Detecting Network-Wide Traffic Anomalies Based on Spatial HMM

Author

Li, Min ; Yu, Shunzheng ; He, Li

Author_Institution

Dept. of Electron. & Commun. Eng., Sun Yat-Sen Univ., Guangzhou

fYear

2008

fDate

18-21 Oct. 2008

Firstpage

198

Lastpage

203

Abstract

In contrast to many techniques exploiting temporal patterns of traffic from a single network element, network-wide traffic analysis mainly focuses on the spatial behavior across the whole network. This paper proposes a spatial hidden Markov model (SHMM) to learn the normal patterns of network-wide traffic. Combined with topology information, SHMM models traffic volumes on links as probabilistic outputs of underlying interactions between routers. Based on a trained SHMM, a nonparametric CUSUM algorithm is used to track the change of entropy of observation sequences in different sliding windows for anomaly detection. Background traffic collected from real network and synthetic anomalies are used for validation of the detection method. The results prove our method effective for network-wide traffic anomaly detection.

Keywords

Internet; hidden Markov models; security of data; telecommunication network topology; telecommunication traffic; anomaly detection; network-wide traffic analysis; network-wide traffic anomalies; single network element; spatial hidden Markov model; topology information; traffic temporal patterns; traffic volumes; Change detection algorithms; Communication system traffic control; Helium; Hidden Markov models; Network topology; Parallel processing; Pattern analysis; Sun; Telecommunication traffic; Traffic control; HMM; anomaly detection; network-wide;

fLanguage

English

Publisher

ieee

Conference_Titel

Network and Parallel Computing, 2008. NPC 2008. IFIP International Conference on

Conference_Location

Shanghai

Print_ISBN

978-0-7695-3354-4

Type

conf

DOI

10.1109/NPC.2008.89

Filename

4663324