Research Article
Automated Classification of Network Traffic Anomalies
@INPROCEEDINGS{10.1007/978-3-642-05284-2_6, author={Guilherme Fernandes and Philippe Owezarski}, title={Automated Classification of Network Traffic Anomalies}, proceedings={Security and Privacy in Communication Networks. 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009, Revised Selected Papers}, proceedings_a={SECURECOMM}, year={2012}, month={5}, keywords={}, doi={10.1007/978-3-642-05284-2_6} }
- Guilherme Fernandes
- Philippe Owezarski
Year: 2012
SECURECOMM
Springer
DOI: 10.1007/978-3-642-05284-2_6
Abstract
Network traffic anomaly detection and characterization have been a hot topic of research for many years. Although the field is very advanced in the detection of network traffic anomalies, accurate automated classification is still a very challenging and unmet problem. This paper presents a new algorithm for automated classification of network traffic anomalies. The algorithm relies on three steps: (i) after an anomaly has been detected, identify all (or most) related packets or flow records; (ii) use these packets or flow records to derive several distinct metrics directly related to the anomaly; and (iii) classify the anomaly using these metrics in a signature-based approach. We show how this approach can act as a filter to reduce the false positive rate of detection algorithms, while providing network operators with (additional) valuable information about detected anomalies. We validate our algorithm on two different datasets: the METROSEC project database and the MAWI traffic repository.