Detecting traffic anomalies is an indispensable component of overall security architecture. As Internet and traffic data with more sophisticated attacks grow exponentially, preserving security with signature-based traffic analyzers or analyzers that do not support massive traffic is not sufficient. In this paper, we propose a novel method based on combined sketch technique and S-transform analysis for detecting anomalies in massive traffic streams. The method does not require any prior knowledge such as attack patterns and models representing normal traffic behavior. To detect anomalies, we summarize the entropy of traffic data over time and maintain the summarized data in sketches. The entropy fluctuation of the traffic data aggregated to the same bucket is observed by S-transform to detect spectral changes referred to as anomalies in this work. We evaluated the performance of the method with real-world backbone traffic collected at the United States and Japan transit link in terms of both accuracy and false positive rates. We also explored the method parameters' influence on detection performance. Furthermore, we compared the performance of our method to S-transform-based and Wavelet-based methods. The results demonstrated that our method was capable of detecting anomalies and overcame both methods. We also found that our method was not sensitive to its parameter settings.
Sirikarn PUKKAWANNA
Nara Institute of Science and Technology
Hiroaki HAZEYAMA
Nara Institute of Science and Technology
Youki KADOBAYASHI
Nara Institute of Science and Technology
Suguru YAMAGUCHI
Nara Institute of Science and Technology
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Sirikarn PUKKAWANNA, Hiroaki HAZEYAMA, Youki KADOBAYASHI, Suguru YAMAGUCHI, "Detecting Anomalies in Massive Traffic Streams Based on S-Transform Analysis of Summarized Traffic Entropies" in IEICE TRANSACTIONS on Information, vol. E98-D, no. 3, pp. 588-595, March 2015, doi: 10.1587/transinf.2014NTP0006.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2014NTP0006/_p
@ARTICLE{e98-d_3_588,
author={Sirikarn PUKKAWANNA and Hiroaki HAZEYAMA and Youki KADOBAYASHI and Suguru YAMAGUCHI},
journal={IEICE TRANSACTIONS on Information},
title={Detecting Anomalies in Massive Traffic Streams Based on S-Transform Analysis of Summarized Traffic Entropies},
year={2015},
volume={E98-D},
number={3},
pages={588-595},
keywords={},
doi={10.1587/transinf.2014NTP0006},
ISSN={1745-1361},
month={March}
}
TY - JOUR
TI - Detecting Anomalies in Massive Traffic Streams Based on S-Transform Analysis of Summarized Traffic Entropies
T2 - IEICE TRANSACTIONS on Information
SP - 588
EP - 595
AU - Sirikarn PUKKAWANNA
AU - Hiroaki HAZEYAMA
AU - Youki KADOBAYASHI
AU - Suguru YAMAGUCHI
PY - 2015
DO - 10.1587/transinf.2014NTP0006
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E98-D
IS - 3
JA - IEICE TRANSACTIONS on Information
Y1 - March 2015
ER -