Anomaly Detection and Attribution in Networks With Temporally Correlated Traffic

Bibliographic Details
Published in: IEEE/ACM Transactions on Networking, Vol. 26, no. 1, pp. 131-144
Main Authors: Nevat, Ido; Divakaran, Dinil Mon; Nagarajan, Sai Ganesh; Zhang, Pengfei; Su, Le; Ko, Li Ling; Thing, Vrizlynn L. L.
Format: Journal Article
Language: English
Published: New York, IEEE, 01.02.2018 (The Institute of Electrical and Electronics Engineers, Inc. (IEEE))
ISSN: 1063-6692
EISSN: 1558-2566
DOI: 10.1109/TNET.2017.2765719

Abstract: Anomaly detection in communication networks is the first step in the challenging task of securing a network, as anomalies may indicate suspicious behaviors, attacks, network malfunctions, or failures. In this paper, we address the problem of not only detecting the anomalous events but also of attributing the anomaly to the flows causing it. To this end, we develop a new statistical decision theoretic framework for temporally correlated traffic in networks via Markov chain modeling. We first formulate the optimal anomaly detection problem via the generalized likelihood ratio test (GLRT) for our composite model. This results in a combinatorial optimization problem which is prohibitively expensive. We then develop two low-complexity anomaly detection algorithms. The first is based on the cross entropy (CE) method, which detects anomalies as well as attributes anomalies to flows. The second algorithm performs anomaly detection via GLRT on the aggregated flows transformation, a compact low-dimensional representation of the raw traffic flows. The two algorithms complement each other and allow the network operator to first activate the flow aggregation algorithm in order to quickly detect anomalies in the system. Once an anomaly has been detected, the operator can further investigate which specific flows are anomalous by running the CE-based algorithm. We perform extensive performance evaluations and experiment with our algorithms on synthetic and semi-synthetic data, as well as on real Internet traffic data obtained from the MAWI archive, and finally make recommendations regarding their usability.
Authors and affiliations:
1. Ido Nevat, TUM CREATE, Singapore
2. Dinil Mon Divakaran (ORCID 0000-0001-8706-432X, comdmd@nus.edu.sg), Cyber Security and Intelligence Department, A*STAR Institute for Infocomm Research, Singapore
3. Sai Ganesh Nagarajan (ORCID 0000-0001-9821-432X), Cyber Security and Intelligence Department, A*STAR Institute for Infocomm Research, Singapore
4. Pengfei Zhang, Department of Engineering Science, University of Oxford, Oxford, U.K.
5. Le Su, Cyber Security and Intelligence Department, A*STAR Institute for Infocomm Research, Singapore
6. Li Ling Ko, Department of Mathematics, University of Notre Dame, Notre Dame, IN, USA
7. Vrizlynn L. L. Thing, Cyber Security and Intelligence Department, A*STAR Institute for Infocomm Research, Singapore
Copyright: The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2018
Funding: Singapore National Research Foundation, grant NRF2014NCR-NCR001-034 (funder ID 10.13039/501100001381)
License: https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html
Subjects: Algorithms; Anomalies; Anomaly detection; Combinatorial analysis; Communication networks; Communications traffic; cross entropy method; Cybersecurity; Decision theory; Detection algorithms; Entropy; Entropy (Information theory); Feature extraction; Light rail systems; Likelihood ratio; likelihood ratio test; Malfunctions; Markov chain; Markov chains; Markov processes; network traffic; Testing; Traffic information
Online access:
https://ieeexplore.ieee.org/document/8170290
https://www.proquest.com/docview/2174558580