Traffic Anomaly Detection at Fine Time Scales With Bayes Nets
Source: University of Wisconsin
Traffic anomaly detection using high-performance measurement systems offers the possibility of improving the speed of detection and enabling detection of important, short-lived anomalies. In this paper, the authors investigate the problem of detecting anomalies using traffic measurements with fine-grained timestamps. They develop a new detection algorithm (called S3) that utilizes a Bayes Net to efficiently consider multiple input signals and to explicitly define what is considered "anomalous". The input signals considered by S3 are traffic volumes and correlations between ingress/egress packet and bit rates. These complementary signals enable identification of an expanded range of anomalies.