Networking

ASTUTE: Detecting a Different Class of Traffic Anomalies

Free registration required

Executive Summary

When many flows are multiplexed on a non-saturated link, their volume changes over short timescales tend to cancel each other out, making the average change across flows close to zero. This equilibrium property holds if the flows are nearly independent, and it is violated by traffic changes caused by several, potentially small, correlated flows. Many traffic anomalies (both malicious and benign) fit this description. Based on this observation, the authors exploit equilibrium to design a computationally simple detection method for correlated anomalous flows. They compare their new method to two well-known techniques on three network links.

  • Format: PDF
  • Size: 477.7 KB