A flow-based anomaly detection method using sketch and combinations of traffic features

5 Author(s): Shuying Chang (State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, China); Xuesong Qiu; Zhipeng Gao; Ke Liu

With the development of high-speed networks, the challenge of effectively analyzing massive data sources for anomaly detection and diagnosis is yet to be resolved. This paper proposes a new flow-based anomaly detection method based on summary data structures (sketches) and combinations of traffic features. Using IPFIX flow records as input, a parallel sketch is built for each chosen traffic feature. For each sketch, the Holt-Winters forecasting technique is used to obtain a forecast sketch and a deviation matrix. When the deviation exceeds a certain threshold, a sub-alarm is generated. According to the characteristics of various attacks and the combinations of traffic features they affect, sub-alarms are merged into final alarms. While the sketches of flows are being constructed, destination addresses are recorded in linked lists, which are then used to locate victims by a series of set operations. This method can not only detect the existence of anomalies in near real time, but also roughly indicate the anomaly type and locate the abnormal addresses.
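The pipeline the abstract describes, as an added example written for this page (not the authors' implementation): a count sketch per traffic feature, an additive Holt-Winters forecaster with a deviation estimate for every sketch cell, threshold-based sub-alarms, and victim location by intersecting the alarmed cells' destination-address sets across sketch rows. The sketch dimensions, smoothing constants, season length, alarm multiplier and the IPFIX-like records are all constructed assumptions.

```python
import hashlib
D, W, SEASON, K = 2, 16, 4, 3.0       # sketch rows x buckets; assumed season length (bins); alarm if |y - yhat| > K * dev
ALPHA, BETA, GAMMA = 0.5, 0.1, 0.3    # assumed Holt-Winters smoothing constants

def bucket(row, key):                 # row-specific hash of a feature value into [0, W)
    return int.from_bytes(hashlib.sha256(f"{row}:{key}".encode()).digest()[:4], "big") % W

def build_sketch(flows, feature):     # one time bin: flow counts per cell for one traffic feature
    sk = [[0] * W for _ in range(D)]
    for f in flows:
        for r in range(D):
            sk[r][bucket(r, f[feature])] += 1
    return sk

class HoltWinters:                    # additive Holt-Winters on one cell, plus an EWMA of |error| as deviation
    def __init__(self, seed):         # seed: the cell's first SEASON observations
        self.level, self.trend = sum(seed) / SEASON, 0.0
        self.season = [y - self.level for y in seed]
        self.dev = max(1.0, sum(abs(y - self.level) for y in seed) / SEASON)
    def forecast(self):
        return self.level + self.trend + self.season[0]
    def update(self, y):
        prev, s = self.level, self.season.pop(0)
        self.dev = GAMMA * abs(y - (prev + self.trend + s)) + (1 - GAMMA) * self.dev
        self.level = ALPHA * (y - s) + (1 - ALPHA) * (prev + self.trend)
        self.trend = BETA * (self.level - prev) + (1 - BETA) * self.trend
        self.season.append(GAMMA * (y - self.level) + (1 - GAMMA) * s)

def train(bins, feature):             # one forecaster per cell, seeded from the first SEASON bins
    sks = [build_sketch(b, feature) for b in bins[:SEASON]]
    return {(r, c): HoltWinters([s[r][c] for s in sks]) for r in range(D) for c in range(W)}

def detect(models, flows, feature):   # sub-alarms: cells more than K deviations away from their forecast
    sk = build_sketch(flows, feature)
    alarms = {rc for rc, m in models.items() if abs(sk[rc[0]][rc[1]] - m.forecast()) > K * m.dev}
    for (r, c), m in models.items():  # then roll every cell's model forward with the new bin
        m.update(sk[r][c])
    return alarms

def locate(alarms, flows, feature):   # intersect the alarmed cells' address lists across rows
    return set.intersection(*[{f[feature] for f in flows if (r, bucket(r, f[feature])) in alarms} for r in range(D)])

def run_demo():                       # constructed IPFIX-like records: 10 hosts x 2 flows per bin
    hosts = [f"10.0.0.{i}" for i in range(1, 11)]
    normal = [{"dstIP": h} for h in hosts for _ in range(2)]
    models = train([normal] * SEASON, "dstIP")
    flood = normal + [{"dstIP": "10.0.0.99"}] * 40    # constructed flood toward a single victim
    alarms = detect(models, flood, "dstIP")
    return alarms, locate(alarms, flood, "dstIP")
```

Because `detect` rolls the model forward with the anomalous bin, a sustained flood gradually raises the cell's forecast and deviation; a deployment would hold back or down-weight updates from bins that raised an alarm.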

Published in:

2010 International Conference on Network and Service Management

Date of Conference:

25-29 Oct. 2010