Spatio-Temporal Network Anomaly Detection by Assessing Deviations of Empirical Measures
The authors introduce an Internet traffic anomaly detection mechanism based on large deviations results for empirical measures. Using past traffic traces, they characterize network traffic during various time-of-day intervals, assuming that those traces are anomaly-free. They present two different approaches to characterizing traffic: a model-free approach based on the method of types and Sanov's theorem, and a model-based approach that models traffic as a Markov modulated process. Using these characterizations as a reference, they continuously monitor traffic and employ large deviations and decision theory results to "compare" the empirical measure of the monitored traffic with the corresponding reference characterization, thereby identifying traffic anomalies in real time.
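The following is an added worked example of the model-free approach described above; it is not code from the paper or its authors. A per-second packet count is quantized into a small alphabet (the bin edges are an assumption), the reference characterization is the empirical measure (type) of an anomaly-free trace, and the monitoring statistic for each sliding window is the Kullback-Leibler divergence D(Q||P) between the window's type Q and the reference P, which is the rate function in Sanov's theorem. The threshold calibration from a target false-alarm rate (tau = -ln(alpha)/n, from the exponent exp(-n D) alone) and all traffic traces are constructed for illustration.

```python
import math
from collections import Counter
from typing import List, Sequence, Tuple

# Assumed bin edges (not from the paper): a per-second packet count is mapped
# to one of 6 symbols so the traffic becomes a finite-alphabet sequence whose
# type (empirical distribution) can be computed.
BIN_EDGES = [50, 100, 150, 200, 300]
ALPHABET = len(BIN_EDGES) + 1


def quantize(rate: float) -> int:
    """Map a packet rate to its bin index (0 .. ALPHABET-1)."""
    for i, edge in enumerate(BIN_EDGES):
        if rate < edge:
            return i
    return ALPHABET - 1


def empirical_measure(symbols: Sequence[int], pseudocount: float = 0.0) -> List[float]:
    """Type (empirical PMF) of a symbol sequence. A pseudocount > 0 keeps every
    reference probability positive, so the KL divergence stays finite."""
    counts = Counter(symbols)
    total = len(symbols) + pseudocount * ALPHABET
    return [(counts.get(a, 0) + pseudocount) / total for a in range(ALPHABET)]


def kl_divergence(q: Sequence[float], p: Sequence[float]) -> float:
    """D(Q || P) = sum_i q_i ln(q_i / p_i), the Sanov rate function (nats)."""
    d = 0.0
    for qi, pi in zip(q, p):
        if qi > 0.0:
            if pi <= 0.0:
                return math.inf
            d += qi * math.log(qi / pi)
    return max(d, 0.0)  # guard against tiny negative rounding error


class SanovDetector:
    """Model-free detector: flags a window whose type deviates from the
    anomaly-free reference PMF by more than a large-deviations threshold."""

    def __init__(self, reference_rates: Sequence[float], window: int, false_alarm: float = 1e-3):
        self.p = empirical_measure([quantize(r) for r in reference_rates], pseudocount=1.0)
        self.window = window
        # Sanov: P(type of n samples is "far" from P) ~ exp(-n * D(Q||P)).
        # Solving exp(-n * tau) = alpha gives tau = -ln(alpha) / n. This uses
        # the exponent only and ignores the polynomial prefactor (heuristic).
        self.threshold = -math.log(false_alarm) / window

    def score(self, rates: Sequence[float]) -> float:
        q = empirical_measure([quantize(r) for r in rates])
        return kl_divergence(q, self.p)

    def is_anomalous(self, rates: Sequence[float]) -> bool:
        return self.score(rates) > self.threshold

    def scan(self, stream: Sequence[float]) -> List[Tuple[int, float, bool]]:
        """Slide the window over a rate stream; yields (end_index, score, flag)."""
        out = []
        for end in range(self.window - 1, len(stream)):
            w = stream[end - self.window + 1: end + 1]
            s = self.score(w)
            out.append((end, s, s > self.threshold))
        return out


# Constructed anomaly-free reference trace: 600 one-second packet counts.
REFERENCE = [30] * 30 + [75] * 150 + [125] * 240 + [175] * 120 + [250] * 50 + [350] * 10
# Constructed test traffic: one minute with the reference mix, and a one-minute flood.
NORMAL_MINUTE = [30] * 3 + [75] * 15 + [125] * 24 + [175] * 12 + [250] * 5 + [350] * 1
FLOOD_MINUTE = [350] * 60


def build_detector() -> SanovDetector:
    return SanovDetector(REFERENCE, window=60, false_alarm=1e-3)


def demo_scan() -> List[int]:
    """End indices of flagged windows in a stream: 5 normal minutes, a flood, 5 normal minutes."""
    det = build_detector()
    stream = NORMAL_MINUTE * 5 + FLOOD_MINUTE + NORMAL_MINUTE * 5
    return [end for end, _, flag in det.scan(stream) if flag]


if __name__ == "__main__":
    det = build_detector()
    print("threshold tau =", round(det.threshold, 4))
    print("normal minute D(Q||P) =", round(det.score(NORMAL_MINUTE), 6), det.is_anomalous(NORMAL_MINUTE))
    print("flood minute  D(Q||P) =", round(det.score(FLOOD_MINUTE), 4), det.is_anomalous(FLOOD_MINUTE))
    print("flagged window ends:", demo_scan())
```

The window length n and the false-alarm target alpha are the operator's knobs: a longer window lowers the threshold tau = -ln(alpha)/n and so detects subtler shifts in the traffic mix, at the cost of a longer delay before a burst fills the window. The model-based (Markov modulated) variant is not shown; it would replace the i.i.d. type with a pairwise empirical measure over consecutive symbols, with the same comparison structure.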