Detecting Traffic Anomalies Using an Equilibrium Property

Executive Summary

When many flows are multiplexed on a non-saturated link, their volume changes over short timescales tend to cancel each other out, making the average change across flows close to zero. This equilibrium property holds if the flows are nearly independent, and it is violated by traffic changes caused by several correlated flows. The authors exploit this empirical property to design a computationally simple anomaly detection method. A number of techniques have been proposed that detect traffic anomalies by analyzing network traffic. They all seek to expose anomalies by looking for deviations from some underlying model of normal traffic.
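The equilibrium check described above can be sketched as follows. This is an added example, not the authors' code or their exact test: the z-score against zero, the threshold of 3, the flow names and the constructed byte counts are all assumptions made for illustration.

```python
import math

def change_score(prev, curr):
    """Mean per-flow volume change between two bins, and its z-score against zero."""
    deltas = [curr.get(f, 0) - prev.get(f, 0) for f in set(prev) | set(curr)]
    n = len(deltas)
    if n < 2:
        return 0.0, 0.0          # too few flows for the property to mean anything
    mean = sum(deltas) / n
    var = sum((d - mean) ** 2 for d in deltas) / (n - 1)
    if var == 0:                 # every flow moved by the same amount
        return mean, 0.0 if mean == 0 else math.copysign(math.inf, mean)
    return mean, mean / math.sqrt(var / n)

def detect(bins, threshold=3.0):
    """Indices of bins whose mean change is too far from zero (assumed threshold)."""
    return [t for t in range(1, len(bins))
            if abs(change_score(bins[t - 1], bins[t])[1]) > threshold]

def make_bin(t, bumped=()):
    """Constructed sample: 200 flows whose changes cancel, plus 600 bytes on `bumped`."""
    return {f"f{i}": 1000 + 50 * ((7 * i + 3 * t) % 5) + (600 if i in bumped else 0)
            for i in range(200)}

# Constructed traffic, one dict of per-flow byte counts per time bin.
BINS = [
    make_bin(0), make_bin(1), make_bin(2),
    make_bin(3, {199}),            # one flow bursts on its own
    make_bin(4, set(range(20))),   # twenty flows rise together (correlated)
    make_bin(5),                   # the twenty flows drop back together
]

if __name__ == "__main__":
    for t in range(1, len(BINS)):
        mean, z = change_score(BINS[t - 1], BINS[t])
        print(f"bin {t}: mean change {mean:+.1f} bytes, z = {z:+.2f}")
    print("anomalous bins:", detect(BINS))
```

The single-flow burst in bin 3 leaves the mean change near zero, while the correlated rise in bin 4 and the correlated drop in bin 5 both break the equilibrium and are flagged.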

  • Format: PDF
  • Size: 128.8 KB