Daniela Brauckhoff, Network Traffic Anomaly Detection and Evaluation. ISBN: 978-3-8322-8977-5. Price: 48,80 € / 97,60 SFR

Review
When working with large-scale network data from possibly multiple routers, the curse of dimensionality considerably complicates the problem of anomaly detection. Principal Component Analysis (PCA) has been proposed to deal with it. However, as subsequent work has discovered several deficiencies in the proposed PCA method, there is room for improvement. A second challenge stems from the underlying assumption of anomaly detection mentioned above, which, unfortunately, does not always hold in practice. As a direct consequence, users are often overwhelmed with false alarms. To cope with high false alarm rates, one could either try to reduce the number of false alarms, or one could try to minimize the time required for resolving an alarm. This is where we see the largest discrepancy between research and practice, as the false alarm problem is broadly ignored by the scientific community. Finally, when a research field such as anomaly detection has reached a certain degree of maturity, a sound evaluation of the proposed methods should be done. The major challenge with regard to evaluation is due to the fact that there are practically no labeled real-world datasets available.

Our contributions are the following. In the first part of this thesis, we revisit the PCA method and its underlying assumptions. We find that the assumption of independence between measurement points does not hold, as network traffic statistics typically exhibit strong temporal correlation. Therefore, we extend the PCA method to stochastic processes and include the temporal as well as the spatial correlation in the model. With our extended method we achieve an improvement in accuracy of up to 20 percent. In the second part of this thesis, we address the false alarm problem. We introduce a method that uses histogram-based anomaly detectors and association rules to help administrators with the identification of anomalous flows and event root causes. With our approach we are able to reduce the time for alarm resolution from typically one hour to a few minutes. The third part of this thesis describes several realistic anomaly models for simulation that we have derived directly from flow traces. Moreover, we introduce FLAME, a tool for anomaly injection into real-world traces, which has been used by several researchers for assessing the false negative rates of their algorithms.
Source: Zentralblatt MATH 1190 - 1