A Hough-transform-based anomaly detector with an adaptive time interval

Fontugne, Romain; Fukuda, Kensuke

doi:10.1145/2034594.2034598

Cited by 19 publications

(13 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Further- Table 1: Heuristics labelling the traffic corresponding to a set of alarms into three categories ("Attack", "Special", and "Unknown"). These are originated from the anomalies previously reported [3,9] more, the majority of points are close to the "normal" reference point, and thus, far from the "abnormal" one. In order to understand where anomalies are located in the space, we then perform a breakdown of MAWILab anomalies regarding a heuristic-based classification.…”

Section: Scann Combination Methods Analysismentioning

confidence: 68%

“…This technique has been applied to several domains including anomaly detection of backbone traffic [9]. The approach proposed in [9] consists of first, monitoring the traffic in a 2-D scatter plot where the anomalous traffic appears as "lines", and second, identifies the anomalies with the Hough transform. The original data is retrieved from the identified plots, and the alarms reported by this method are aggregated sets of flows.…”

Section: Hough Transformmentioning

confidence: 99%

“…Consequently, the evaluation of a detector with simulated anomalies is restricted to certain kinds of anomaly, and thus, is insufficient for measuring the detector performance [20]. With real anomalies, researchers evaluate anomaly detectors by manually checking the reported alarms [4,6,13,14], or by comparing them to those reported by other anomaly detectors [9,[12][13][14]. Sometimes researchers also construct ground truth data by manually inspecting the analysed traffic [1].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Improving an SVD-based combination strategy of anomaly detectors for traffic labelling

Mazel¹,

Esaki

Fontugne

et al. 2012

Proceedings of the Asian Internet Engineeering Conference on - AINTEC '12

Self Cite

View full text Add to dashboard Cite

Network anomaly detection is a crucial task in traffic monitoring. Tools targeting this particular problematic need to be thoroughly evaluated to assess their efficiency. Such evaluation needs reliable ground truth data to be effective. The goal of the present article is to assist researchers in the evaluation of detectors by providing them with labelled anomaly traffic traces. One of the promising strategies to provide reliable ground truth data is to combine the output of the multiple anomaly detectors with different theoretical background. In this paper, we provide an in-depth analysis of the Singular Value Decomposition (SVD) based combination strategy that has been recently applied to anomaly detectors (MAWILab). This analysis highlights the key drawback of the method to efficiently discriminate the anomalous traffic from the harmless one. We then propose several techniques to overcome this drawback and improve the discrimination power of the combination strategy. Our evaluation using four anomaly detectors and four years of real backbone traffic traces (MAWI) emphasizes the accuracy gain of the proposed techniques over the original study.

show abstract

Section: Scann Combination Methods Analysismentioning

confidence: 68%

Section: Hough Transformmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Improving an SVD-based combination strategy of anomaly detectors for traffic labelling

Mazel¹,

Esaki

Fontugne

et al. 2012

Proceedings of the Asian Internet Engineeering Conference on - AINTEC '12

Self Cite

View full text Add to dashboard Cite

show abstract

“…Recently there are a few studies on tuning specific models online [5,8,15]. The work in [15] examined the sensitivity of PCA to parameter settings and found that minor changes to the parameter settings increased the false positive rate by a factor of three or more.…”

Section: Related Workmentioning

confidence: 99%

“…A method for automatically learning optimal parameter setting and dynamically adapting the learning period was proposed. Fontugne et al described a Hugh transform method for anomaly detection that also automatically adjusts a parameter set in regards to the traffic fluctuations [5].…”

Section: Related Workmentioning

confidence: 99%

A self-tuning self-optimizing approach for automated network anomaly detection systems

Ippoliti

Zhou

2012

Proceedings of the 9th International Conference on Autonomic Computing

View full text Add to dashboard Cite

Parameter tuning in network anomaly detection systems is typically accomplished off-line and in an ad-hoc fashion. For operational deployment in a variety of conditions, it is important but challenging for a system to adaptively tune itself meeting performance goals and constraints. We propose and develop a self-tuning self-optimizing approach for automated network anomaly detection systems. Operators set performance expectations and priorities on a collection of metrics. A controller based on reinforcement learning and neural networks automatically performs control actions to meet expectations according to defined priorities. Tuning is accomplished without requiring direct operator access to system parameters. We examine the approach on AGHSOM anomaly detection system. We validate its effectiveness using a dataset consisting of both live trace and simulated network events. Experimental results show that the approach can self-calibrate its control parameters to meet operator performance requirements. It can self-optimize itself by maximizing individual performance metrics subject to the operator defined constraints. This work is a significant step towards building automated anomaly detection systems.

show abstract

Hunting attacks in the dark: clustering and correlation analysis for unsupervised anomaly detection

et al. 2015

Self Cite

View full text Add to dashboard Cite

Summary Network anomalies and attacks represent a serious challenge to ISPs, who need to cope with an increasing number of unknown events that put their networks' integrity at risk. Most of the network anomaly detection systems proposed so far employ a supervised strategy to accomplish their task, using either signature‐based detection methods or supervised‐learning techniques. The former fails to detect unknown anomalies, exposing the network to severe consequences; the latter requires labeled traffic, which is difficult and expensive to produce. In this paper, we introduce a powerful unsupervised approach to detect and characterize network anomalies in the dark, that is, without relying on signatures or labeled traffic. Unsupervised detection is accomplished by means of robust clustering techniques, combining subspace clustering with correlation analysis to blindly identify anomalies. To alleviate network operator's post‐processing tasks and to speed up the deployment of effective countermeasures, anomaly ranking and characterization are automatically performed on the detected events. The system is extensively tested with real traffic from the Widely Integrated Distributed Environment backbone network, spanning 6years of flows captured from a trans‐Pacific link between Japan and the USA, using the MAWILab framework for ground‐truth generation. We additionally evaluate the proposed approach with synthetic data, consisting of traffic from an operational network with synthetic attacks. Finally, we compare the performance of the unsupervised detection against different previously used unsupervised detection techniques, as well as against multiple anomaly detectors used in MAWILab. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

A Hough-transform-based anomaly detector with an adaptive time interval

Cited by 19 publications

References 21 publications

Improving an SVD-based combination strategy of anomaly detectors for traffic labelling

Improving an SVD-based combination strategy of anomaly detectors for traffic labelling

A self-tuning self-optimizing approach for automated network anomaly detection systems

Hunting attacks in the dark: clustering and correlation analysis for unsupervised anomaly detection

Contact Info

Product

Resources

About