Analysis of EWMA and Holt-Winters Estimators for Anomaly Detection in IP Traffic Based on Entropy Measurements

  • Sidney C. de Lucena (UNIRIO)
  • Alex Soares de Moura (RNP)

Abstract


Detecting anomalies in wide-area network traffic is a relatively complex task. The most promising proposals rely on time series of entropy measurements to describe traffic patterns. This work evaluates the use of traditional, simple-to-implement predictors, applied to entropy measurements, to flag events that may compromise the proper behavior of the network and that cannot easily be detected by commonly used network management tools. Experimental results, obtained on traffic samples from Rede Ipê, show how EWMA and Holt-Winters estimators flag anomalies artificially injected into the traffic samples.
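The detection idea described in the abstract, as an added example that is not the paper's own code: Shannon entropy of a per-bin destination-port distribution forms the time series, and an EWMA forecast with a deviation band (the simpler of the two estimators; Holt-Winters adds trend and seasonal terms not shown here) flags bins whose entropy leaves the band. The flow counts, port numbers, and parameter values are constructed for the example, not Rede Ipê data.

```python
import math

def shannon_entropy(counts):
    """Shannon entropy (bits) of a feature distribution given as {value: count}."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c > 0)

def ewma_detect(series, alpha=0.3, beta=0.3, k=3.0, warmup=4, min_dev=0.02):
    """Flag indices whose value falls outside forecast +/- k * deviation.

    The forecast for bin t is the EWMA level built from bins < t; the deviation
    is an EWMA of past absolute residuals. Flagged bins do not update the model,
    so one outlier does not widen the band for the bins that follow it.
    """
    flagged = []
    level, dev = series[0], min_dev
    for t in range(1, len(series)):
        resid = abs(series[t] - level)
        if t >= warmup and resid > k * max(dev, min_dev):
            flagged.append(t)
            continue
        level = alpha * series[t] + (1 - alpha) * level
        dev = beta * resid + (1 - beta) * dev
    return flagged

# Constructed per-bin destination-port flow counts (assumption: not real data).
BASELINE = {80: 50, 443: 40, 53: 30, 22: 10, 25: 10}
BINS = []
for i in range(10):
    b = dict(BASELINE)
    b[80] += (i % 3) - 1           # small routine fluctuation per bin
    b[443] -= (i % 2)
    BINS.append(b)
BINS[7] = {**BINS[7], 8080: 1400}  # injected anomaly: flows pile onto one port

def entropy_series(bins):
    return [shannon_entropy(b) for b in bins]

def detect_port_anomalies(bins):
    return ewma_detect(entropy_series(bins))

if __name__ == "__main__":
    flagged = detect_port_anomalies(BINS)
    for t, h in enumerate(entropy_series(BINS)):
        print(f"bin {t}: H = {h:.3f} bits" + (" <-- anomaly" if t in flagged else ""))
```

Entropy drops from about 2.07 bits to about 0.62 bits in the injected bin, far outside the band the routine fluctuation establishes.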

Published: 2009-07-20

LUCENA, Sidney C. de; MOURA, Alex Soares de. Analysis of EWMA and Holt-Winters Estimators for Anomaly Detection in IP Traffic Based on Entropy Measurements. In: WORKSHOP ON PERFORMANCE OF COMPUTER AND COMMUNICATION SYSTEMS (WPERFORMANCE), 8., 2009, Bento Gonçalves/RS. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2009. p. 2177-2192. ISSN 2595-6167.