A framework for detection of traffic anomalies based on IP aggregation

Marat Zhanikeev, Yoshiaki Tanaka

    Research output: Contribution to journal › Article

    1 Citation (Scopus)

    Abstract

    Traditional traffic analysis can be performed online only when the detection targets are well specified and fairly primitive. Local processing at the measurement point is discouraged because it would considerably affect the main functionality of the network device. When traffic is analyzed at the flow level, the notion of a flow timeout produces differences in flow lifespan and impedes unbiased monitoring, in which only the top-n flows ordered by a certain metric are considered. This paper proposes an alternative approach to traffic analysis based on source IP aggregation. The method uses flows as basic building blocks but ignores timeouts, using short monitoring intervals instead. The multidimensional space of metrics obtained through IP aggregation enhances the capabilities of traffic analysis by facilitating the simultaneous detection of various anomalous conditions in traffic.

    Original language: English
    Pages (from-to): 16-23
    Number of pages: 8
    Journal: IEICE Transactions on Information and Systems
    Volume: E92-D
    Issue number: 1
    DOI: 10.1587/transinf.E92.D.16
    Publication status: Published - 2009

    Fingerprint

    Agglomeration
    Monitoring
    Target tracking
    Processing

    Keywords

    • Anomaly detection
    • IP aggregation
    • Network management
    • Performance monitoring
    • Traffic analysis

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering
    • Software
    • Artificial Intelligence
    • Hardware and Architecture
    • Computer Vision and Pattern Recognition

    Cite this

    A framework for detection of traffic anomalies based on IP aggregation. / Zhanikeev, Marat; Tanaka, Yoshiaki.

    In: IEICE Transactions on Information and Systems, Vol. E92-D, No. 1, 2009, p. 16-23.


    @article{5f97602600df411390bb5dce7be11892,
    title = "A framework for detection of traffic anomalies based on IP aggregation",
    abstract = "Traditional traffic analysis can be performed online only when the detection targets are well specified and fairly primitive. Local processing at the measurement point is discouraged because it would considerably affect the main functionality of the network device. When traffic is analyzed at the flow level, the notion of a flow timeout produces differences in flow lifespan and impedes unbiased monitoring, in which only the top-n flows ordered by a certain metric are considered. This paper proposes an alternative approach to traffic analysis based on source IP aggregation. The method uses flows as basic building blocks but ignores timeouts, using short monitoring intervals instead. The multidimensional space of metrics obtained through IP aggregation enhances the capabilities of traffic analysis by facilitating the simultaneous detection of various anomalous conditions in traffic.",
    keywords = "Anomaly detection, IP aggregation, Network management, Performance monitoring, Traffic analysis",
    author = "Marat Zhanikeev and Yoshiaki Tanaka",
    year = "2009",
    doi = "10.1587/transinf.E92.D.16",
    language = "English",
    volume = "E92-D",
    pages = "16--23",
    journal = "IEICE Transactions on Information and Systems",
    issn = "0916-8532",
    publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
    number = "1",
    }

    TY - JOUR

    T1 - A framework for detection of traffic anomalies based on IP aggregation

    AU - Zhanikeev, Marat

    AU - Tanaka, Yoshiaki

    PY - 2009

    Y1 - 2009

    N2 - Traditional traffic analysis can be performed online only when the detection targets are well specified and fairly primitive. Local processing at the measurement point is discouraged because it would considerably affect the main functionality of the network device. When traffic is analyzed at the flow level, the notion of a flow timeout produces differences in flow lifespan and impedes unbiased monitoring, in which only the top-n flows ordered by a certain metric are considered. This paper proposes an alternative approach to traffic analysis based on source IP aggregation. The method uses flows as basic building blocks but ignores timeouts, using short monitoring intervals instead. The multidimensional space of metrics obtained through IP aggregation enhances the capabilities of traffic analysis by facilitating the simultaneous detection of various anomalous conditions in traffic.

    AB - Traditional traffic analysis can be performed online only when the detection targets are well specified and fairly primitive. Local processing at the measurement point is discouraged because it would considerably affect the main functionality of the network device. When traffic is analyzed at the flow level, the notion of a flow timeout produces differences in flow lifespan and impedes unbiased monitoring, in which only the top-n flows ordered by a certain metric are considered. This paper proposes an alternative approach to traffic analysis based on source IP aggregation. The method uses flows as basic building blocks but ignores timeouts, using short monitoring intervals instead. The multidimensional space of metrics obtained through IP aggregation enhances the capabilities of traffic analysis by facilitating the simultaneous detection of various anomalous conditions in traffic.

    KW - Anomaly detection

    KW - IP aggregation

    KW - Network management

    KW - Performance monitoring

    KW - Traffic analysis

    UR - http://www.scopus.com/inward/record.url?scp=77950235590&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=77950235590&partnerID=8YFLogxK

    U2 - 10.1587/transinf.E92.D.16

    DO - 10.1587/transinf.E92.D.16

    M3 - Article

    AN - SCOPUS:77950235590

    VL - E92-D

    SP - 16

    EP - 23

    JO - IEICE Transactions on Information and Systems

    JF - IEICE Transactions on Information and Systems

    SN - 0916-8532

    IS - 1

    ER -