URCA: Pulling Out Anomalies by Their Root Causes

Executive Summary

Traffic anomaly detection has received a lot of attention in recent years, but understanding the nature of these anomalies and identifying the flows involved is still, in most cases, a manual task. The authors introduce Unsupervised Root Cause Analysis (URCA), which isolates anomalous traffic and classifies alarms with minimal manual assistance and high accuracy. URCA proceeds by successive reduction of the anomalous space, eliminating normal traffic based on feedback from the anomaly detection method. Classification is done by clustering a new anomaly with previously labeled events. The authors validate URCA using manually analyzed real anomalies as well as synthetic anomaly injection.