Home > Research > Publications & Outputs > Automatic detection of computer network traffic...

Associated organisational unit

Electronic data

  • WCCI_verReview1

    Rights statement: ©2018 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

    Accepted author manuscript, 679 KB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

Links

Text available via DOI:

View graph of relations

Automatic detection of computer network traffic anomalies based on eccentricity analysis

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paperpeer-review

Published
NullPointerException

Abstract

In this paper, we propose an approach to automatic detection of attacks on computer networks using data that combine the traffic generated with'live' intra-cloud virtual-machine (VM) migration. The method used in this work is the recently introduced typicality and eccentricity data analytics (TEDA) framework. We compare the results of applying TEDA with the traditionally used methods such as statistical analysis, such as k-means clustering. One of the biggest challenges in computer network analysis using statistical or numerical methods is the fact that the protocols information is composed of integer/string values and, thus, not easy to handle by traditional pattern recognition methods that deal with real values. In this study we consider as features the tuple {IP source, IP destination, Port source and Port destination} extracted from the network flow data in addition to the traditionally used real values that represent the number of packets per time or quantity of bytes per time. Using entropy of the IP data helps to convert the integer raw data into real valued signatures. The proposed solution permit to build a real-time anomaly detection system and reduce the number of information that is necessary for evaluation. In general, the systems based on traffic are fast and are used in real time but they do not produce good results in attacks that produce a flow hidden within the background traffic or within a high traffic that is produced by other application. We validate our approach an a dataset which includes attacks on the network port scan (NPS) and network scan (NS) that permit hidden flow within the normal traffic and see this attacks together with live migration which produces a higher traffic flow.

Bibliographic note

©2018 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.