Automated Classification of Network Traffic Anomalies [chapter]

Guilherme Fernandes, Philippe Owezarski
2009 Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering  
Detection and characterization of network traffic anomalies have been a hot topic of research for many years. Although the field is very advanced in the detection of network traffic anomalies, accurate automated classification is still a very challenging and unsolved problem. This paper presents a new algorithm for automated classification of network traffic anomalies. The algorithm relies on three steps: (i) after an anomaly has been detected, identify all (or most) related packets or flow records; (ii) use these packets or flow records to derive several distinct metrics directly related to the anomaly; and (iii) classify the anomaly using these metrics in a signature-based approach. We show how this approach can act as a filter to reduce the false positive rate of detection algorithms, while providing network operators with (additional) valuable information about detected anomalies. We validate our algorithm on two different datasets: the METROSEC project database and the MAWI traffic repository.
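The three-step structure in the abstract (select the records related to a detected anomaly, derive metrics from them, match the metrics against signatures) can be illustrated with a small flow-record pipeline. The following is an added example, not code from Fernandes and Owezarski or from the METROSEC/MAWI tooling: the Flow fields, the metric set, the four signatures and their thresholds are all assumptions chosen for demonstration, and the flow records are constructed, not captured traffic. It also shows the filtering effect the abstract mentions: an alert whose related records match no signature is returned as "unclassified" rather than given a label.

```python
# Added example, not code from Fernandes & Owezarski: a minimal instance of the
# three-step structure the abstract describes (select related records, derive
# metrics, match signatures). The Flow fields, metric set and signature
# thresholds are assumptions chosen for illustration, not the paper's own.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str       # "tcp" or "udp" (assumed field)
    pkts: int
    syn_only: bool   # TCP flow that never completed the handshake (assumed field)


# Step (i): the detector reports a time window and the address it flagged
# (assumption: a destination/victim address). Keep every record touching it.
def related_flows(flows: List[Flow], t0: float, t1: float, addr: str) -> List[Flow]:
    return [f for f in flows if t0 <= f.ts < t1 and addr in (f.src, f.dst)]


# Step (ii): metrics computed only over the related records.
def derive_metrics(flows: List[Flow]) -> Dict[str, float]:
    n = len(flows)
    if n == 0:
        return {"flows": 0, "distinct_src": 0, "distinct_dst": 0,
                "distinct_dport": 0, "pkts_per_flow": 0.0, "syn_only_ratio": 0.0}
    return {
        "flows": n,
        "distinct_src": len({f.src for f in flows}),
        "distinct_dst": len({f.dst for f in flows}),
        "distinct_dport": len({f.dport for f in flows}),
        "pkts_per_flow": sum(f.pkts for f in flows) / n,
        "syn_only_ratio": sum(f.syn_only for f in flows) / n,
    }


# Step (iii): ordered signatures over the metrics. Thresholds are illustrative.
SIGNATURES: List[Tuple[str, Callable[[Dict[str, float]], bool]]] = [
    ("DDoS (SYN flood)", lambda m: m["distinct_src"] >= 50 and m["distinct_dst"] == 1
                                   and m["distinct_dport"] <= 2 and m["syn_only_ratio"] > 0.8),
    ("port scan",        lambda m: m["distinct_src"] == 1 and m["distinct_dst"] == 1
                                   and m["distinct_dport"] >= 20 and m["pkts_per_flow"] <= 2),
    ("network scan",     lambda m: m["distinct_src"] == 1 and m["distinct_dst"] >= 20
                                   and m["distinct_dport"] <= 2 and m["pkts_per_flow"] <= 2),
    ("flash crowd",      lambda m: m["distinct_src"] >= 50 and m["distinct_dst"] == 1
                                   and m["distinct_dport"] <= 2 and m["syn_only_ratio"] < 0.2
                                   and m["pkts_per_flow"] > 5),
]


def classify(metrics: Dict[str, float]) -> str:
    for label, rule in SIGNATURES:
        if rule(metrics):
            return label
    # No signature matched: the alert is passed on as "unclassified" instead of
    # being given a label, which is how this step acts as a false-positive filter.
    return "unclassified"


def classify_anomaly(flows: List[Flow], t0: float, t1: float, addr: str) -> Tuple[str, Dict[str, float]]:
    m = derive_metrics(related_flows(flows, t0, t1, addr))
    return classify(m), m


# Constructed sample records (not captured traffic). Each scenario also carries
# background flows outside the window or to another host, which step (i) drops.
VICTIM = "192.0.2.10"
BACKGROUND = [Flow(5.0, "10.0.0.1", "192.0.2.99", 53, "udp", 2, False),
              Flow(120.0, "10.0.0.2", VICTIM, 80, "tcp", 1, True)]
SYN_FLOOD = BACKGROUND + [Flow(1.0 + i * 0.1, f"10.0.0.{i}", VICTIM, 80, "tcp", 1, True)
                          for i in range(1, 101)]
PORT_SCAN = BACKGROUND + [Flow(2.0 + p * 0.05, "198.51.100.7", VICTIM, p, "tcp", 1, True)
                          for p in range(1, 61)]
FLASH_CROWD = BACKGROUND + [Flow(3.0 + i * 0.2, f"203.0.113.{i}", VICTIM, 443, "tcp", 30, False)
                            for i in range(1, 81)]
QUIET = BACKGROUND + [Flow(4.0 + i, f"203.0.113.{i}", VICTIM, 443, "tcp", 40, False)
                      for i in range(1, 6)]

if __name__ == "__main__":
    for name, data in [("syn_flood", SYN_FLOOD), ("port_scan", PORT_SCAN),
                       ("flash_crowd", FLASH_CROWD), ("quiet", QUIET)]:
        label, m = classify_anomaly(data, 0.0, 60.0, VICTIM)
        print(f"{name:12s} -> {label:18s} {m}")
```

The signature order matters: the SYN flood and flash crowd rules share the many-sources, one-destination shape and are separated only by the handshake-completion ratio, so a rule set like this has to be checked for overlaps before a new signature is appended. The `QUIET` scenario stands in for a detector alert on ordinary traffic; it matches nothing and comes back "unclassified", which is the filtering behaviour the abstract claims for the approach.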
doi:10.1007/978-3-642-05284-2_6 fatcat:c5echqmsibasdnh377sfewrshm