Network anomaly detection based on statistical

1,941 views


Published in: Technology, Economy & Finance

  1. Network Anomaly Detection: Based on Statistical Approach and Time Series Analysis. Huang Kai, Qi Zhengwei, Liu Bo, Shanghai Jiao Tong University.
  2. Outline (5/18/2009, FINA'09)
     - Problem description
     - Data flow statistical characteristic
     - Statistical Analysis
     - Time Series Analysis
     - Conclusion
  3. Problem description
     - Why a statistical approach?
       - Signature-based network anomaly detection (DPI)
         - Privacy problem
       - Machine-learning-based approach
         - Hard to make real-time
  4. Problem description
     - Why our approach?
       - Users' different definitions of network anomaly
       - Adaptability to the developing network
  5. Data flow statistical characteristic
     - Complicated statistical characteristics!
       - Poisson process
         - Telnet connection
         - FTP control connection
       - Exponential process
         - Telnet packet
       - Self-similar process
         - WAN arrival process
       - Heavy-tail process
         - FTP data connection
         - FTP data transfer
  6. Statistical Analysis
     - Gaussian or not?
     - No!!!!!!!!
  7. Statistical Analysis
     - Gaussian mixture model
     - EM algorithm
  8. Statistical Analysis
     - EM algorithm
       - E-step
       - M-step
  9. Statistical Analysis (figure)
  10. Statistical Analysis
     - Number of Gaussians in the model? (figures: 25 Gaussians, 10 Gaussians, 5 Gaussians)
  11. Statistical Analysis
     - Time cost related to the number of Gaussians in the model: not necessarily the more the better
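The slides name the model (Gaussian mixture) and the fitting procedure (EM with an E-step and an M-step) but show only figures. The block below is an added illustration, not code from the authors: it fits a one-dimensional Gaussian mixture to constructed traffic-rate samples by EM, uses the fitted log-density as an anomaly score, and times the fit for several component counts to show the time-cost trade-off of slides 10 and 11. The feature (bytes per second), the sample values, the quantile-based initialisation and the score threshold are all my assumptions; the slides give none of these specifics.

```python
import math
import random
import time


def _log_gauss(x, mu, var):
    """Log of the univariate normal density N(x; mu, var)."""
    return -0.5 * math.log(2.0 * math.pi * var) - 0.5 * (x - mu) ** 2 / var


def _logsumexp(vals):
    """log(sum(exp(v))) computed stably, so densities far in the tail do not underflow to 0."""
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))


def fit_gmm_em(samples, k, iters=200, tol=1e-6, min_var=1e-6):
    """Fit a k-component 1-D Gaussian mixture with the EM algorithm.

    Initialisation (an assumption, not from the slides): component means placed at evenly
    spaced quantiles of the data, all variances equal to the overall variance, equal weights.
    """
    n = len(samples)
    xs = sorted(samples)
    mean = sum(xs) / n
    var = max(sum((x - mean) ** 2 for x in xs) / n, min_var)
    means = [xs[int((j + 0.5) * n / k)] for j in range(k)]
    variances = [var] * k
    weights = [1.0 / k] * k
    prev_ll = -math.inf
    ll = prev_ll
    for _ in range(iters):
        # E-step: responsibility resp[i][j] = P(component j | sample i), computed in log space.
        resp, ll = [], 0.0
        for x in samples:
            logs = [math.log(weights[j]) + _log_gauss(x, means[j], variances[j]) for j in range(k)]
            lt = _logsumexp(logs)
            ll += lt  # log-likelihood of this sample under the current mixture
            resp.append([math.exp(lg - lt) for lg in logs])
        # M-step: re-estimate weight, mean and variance of each component from the responsibilities.
        for j in range(k):
            nj = sum(r[j] for r in resp)
            if nj < 1e-12:
                continue  # component received no mass; keep its previous parameters
            weights[j] = nj / n
            means[j] = sum(r[j] * x for r, x in zip(resp, samples)) / nj
            variances[j] = max(sum(r[j] * (x - means[j]) ** 2 for r, x in zip(resp, samples)) / nj, min_var)
        if ll - prev_ll < tol:  # converged: log-likelihood no longer increases
            break
        prev_ll = ll
    return {"weights": weights, "means": means, "variances": variances, "log_likelihood": ll}


def log_density(x, model):
    """Log of the mixture density at x; low values mean the traffic rate is unusual."""
    return _logsumexp([math.log(w) + _log_gauss(x, m, v)
                       for w, m, v in zip(model["weights"], model["means"], model["variances"])])


def is_anomalous(x, model, threshold):
    """Anomaly rule (assumed): flag a sample whose log-density falls below the threshold."""
    return log_density(x, model) < threshold


def compare_component_counts(samples, ks):
    """Trade-off of slides 10 and 11: log-likelihood and wall-clock fit time for several k."""
    out = {}
    for k in ks:
        t0 = time.perf_counter()
        model = fit_gmm_em(samples, k)
        out[k] = (model["log_likelihood"], time.perf_counter() - t0)
    return out


def make_samples(seed=2009):
    """Constructed bytes-per-second samples: a quiet regime around 50 and a busy regime around 200."""
    rng = random.Random(seed)
    return [rng.gauss(50, 5) for _ in range(300)] + [rng.gauss(200, 20) for _ in range(100)]


SAMPLES = make_samples()

if __name__ == "__main__":
    model = fit_gmm_em(SAMPLES, 2)
    print("means", [round(m, 1) for m in model["means"]], "weights", [round(w, 2) for w in model["weights"]])
    for rate in (50.0, 120.0, 1000.0):
        print(rate, round(log_density(rate, model), 2), "anomalous" if is_anomalous(rate, model, -10.0) else "normal")
    for k, (ll, secs) in compare_component_counts(SAMPLES, [2, 5, 10]).items():
        print(f"k={k:2d} log-likelihood={ll:.1f} fit time={secs:.3f}s")
```

A rate of 120 sits between the two regimes and scores lower than either cluster centre, which is the kind of "in between" traffic a single Gaussian would have called normal; that is the point of slide 6. Raising k keeps increasing the training log-likelihood while the fit time grows with it, which is the trade-off the slides settle at 10 components.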
  12. Time Series Analysis
     - Upper bound / lower bound approach (for comparison)
     - Cross indicator approach with K line and D line
     - Moving Average Convergence and Divergence (MACD)
  13. Time Series Analysis
     - Upper bound / lower bound approach (for comparison) (figure)
  14. Time Series Analysis
     - Cross indicator approach with K line and D line (figure)
  15. Time Series Analysis
     - Moving Average Convergence and Divergence (figure)
  16. Time Series Analysis
     - Experiment result comparison (figure)
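Slides 12 to 16 list three time-series detectors and compare them only in figures. The block below is an added example, not the authors' code: it runs all three over a constructed traffic-rate series with an injected burst and returns the sample indices each detector alerts on. The concrete rules are my assumptions: the bound approach learns mean and standard deviation on a training prefix and flags samples outside mean ± 4σ; the K/D approach is the stochastic-oscillator form (K = position of the current value inside the last 5 samples, D = 3-sample average of K, alert on every K/D cross); the MACD approach uses the usual 12/26/9 EMAs and alerts when the divergence |MACD − signal| first exceeds a fixed level. Window lengths, the series and the burst are constructed.

```python
import random


def ema(series, n):
    """Exponential moving average with alpha = 2/(n+1), seeded with the first value."""
    alpha = 2.0 / (n + 1)
    out = [series[0]]
    for x in series[1:]:
        out.append(alpha * x + (1.0 - alpha) * out[-1])
    return out


def bound_alerts(series, train_len, sigmas=4.0):
    """Upper/lower bound approach (assumed form): fit mean and std on the first train_len
    samples, then flag every later sample outside mean +/- sigmas*std."""
    train = series[:train_len]
    mean = sum(train) / len(train)
    std = (sum((x - mean) ** 2 for x in train) / len(train)) ** 0.5
    lower, upper = mean - sigmas * std, mean + sigmas * std
    return [i for i in range(train_len, len(series)) if not lower <= series[i] <= upper]


def kd_alerts(series, k_window=5, d_window=3):
    """K line / D line cross indicator: K is where the current value sits within the last
    k_window values (0..100), D is the d_window-sample average of K; alert on each cross."""
    k_line = []
    for t in range(len(series)):
        window = series[max(0, t - k_window + 1): t + 1]
        lo, hi = min(window), max(window)
        k_line.append(50.0 if hi == lo else 100.0 * (series[t] - lo) / (hi - lo))
    d_line = [sum(k_line[max(0, t - d_window + 1): t + 1]) / min(t + 1, d_window)
              for t in range(len(series))]
    diff = [k - d for k, d in zip(k_line, d_line)]
    # A sign change of (K - D) between consecutive samples is a cross.
    return [t for t in range(1, len(series)) if diff[t - 1] * diff[t] < 0]


def macd_alerts(series, fast=12, slow=26, signal_n=9, divergence=5.0):
    """MACD: macd = EMA(fast) - EMA(slow), signal = EMA(signal_n) of macd.
    Alert (assumed rule) when |macd - signal| first rises above `divergence`."""
    macd = [f - s for f, s in zip(ema(series, fast), ema(series, slow))]
    signal = ema(macd, signal_n)
    hist = [m - s for m, s in zip(macd, signal)]
    return [t for t in range(1, len(series)) if abs(hist[t]) > divergence >= abs(hist[t - 1])]


def make_series(seed=2009, length=100, burst=(60, 65), base=100.0, burst_level=300.0):
    """Constructed packets-per-second series: quiet baseline with a 5-sample burst at 60..64."""
    rng = random.Random(seed)
    return [(burst_level if burst[0] <= t < burst[1] else base) + rng.gauss(0.0, 1.0)
            for t in range(length)]


def run_all(series, train_len=50):
    """Alert indices of the three detectors on one series."""
    return {"bounds": bound_alerts(series, train_len),
            "kd": kd_alerts(series),
            "macd": macd_alerts(series)}


SERIES = make_series()

if __name__ == "__main__":
    for name, alerts in run_all(SERIES).items():
        print(f"{name:6s} {len(alerts):3d} alerts at {alerts}")
```

On this series the K/D detector fires on most of the baseline noise while MACD fires only around the start and end of the burst, which is the sensitivity-versus-cost contrast the conclusion slide draws; MACD pays for it with three EMAs per sample instead of one window min/max.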
  17. Conclusion
     - The Gaussian mixture model matches the distribution of network traffic
     - A Gaussian mixture model with 10 Gaussians is a good tradeoff between performance and time cost
     - The K line and D line approach has low time cost but is too sensitive to fluctuation
     - The Moving Average Convergence and Divergence approach has the best performance but costs more than the K line and D line approach
  18. Future Work
     - Analyze the relation between the result and different kinds of attack and anomaly
       - Distinguish the anomaly type
     - An auto-adaptable approach with
       - no need to configure the parameters of the model
     - A model applicable to wireless networks
       - To meet the hybrid, unstable wireless network with changing topology
  19. Thanks for Your Attention