A framework for detection of traffic anomalies based on IP aggregation

Marat Zhanikeev; Yoshiaki Tanaka

doi:10.1587/transinf.E92.D.16

A framework for detection of traffic anomalies based on IP aggregation

Marat Zhanikeev^*, Yoshiaki Tanaka

^*Corresponding author for this work

School of Fundamental Science and Engineering

Research output: Contribution to journal › Article › peer-review

1 Citation (Scopus)

Abstract

Traditional traffic analysis is can be performed online only when detection targets are well specified and are fairly primitive. Local processing at measurement point is discouraged as it would considerably affect major functionality of a network device. When traffic is analyzed at flow level, the notion of flow timeout generates differences in flow lifespan and impedes unbiased monitoring, where only n-top flows ordered by a certain metric are considered. This paper proposes an alternative manner of traffic analysis based on source IP aggregation. The method uses flows as basic building blocks but ignores timeouts, using short monitoring intervals instead. Multidimensional space of metrics obtained through IP aggregation, however, enhances capabilities of traffic analysis by facilitating detection of various anomalous conditions in traffic simultaneously.

Original language	English
Pages (from-to)	16-23
Number of pages	8
Journal	IEICE Transactions on Information and Systems
Volume	E92-D
Issue number	1
DOIs	https://doi.org/10.1587/transinf.E92.D.16
Publication status	Published - 2009

Keywords

Anomaly detection
IP aggregation
Network management
Performance monitoring
Traffic analysis

ASJC Scopus subject areas

Software
Hardware and Architecture
Computer Vision and Pattern Recognition
Electrical and Electronic Engineering
Artificial Intelligence

Access to Document

10.1587/transinf.E92.D.16

Cite this

@article{5f97602600df411390bb5dce7be11892,

title = "A framework for detection of traffic anomalies based on IP aggregation",

abstract = "Traditional traffic analysis is can be performed online only when detection targets are well specified and are fairly primitive. Local processing at measurement point is discouraged as it would considerably affect major functionality of a network device. When traffic is analyzed at flow level, the notion of flow timeout generates differences in flow lifespan and impedes unbiased monitoring, where only n-top flows ordered by a certain metric are considered. This paper proposes an alternative manner of traffic analysis based on source IP aggregation. The method uses flows as basic building blocks but ignores timeouts, using short monitoring intervals instead. Multidimensional space of metrics obtained through IP aggregation, however, enhances capabilities of traffic analysis by facilitating detection of various anomalous conditions in traffic simultaneously.",

keywords = "Anomaly detection, IP aggregation, Network management, Performance monitoring, Traffic analysis",

author = "Marat Zhanikeev and Yoshiaki Tanaka",

year = "2009",

doi = "10.1587/transinf.E92.D.16",

language = "English",

volume = "E92-D",

pages = "16--23",

journal = "IEICE Transactions on Information and Systems",

issn = "0916-8532",

publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",

number = "1",

}

TY - JOUR

T1 - A framework for detection of traffic anomalies based on IP aggregation

AU - Zhanikeev, Marat

AU - Tanaka, Yoshiaki

PY - 2009

Y1 - 2009

N2 - Traditional traffic analysis is can be performed online only when detection targets are well specified and are fairly primitive. Local processing at measurement point is discouraged as it would considerably affect major functionality of a network device. When traffic is analyzed at flow level, the notion of flow timeout generates differences in flow lifespan and impedes unbiased monitoring, where only n-top flows ordered by a certain metric are considered. This paper proposes an alternative manner of traffic analysis based on source IP aggregation. The method uses flows as basic building blocks but ignores timeouts, using short monitoring intervals instead. Multidimensional space of metrics obtained through IP aggregation, however, enhances capabilities of traffic analysis by facilitating detection of various anomalous conditions in traffic simultaneously.

AB - Traditional traffic analysis is can be performed online only when detection targets are well specified and are fairly primitive. Local processing at measurement point is discouraged as it would considerably affect major functionality of a network device. When traffic is analyzed at flow level, the notion of flow timeout generates differences in flow lifespan and impedes unbiased monitoring, where only n-top flows ordered by a certain metric are considered. This paper proposes an alternative manner of traffic analysis based on source IP aggregation. The method uses flows as basic building blocks but ignores timeouts, using short monitoring intervals instead. Multidimensional space of metrics obtained through IP aggregation, however, enhances capabilities of traffic analysis by facilitating detection of various anomalous conditions in traffic simultaneously.

KW - Anomaly detection

KW - IP aggregation

KW - Network management

KW - Performance monitoring

KW - Traffic analysis

UR - http://www.scopus.com/inward/record.url?scp=77950235590&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77950235590&partnerID=8YFLogxK

U2 - 10.1587/transinf.E92.D.16

DO - 10.1587/transinf.E92.D.16

M3 - Article

AN - SCOPUS:77950235590

SN - 0916-8532

VL - E92-D

SP - 16

EP - 23

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

IS - 1

ER -

A framework for detection of traffic anomalies based on IP aggregation

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this