›› 2012, Vol. ›› Issue (2): 313-327.doi: 10.1007/s11390-012-1225-0

• Computer Network • Previous Articles     Next Articles

Diagnosing Traffic Anomalies Using a Two-Phase Model

Bin Zhang (张宾), Jia-Hai Yang (杨家海), Member, CCF, ACM, IEEE Jian-Ping Wu (吴建平), Fellow, IEEE, Member, CCF, ACM, and Ying-Wu Zhu (朱应武)   

  1. Network Research Center, Tsinghua University, Beijing 100084, China Tsinghua National Laboratory for Information Science and Technology (TNList) Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
  • Received:2011-07-11 Revised:2011-12-30 Online:2012-03-05 Published:2012-03-05
  • Supported by:

    This work is supported by the National Basic Research 973 Program of China under Grant No. 2009CB320505, the National Science and Technology Supporting Plan of China under Grant No. 2008BAH37B05, the National Natural Science Foundation of China under Grant No. 61170211, the Ph.D. Programs Foundation of Ministry of Education of China under Grant No. 20110002110056, and the National High Technology Research and Development 863 Program of China under Grant Nos. 2008AA01A303 and 2009AA01Z251.

Network traffic anomalies are unusual changes in a network, so diagnosing anomalies is important for network management. Feature-based anomaly detection models (ab)normal network traffic behavior by analyzing packet header features. PCA-subspace method (Principal Component Analysis) has been verified as an efficient feature-based way in network-wide anomaly detection. Despite the powerful ability of PCA-subspace method for network-wide traffic detection, it cannot be effectively used for detection on a single link. In this paper, different from most works focusing on detection on flow-level traffic, based on observations of six traffic features for packet-level traffic, we propose a new approach B6-SVM to detect anomalies for packet-level traffic on a single link. The basic idea of B6-SVM is to diagnose anomalies in a multi-dimensional view of traffic features using Support Vector Machine (SVM). Through two-phase classification, B6-SVM can detect anomalies with high detection rate and low false alarm rate. The test results demonstrate the effectiveness and potential of our technique in diagnosing anomalies. Further, compared to previous feature-based anomaly detection approaches, B6-SVM provides a framework to automatically identify possible anomalous types. The framework of B6-SVM is generic and therefore, we expect the derived insights will be helpful for similar future research efforts.

[1] http://www.symantec.com/.

[2] Lakhina A, Crovella M, Diot C. Mining anomalies using trafficfeature distributions. In Proc. ACM SIGCOMM, Philadel-phia, USA, Aug. 22-26, 2005, pp.217-228.

[3] Ahmed T, Coates M, Lakhina A. Multivariate online anomalydetection using kernel recursive least squares. In Proc.IEEE INFOCOM, Anchorage, Alaska, USA, May 6-12, 2007,pp.625-633.

[4] Brauckhoff D, Salamatian K, May M. Applying PCA for traf-fic anomaly detection: Problems and solutions. In Proc. IN-FOCOM, Rio de Janeiro, Brazil, Apr. 19-25, 2009, pp.2866-2870.

[5] Li X, Bian F, Crovella M, Diot C, Govindan R, Iannaccone G,Lakhina A. Detection and identification of network anomaliesusing sketch subspaces. In Proc. IMC, Rio de Janeiro, Brazil,Oct. 25-27, 2006, pp.147-152.

[6] Liu Y, Zhang L, Guan Y. Sketch-based streaming PCA al-gorithm for network-wide traffic anomaly detection. In Proc.the 30th International Conference on Distributed ComputingSystems, Genova, Italy, Jun. 21-25, 2010, pp.807-816.

[7] Rubinstein B I P, Nelson B, Huang L et al. Antidote: Un-derstanding and defending against poisoning of anomaly de-tectors. In Proc. the 9th Internet Measurement Conference,Chicago, USA, Nov. 4-6, 2009, pp.1-14.

[8] Feinstein L, Schnackenberg D, Balupari R, Kindred D. Statis-tical approaches to DDos attack detection and response. InProc. DARPA Information Survivability Conference and Ex-position (DISCEX), Washington DC, USA, Apr. 22-24, 2003,pp.303-314.

[9] Nychis G, Sekar V, Andersen D G, Kim H, Zhang H. An em-pirical evaluation of entropy-based traffic anomaly detection.In Proc. the 8th IMC, Vouliagmeni, Greece, Oct. 20-22, 2008,pp.151-156.

[10] Vapnik V. The Nature of Statistical Learning Theory. NewYork: Springer, 1995.

[11] Burges C J C. A tutorial on support vector machines forpattern recognition. Data Mining and Knowledge Discovery,1998, 2(2): 121-167.

[12] Kim H, Claffy K, Fomenkov M et al. Internet traffic classi-fication demystified: Myths, caveats, and the best practices.In Proc. ACM CoNEXT, Madrid, Spain, Dec. 9-12, 2008,Article No.11.

[13] Scholkopf B, Platt J C, Shawe-Taylor J C et al. Estimat-ing the support of a high-dimensional distribution. NeuralComputation, 2001, 13(7): 1443-1471.

[14] Lin C H, Liu J C, Ho C H. Anomaly detection using LibSVMtraining tools. In Proc. International Conference on Infor-mation Security and Assurance, Busan, Korea, Apr. 24-26,2008, pp.166-171.

[15] Keerthi S S, Lin C. Asymptotic behaviors of support vectormachines with Gaussian kernel. Neural Computation, 2003,15(7): 1667-1689.

[16] Chang C C, Lin C J. LIBSVM: A library for support vectormachines, 2010, http://www.csie.ntu.edu.tw/?cjlin/libsvm/.

[17] Jung J, Paxson V, Berger A, Balakrishnan H. Fast portscandetection using sequential hypothesis testing. In Proc. IEEESymposium on Security and Privacy, Berkeley, CA, USA,May 9-12, 2004, pp.211-225.

[18] Li Z, Wang L, Chen Y, Fu Z. Network-based and attack-resilient length signature generation for zero-day polymorphicworms. In Proc. the 15th IEEE International Conference on Network Protocols (ICNP), Beijing, China, Oct. 16-19, 2007,pp.164-173.

[19] Liu Z, Shu G, Li N, Lee D. Defending against instant mes-saging worms. In Proc. GLOBECOM, San Francisco, USA,Nov. 27-Dec. 1, 2006.

[20] Zhong Z, Ramaswamy L, Li K. ALPACAS: A large-scaleprivacy-aware collaborative anti-spam system. In Proc. IEEEINFOCOM, Phoenix, USA, Apr. 13-18, 2008, pp.556-564.

[21] Luo X, Chang R. On a new class of pulsing denial-of-serviceattacks and the defense. In Proc. Network and DistributedSystem Security Symposium, San Diego, California, USA,Feb. 2005.

[22] Ning P, Liu A, Du W. Mitigating DoS attacks against broad-cast authentication in wireless sensor networks. ACM Trans-actions on Sensor Networks, 2008, 4(1): 1-31.

[23] Jung J, Krishnamurthy B, Rabinovich M. Flash crowds anddenial of service attacks: Characterization and implicationsfor CDNs and Web sites. In Proc. the 11th WWW, Hon-olulu, Hawaii, USA, May 7-11, 2002, pp.293-304.

[24] Krishnamurthy B, Sen S, Zhang Y, Chen Y. Sketch-basedchange detection: Methods, evaluation, and applications. InProc. the 3rd ACM IMC, Miami, Florida, USA, Oct. 27-29,2003, pp.234-247.

[25] Won Y J, Choi M J, Hong J W K, Kim M S, Hwang H, Lee JH, Lee S G. Fault detection and diagnosis in IP-base missioncritical industrial process control networks. IEEE Communi-cations Magazine, 2008, 46(5): 172-180.

[26] Barford P, Kline J, Plonka D, Ron A. A signal analysis of net-work traffic anomalies. In Proc. the 2nd ACM SIGCOMMInternet Measurement Workshop, Marseille, France, Nov. 6-8,2002, pp.71-82.

[27] Brutlag J D. Aberrant behavior detection in time series fornetwork monitoring. In Proc. the 14th Systems Administra-tion Conference, New Orleans, Dec. 3-8, 2000, pp.139-146.

[28] Zhang Y, Ge Z, Greenberg A, Roughan M. Network anomog-raphy. In Proc. the 5th ACM SIGCOMM Internet Mea-surement Conference, Berkeley, CA, USA, Oct. 19-21, 2005,pp.317-330.

[29] Gu Y, McCallum A, Towsley D. Detecting anomalies in net-work traffic using maximum entropy estimation. In Proc. In-ternet Measurement Conference, Berkeley, CA, USA, Oct. 19-21, 2005, pp.45-50.

[30] Wagner A, Plattner B. Entropy based worm and anomalydetection in fast IP networks. In Proc. the 14th IEEE In-ternational Workshops Enabling Technologies: InfrastructureCollaborative Enterprise, Washington DC, USA, June 13-15,2005, pp.172-177.

[31] Ringberg H, Soule A, Rexford J. Webclass: Adding rigor tomanual labeling of traffic anomalies. SIGCOMM Comput.Commun. Rev., 2008, 38(1): 35-38.

[32] Soule A, Larsen H, Silveira F, Rexford J, Diot C. Detectabilityof traffic anomalies in two adjacent networks. In Proc. the8th Int. Conf. Passive and Active Network Measurement,Louvain-la-neuve, Belgium, Apr. 5-6, 2007, pp.22-31.

[33] Brauckhoff D, Tellenbach B, Wagner A, May M, Lakhina A.Impact of packet sampling on anomaly detection metrics. InProc. the 6th ACM SIGCOMM Conference on Internet Mea-surement, ACM Press, Oct. 25-27, 2006, pp.159-164.

[34] Scherrer A, Larrieu N, Owezarski P, Borgnat P, Abry P. Non-Gaussian and long memory statistical characterizations forInternet traffic with anomalies. IEEE/ACM Trans. Depend-able and Secure Computing, 2007, 4(1): 56-70.

[35] Kind A, Stoecklin M P, Dimitropoulos X. Histogram-basedtraffic anomaly detection. IEEE Transactions on Networkand Service Management, 2009, 6(2): 110-121.

[36] Silveira F, Diot C, Taft N, Govindan R. Astute: Detectinga different class of traffic anomalies. In Proc. SIGCOMM,New-Delhi, India, Aug. 30-Sept. 3, 2010, pp.267-278.

[37] Lakhina A, Crovella M, Diot C. Diagnosing network-wide traf-fic anomalies. In Proc. SIGCOMM, Portland, OR, USA,Aug. 30-Sept. 3, 2004, pp.219-230.

[38] Ringberg H, Soule A, Rexford J, Diot C. Sensitivity of PCAfor traffic anomaly detection. In Proc. ACM SIGMETRICSInternational Conf. Measurement and Modeling of ComputerSystems, San Diego, CA, Jun. 12-16, 2007, pp.109-120.

[39] Ma J, Perkins S. Online novelty detection on temporal se-quences. In Proc. the 9th ACM SIGKDD International Con-ference on Knowledge Discovery and Data Mining, Washing-ton DC, USA, Aug. 24-27, 2003, pp.613-618.

[40] Li K, Teng G. Unsupervised SVM based on p-kernels foranomaly detection. In Proc. Innovative Computing, Infor-mation and Control, Beijing, China, Aug. 30-Sept. 1, 2006,pp.59-62.

[41] Brauckhoff D, Dimitropoulos X, Wagner A, Salamatian K.Anomaly extraction in backbone networks using associationrules. In Proc. the 9th IMC, Chicago, Illinois, USA, Nov. 4-6,2009, pp.28-34.

[42] Paredes-Oliva I, Dimitropoulos X, Molina M, Barlet-Ros P,Brauckhoff D. Automating root-cause analysis of networkanomalies using frequent itemset mining. In Proc. SIG-COMM (Poster), New Delhi, India, Aug. 30-Sep. 3, 2010,pp.467-468.

[43] Silveira F, Diot C. URCA: Pulling out anomalies by theirroot causes. In Proc. the 29th INFOCOM, San Diego, USA,Mar. 14-19, 2010, pp.722-730.
No related articles found!
Full text



[1] Liu Mingye; Hong Enyu;. Some Covering Problems and Their Solutions in Automatic Logic Synthesis Systems[J]. , 1986, 1(2): 83 -92 .
[2] Chen Shihua;. On the Structure of (Weak) Inverses of an (Weakly) Invertible Finite Automaton[J]. , 1986, 1(3): 92 -100 .
[3] Gao Qingshi; Zhang Xiang; Yang Shufan; Chen Shuqing;. Vector Computer 757[J]. , 1986, 1(3): 1 -14 .
[4] Chen Zhaoxiong; Gao Qingshi;. A Substitution Based Model for the Implementation of PROLOG——The Design and Implementation of LPROLOG[J]. , 1986, 1(4): 17 -26 .
[5] Huang Heyan;. A Parallel Implementation Model of HPARLOG[J]. , 1986, 1(4): 27 -38 .
[6] Min Yinghua; Han Zhide;. A Built-in Test Pattern Generator[J]. , 1986, 1(4): 62 -74 .
[7] Tang Tonggao; Zhao Zhaokeng;. Stack Method in Program Semantics[J]. , 1987, 2(1): 51 -63 .
[8] Min Yinghua;. Easy Test Generation PLAs[J]. , 1987, 2(1): 72 -80 .
[9] Zhu Hong;. Some Mathematical Properties of the Functional Programming Language FP[J]. , 1987, 2(3): 202 -216 .
[10] Li Minghui;. CAD System of Microprogrammed Digital Systems[J]. , 1987, 2(3): 226 -235 .

ISSN 1000-9000(Print)

CN 11-2296/TP

Editorial Board
Author Guidelines
Journal of Computer Science and Technology
Institute of Computing Technology, Chinese Academy of Sciences
P.O. Box 2704, Beijing 100190 P.R. China
E-mail: jcst@ict.ac.cn
  Copyright ©2015 JCST, All Rights Reserved