Computing Reviews
Parametric methods for anomaly detection in aggregate traffic
Thatte G., Mitra U., Heidemann J. IEEE/ACM Transactions on Networking 19(2): 512-525, 2011. Type: Article
Date Reviewed: Feb 10 2012

The effective and efficient detection of network anomalies is still a challenging task. The authors propose a “bivariate parametric detection mechanism (bPDM) [that] uses a sequential probability ratio test [SPRT], allowing for control over the false positive rate.”

The introductory section presents three key features of the approach. First, “detection operates on aggregate traffic, without flow separation or deep-packet inspection”; that is, the method considers only packet headers and timing information. Second, training is automated; that is, the key algorithmic parameters are calculated from the traffic rather than hand-tuned. Finally, “both the packet rate and the sample entropy of the packet-size distribution statistics [are used] to ensure robustness against false positives.”

Section 2 provides a systematic overview of the related work, covering methods requiring flow separation as well as nonparametric and spectral methods. The authors outline how each group of methods differs from their approach. The following section gives background on sequential detection methods, posing the anomaly detection problem as a statistical hypothesis test and using the likelihood ratio to implement the SPRT.

Section 4 “derive[s] the SPRTs for the packet-rate and packet-size features”; proposes a generalized likelihood ratio test; and highlights the central features of the bPDM algorithm, which combines the two SPRTs. This theoretical section is very well and very carefully done. Unfortunately, though, there are many references to the appendices in a technical report by the authors, which makes this paper not fully self-contained.
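To make the sequential-test framing of sections 3 and 4 concrete, the following is an added illustration written for this review; it is not the authors' bPDM code and does not reproduce the paper's generalized likelihood ratio test or its automated training. It runs Wald's SPRT on two aggregate features of fixed-length traffic windows, packet count and sample entropy of the packet-size distribution, and raises an alarm only when both tests have accepted the anomaly hypothesis. The models are assumptions made for the example: a Poisson model for the packet count, a Gaussian model with a fixed standard deviation for the entropy, the alternative hypotheses set to a 20 percent rate increase and a 0.08-bit entropy drop, alpha = beta = 0.01, the latch-and-AND combination rule, and the hand-constructed traffic windows (eight baseline windows followed by six windows in which extra 64-byte packets are added, as a small-packet flood would).

```python
"""Simplified bivariate SPRT anomaly detector over aggregate traffic windows.

Added illustration of the SPRT idea described in the review. It is NOT the
authors' bPDM code; the Poisson/Gaussian models, the alternative-hypothesis
settings, the combination rule and the sample traffic are all assumptions.
"""
import math
from collections import Counter
from dataclasses import dataclass

# A window of aggregate traffic is just the list of packet sizes seen in one
# fixed interval: header information only, no flow separation, no payload.


def sample_entropy_bits(sizes):
    """Shannon entropy (bits) of the empirical packet-size distribution."""
    n = len(sizes)
    return -sum((c / n) * math.log2(c / n) for c in Counter(sizes).values())


def rate_llr(k, lam0, lam1):
    """Log-likelihood ratio of count k under Poisson(lam1) vs Poisson(lam0)."""
    return k * math.log(lam1 / lam0) - (lam1 - lam0)


def entropy_llr(h, mu0, mu1, sigma):
    """Log-likelihood ratio of entropy h under N(mu1, s^2) vs N(mu0, s^2)."""
    return ((h - mu0) ** 2 - (h - mu1) ** 2) / (2 * sigma ** 2)


@dataclass
class SPRT:
    """Wald's SPRT: alpha bounds the false-positive rate, beta the miss rate."""
    alpha: float
    beta: float
    s: float = 0.0            # running sum of log-likelihood ratios
    anomalous: bool = False   # latched H1 decision, cleared when H0 is accepted

    def __post_init__(self):
        self.upper = math.log((1 - self.beta) / self.alpha)  # accept H1 at/above
        self.lower = math.log(self.beta / (1 - self.alpha))  # accept H0 at/below

    def update(self, llr):
        """Add one LLR; return 'H1', 'H0' or None and restart after a decision."""
        self.s += llr
        if self.s >= self.upper:
            self.s, self.anomalous = 0.0, True
            return "H1"
        if self.s <= self.lower:
            self.s, self.anomalous = 0.0, False
            return "H0"
        return None


class BivariateDetector:
    def __init__(self, baseline_windows, rate_factor=1.2, entropy_drop=0.08,
                 sigma=0.03, alpha=0.01, beta=0.01):
        # "Training" (assumption): H0 parameters estimated from clean windows.
        counts = [len(w) for w in baseline_windows]
        ents = [sample_entropy_bits(w) for w in baseline_windows]
        self.lam0 = sum(counts) / len(counts)
        self.mu0 = sum(ents) / len(ents)
        # H1 (assumption): the smallest anomaly worth detecting.
        self.lam1 = rate_factor * self.lam0
        self.mu1 = self.mu0 - entropy_drop
        self.sigma = sigma
        self.rate = SPRT(alpha, beta)
        self.entropy = SPRT(alpha, beta)

    def observe(self, window):
        """Feed one window to both SPRTs; alarm only when both are latched on H1."""
        self.rate.update(rate_llr(len(window), self.lam0, self.lam1))
        self.entropy.update(entropy_llr(sample_entropy_bits(window),
                                        self.mu0, self.mu1, self.sigma))
        # A rate rise alone (e.g. a flash crowd of normal-looking packets) does
        # not fire; the entropy drop of a same-size flood must agree with it.
        return self.rate.anomalous and self.entropy.anomalous


def run(detector, windows):
    """Return the indices of windows at which the detector raises an alarm."""
    return [i for i, w in enumerate(windows) if detector.observe(w)]


def make_window(n64, n576, n1200, n1500):
    """Constructed window: packet sizes built from a per-size histogram."""
    return [64] * n64 + [576] * n576 + [1200] * n1200 + [1500] * n1500


# Constructed traffic (not measured data): ~100 packets per baseline window,
# then windows with 25-32 extra 64-byte packets on top of the same mix.
BASELINE = [make_window(*t) for t in [
    (30, 20, 40, 10), (31, 20, 41, 10), (30, 21, 40, 10), (29, 20, 41, 10),
    (30, 20, 41, 10), (31, 19, 40, 10), (30, 21, 41, 11), (30, 20, 40, 11)]]
ATTACK = [make_window(*t) for t in [
    (55, 20, 40, 10), (58, 20, 40, 10), (62, 20, 40, 10),
    (60, 21, 41, 11), (57, 20, 40, 11), (61, 19, 40, 10)]]
TRAFFIC = BASELINE + ATTACK
ATTACK_START = len(BASELINE)


def detect_example():
    """Train on the baseline windows, then monitor the whole constructed stream."""
    return run(BivariateDetector(BASELINE), TRAFFIC)


if __name__ == "__main__":
    print("alarms at windows:", detect_example(), "attack starts at", ATTACK_START)
```

With these settings each baseline window pushes both running sums toward the lower threshold, so the tests keep restarting on H0, while the flood windows need two or three observations before the count sum crosses log((1 - beta)/alpha); the alarm appears a couple of windows into the attack, which is the sequential behaviour the paper trades against the per-decision error bounds alpha and beta. Note that Wald's alpha bounds the error of one terminated test; a monitor that restarts after every decision makes many decisions over a long trace, so the expected number of false alarms grows with the number of restarts, which is one reason the authors add the second feature rather than relying on the rate test alone.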

In the last part of the paper, section 5, the authors present a performance evaluation and analysis of the proposed method. For the evaluation, they use controlled synthetic traces, emulated Iperf attacks, and real and proxy-real network attacks, and they characterize attack strength with a bit-rate signal-to-noise ratio (SNR) metric. This extensive evaluation covers more than 50 percent of the paper. What the reader might miss, however, is a thorough interpretation and discussion of the section’s many valuable results. Nevertheless, it is a very useful paper that is well structured and presented.

Reviewer: G. Haring  Review #: CR139846 (1207-0703)
ACM CCS categories:
Network Monitoring (C.2.3 ...)
Data Communications (C.2.0 ...)
General (C.2.0)
Performance of Systems (C.4)
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®