Computing Reviews
Detection accuracy of network anomalies using sampled flow statistics
Kawahara R., Ishibashi K., Mori T., Kamiyama N., Harada S., Hasegawa H., Asano S. International Journal of Network Management 21(6): 513-535, 2011. Type: Article
Date Reviewed: Jul 23 2012

The identification of anomalies in network traffic is still a challenging task. The authors investigate this issue by measuring traffic at the flow level and collecting flow statistics through packet sampling. They use an analytical model they developed for quantitatively evaluating traffic conditions, such as the ratio of anomalous traffic volume to normal traffic volume, to investigate, in detail, “the effect of packet sampling on the detection accuracy of network anomalies.” Furthermore, the authors propose “a method of spatially partitioning monitored traffic into groups to increase the detection accuracy,” even for low sampling rates. For this case, they “further propose a method of determining an appropriate number of partitioned groups.” This paper is an extension of the authors’ previous work, which was presented at the 2007 IEEE Global Communications Conference (GLOBECOM) and at a 2007 IEEE International Symposium on Applications and the Internet (SAINT) workshop. Unfortunately, the authors did not update the references--the most recent one is from 2008.

After an introduction to the problem in the first section, a brief survey of related work is given in section 2. In the next section, the authors use “a link connecting the Science Information Network and one of the large commercial Internet exchanges in Japan” to show that anomaly detection becomes difficult when packet sampling is performed.

Section 4 presents the “analytical model and the effects of packet sampling rate and ... traffic [conditions] on detection accuracy.” First, the model itself is outlined, showing that the false positive rate (FPR)--the rate of misidentifying anomalies--is independent of the sampling rate, but the false negative rate (FNR)--the rate of missing anomalies--is not. The authors use a threshold-based anomaly detection method in their approach. This part of the paper lacks detailed explanations, and the justification for the model assumptions is rather scarce. Experimentally, the approach is supported by data from scientific traffic at the National Laboratory for Applied Network Research. The authors present a method for analyzing FNR as a function of the sampling rate; it is evaluated using data from the scientific traffic. It can be seen that FNR depends not only on the sampling rate, but also on the anomalous traffic volume. Next, the impact of commercial network traffic on the proposed evaluation model is presented (using measurement data from 2009), showing that the proposed approach can also cope with network traffic with different characteristics. Finally, the factors degrading detection accuracy are discussed, showing that detection accuracy can be improved if the ratio of anomalous to normal flows is increased.

In section 5, the authors propose a spatial partitioning method for improving detection accuracy. The approach, as well as a method for determining the number of partitioned groups, is experimentally validated. The paper ends with a concluding section (6).

From both the theoretical and experimental sides, this is a well-done paper; it is well organized and very readable.

Reviewer:  G. Haring Review #: CR140480 (1212-1239)
Network Monitoring (C.2.3 ... )
 
 
Performance of Systems (C.4)
 