis; long-term analysis; longitudinal trending analysis; time 9 year; traffic anomaly; traffic volume; trans-Pacific backbone network; Correlation; Detectors; Grippers; IP networks; Ports (Computers); Principal component analysis; Servers;
fLanguage
English
Publisher
ieee
Conference_Titel
Integrated Network Management (IM 2013), 2013 IFIP/IEEE International Symposium on
Conference_Location
Ghent
Print_ISBN
978-1-4673-5229-1
Type
conf
Filename
6573044