Anomaly detection through information sharing under different topologies

Anomaly detection through information sharing under different topologies

Gallos, Lazaros K. (Rutgers University)
Korczynski, M.T. (TU Delft Organisation & Governance)
Fefferman, Nina H. (Rutgers University)

2017

Early detection of traffic anomalies in networks increases the probability of effective intervention/mitigation actions, thereby improving the stability of system function. Centralized methods of anomaly detection are subject to inherent constraints: (1) they create a communication burden on the system, (2) they impose a delay in detection while information is being gathered, and (3) they require some trust and/or sharing of traffic information patterns. On the other hand, truly parallel, distributed methods are fast and private but can observe only local information. These methods can easily fail to see the “big picture” as they focus on only one thread in a tapestry. A recently proposed algorithm, Distributed Intrusion/Anomaly Monitoring for Nonparametric Detection (DIAMoND), addressed these problems by using parallel surveillance that included dynamic detection thresholds. These thresholds were functions of nonparametric information shared among network neighbors. Here, we explore the influence of network topology and patterns in normal traffic flow on the performance of the DIAMoND algorithm. We contrast performance to a truly parallel, independent surveillance system. We show that incorporation of nonparametric data improves anomaly detection capabilities in most cases, without incurring the practical problems of fully parallel network surveillance.

Anomaly detection
DDoS attack
Information sharing
Simulation

http://resolver.tudelft.nl/uuid:1b4b5527-4634-4c25-9eee-fc6874fe7cba

https://doi.org/10.1186/s13635-017-0056-5

1687-4161

Eurasip Journal on Information Security, 2017 (1)

Institutional Repository

journal article

© 2017 Lazaros K. Gallos, M.T. Korczynski, Nina H. Fefferman