Title
Challenging the supremacy of traffic matrices in anomaly detection
Abstract
Multiple network-wide anomaly detection techniques proposed in the literature define an anomaly as a statistical outlier in aggregated network traffic. The most popular way to aggregate the traffic is as a Traffic Matrix, where the traffic is divided according to its ingress and egress points in the network. However, the reasons for choosing traffic matrices instead of any other formalism have not been studied yet. In this paper we compare three network-driven traffic aggregation formalisms: ingress routers, input links and origin-destination (OD) pairs (i.e. traffic matrices). Each formalism is computed on data collected from two research backbones. Then, a network-wide anomaly detection method is applied to each formalism. All anomalies are manually labeled as a true or false positive. Our results show that the traffic aggregation level has a significant impact on the number of anomalies detected and on the false positive rate. We show that aggregating by OD pairs is indeed the most appropriate choice for the data sets and the detection method we consider. We correlate our observations with time series statistics in order to explain how aggregation impacts anomaly detection.
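As an added illustration of the three aggregation formalisms the abstract compares (this is not code from the paper): synthetic flow records are aggregated by ingress router, by input link and by OD pair, and a median/MAD z-score outlier test is run on every resulting time series. That detector is a stand-in chosen for this example, not the detection method used in the paper, which the abstract does not name. The topology (two ingress routers with two input links each, eight egress routers), the 3-period jitter and the injected excess of 80 bytes on one OD pair are all assumptions, chosen so that the scores can be checked by hand.

```python
"""Constructed comparison of three traffic aggregation levels.

Added illustration: the flow records are synthetic and the robust z-score
detector is a stand-in, not the detection method used in the paper.
"""
from collections import defaultdict
from statistics import median

N_BINS = 20
INGRESS = ("r1", "r2")
EGRESS = ("r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10")
ANOMALY_BIN = 15     # assumed time bin of the injected event
ANOMALY_BYTES = 80   # assumed size of the injected excess


def make_flows():
    """Synthetic flow records: (time_bin, ingress_router, input_link, egress_router, bytes).

    Every ingress router has two input links; each link carries one flow per
    egress router per bin. Volume is 100 bytes plus a shared 3-period jitter,
    so every series is deterministic. One extra record adds ANOMALY_BYTES on
    the OD pair r1 -> r4, entering over link r1-l1, at ANOMALY_BIN.
    """
    flows = []
    for t in range(N_BINS):
        for ingress in INGRESS:
            for link in (f"{ingress}-l1", f"{ingress}-l2"):
                for egress in EGRESS:
                    flows.append((t, ingress, link, egress, 100 + t % 3))
    flows.append((ANOMALY_BIN, "r1", "r1-l1", "r4", ANOMALY_BYTES))
    return flows


def aggregate(flows, key):
    """Return {series_id: [bytes per bin]} for a key function over a record."""
    series = defaultdict(lambda: [0] * N_BINS)
    for rec in flows:
        series[key(rec)][rec[0]] += rec[4]
    return dict(series)


# The three formalisms from the abstract, expressed as grouping keys.
FORMALISMS = {
    "ingress_router": lambda r: r[1],
    "input_link": lambda r: r[2],
    "od_pair": lambda r: (r[1], r[3]),
}


def robust_z(values, t):
    """Median/MAD z-score of values[t]; 1.4826 scales MAD to a std estimate for normal data."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return float("inf") if values[t] != med else 0.0
    return (values[t] - med) / (1.4826 * mad)


def detect(series, threshold=3.0):
    """Return {series_id: [flagged bins]} for every series crossing the threshold."""
    alarms = {}
    for sid, values in series.items():
        flagged = [t for t in range(len(values)) if robust_z(values, t) > threshold]
        if flagged:
            alarms[sid] = flagged
    return alarms


def compare(flows=None):
    """Run the same detector on each aggregation level and report series count and alarms."""
    flows = flows if flows is not None else make_flows()
    out = {}
    for name, key in FORMALISMS.items():
        series = aggregate(flows, key)
        out[name] = {"n_series": len(series), "alarms": detect(series)}
    return out


if __name__ == "__main__":
    for name, res in compare().items():
        print(f"{name:15s} series={res['n_series']:2d} alarms={res['alarms']}")
```

With these inputs the same event scores about 26 at the OD-pair level, about 6 at the input-link level and about 2.7 at the ingress-router level, so it is flagged by the first two and missed by the third: the coarser the aggregation, the more background traffic the excess is diluted into. Because the jitter here is identical across flows, the MAD scale grows linearly with the number of flows summed; with independent noise it would grow roughly with the square root of that number, which softens the dilution but does not change its direction.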
Year: 2007
DOI: 10.1145/1298306.1298320
Venue: Internet Measurement Conference
Keywords: anomaly detection, multiple network-wide anomaly detection, detection method, network-driven traffic aggregation formalisms, traffic aggregation level, traffic matrix, aggregation impact, aggregated network traffic, network-wide anomaly detection method
Field: Anomaly detection, Data mining, False positive rate, Data set, Computer science, Computer security, Matrix (mathematics), Outlier, Computer network, Formalism (philosophy), Rotation formalisms in three dimensions
DocType: Conference
Citations: 5
PageRank: 0.60
References: 8
Authors: 4
Name               Order  Citations  PageRank
Augustin Soule     1      584        35.76
Fernando Silveira  2      19         1.43
Haakon Ringberg    3      97         5.69
Christophe Diot    4      7831       590.69