Journal of IKEEE (전기전자학회논문지)

Institute of Korean Electrical and Electronics Engineers (한국전기전자학회)
권호 표지

Traffic Anomaly Detection for Campus Networks using Fisher Linear Discriminant

Fisher 선형 분류법을 이용한 비정상 트래픽 탐지

  • 박현희 (고려대학교 전자컴퓨터공학부) ;
  • 김미정 (고려대학교 정보통신기술연구소) ;
  • 강철희 (고려대학교 전자컴퓨터공학부)
  • Published : 2009.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

Traffic anomaly detection is one of important technology that should be considered in network security and administration. In this paper, we propose an abnormal traffic detection mechanism that includes traffic monitoring and traffic analysis. We develop analytical passive monitoring system called WISE-Mon which can inspect traffic behavior. We establish a criterion by analyzing the characteristics of a traffic training set. To detect abnormal traffic, we derive a hyperplane by using Fisher linear discriminant and chi-square distribution as well as the analyzed characteristics of traffic. Our mechanism can support reliable results for traffic anomaly detection and is compatible to real-time detection. In addition, since the trend of traffic can be changed as time passes, the hyperplane has to be updated periodically to reflect the changes. Accordingly, we consider the self-learning algorithm which reflects the trend of the traffic and so enables to increase the pliability of detection probability. Numerical results are presented to validate the accuracy of proposed mechanism. It shows that the proposed mechanism is reliable and relevant for traffic anomaly detection.

최근 인터넷을 통한 각종 침해사고 및 트래픽 폭주와 같은 현상이 급격하게 증가함에 따라 네트워크의 비정상적 상황을 조기에 탐지하기 위한 보다 능동적이고 진보적인 기술이 요구되고 있다. 본 논문에서는 캠퍼스 네트워크와 같이 트래픽이 주기적인 특성을 띠는 환경에서 Fisher 선형 분류법(FLD)을 사용하여 트래픽을 두 개의 그룹으로 분류하고, 네트워크에 유입되는 트래픽이 어떤 그룹에 속하는지를 판별하는 기법을 제안한다. 이를 위해 WISE-Mon이라 불리는 트래픽 분석 시스템을 개발하여 캠퍼스 네트워크의 트래픽을 수집하고 이를 모니터링해서 분석을 수행한다. 생성된 트래픽의 training set을 이용하여 비정상 트래픽의 범위를 판단하기 위한 chi-square distribution을 유도하고, FLD를 적용하여 유입되는 트래픽을 두 그룹으로 분리하기 위한 초평면 (hyperplane)을 만든다. 또한 네트워크 내의 트래픽 패턴이 시간이 지남에 따라 계속적으로 변하는 상황을 반영하기 위하여 self-learning 알고리즘을 적용한다. 캠퍼스 네트워크의 트래픽을 적용한 수학적 결과를 통하여 제안하는 기법의 정확성과 신뢰도를 보여준다.

Keywords

References

  1. M. Thottan and C. Ji, "Anomaly Detection in IP Networks," IEEE Transaction on Signal Processing, vol. 52, no. 8, pp. 2191-2204, August 2003.
  2. S. S. Kim and A. L. N. Reddy, "Statistical Techniques for Detecting Traffic Anomalies Through Packet Header Data," IEEE/ACM Transaction on Networking, vol. 16, no. 3, pp. 562-575, January 2008. https://doi.org/10.1109/TNET.2007.902685
  3. R. Ahmed and R. Boutaba, "Distributed Pattern Matching: A Key to Flexible and Efficient P2P Search," IEEE Journal on Selected Areas in Communications, vol. 25, no. 1, pp. 73-83, January 2007. https://doi.org/10.1109/JSAC.2007.070108
  4. Y. W. Chen, "Traffic behavior analysis and modeling of sub-networks," International Journal of Network Management, vol. 12, pp. 323-330, September 2002. https://doi.org/10.1002/nem.451
  5. H. Hajji, "Statistical analysis of network traffic for adaptive faults detection," IEEE Transactions on Neural Networks, vol. 16, pp. 1053-1063, September 2005. https://doi.org/10.1109/TNN.2005.853414
  6. G. Androulidakis and S. Papavassiliou, "Intelligent Flow-Based Sampling for Effective Network Anomaly Detection," in Proc. IEEE GLOBECOM 2007, pp. 1948-1953, November 2007.
  7. Z. Zhang and H. Shen "Online Training of SVMs for Real-time Intrusion Detection," in Proc. AINA 2004, pp. 568-573, March 2004.
  8. T. Hamada, K. Chujo, T. Chujo, and X. Yang, "Peer-to-peer traffic in metro networks: analysis, modeling, and policies," in Proc. IEEE/IETF NOMS 2004, pp. 425-438, April 2004.
  9. A. Shashua, "On the Relationship Between the Support Vector Machine for Classification and Sparsified Fisher's Linear Discriminant," Neural Processing Letters, vol. 9, pp. 129-139, April 1999. https://doi.org/10.1023/A:1018677409366
  10. R. Johnson, and D.Wichern, Applied Multivariate Statistical Analysis, 6th ed., Prentice-Hall, 2007, pp. 576-593, 623-633.
  11. K. Trivedi, Probability and Statistics with Reliability, Queuing, and Computer Science Applications, 2nd ed., John Wiley and Sons, 2002, pp. 658-664.
  12. P. Barford and D. Plonka, "Characteristics of Network Traffic Flow Anomalies," in Proc. ACM SIGCOMM 2001, pp. 69-73, August 2001.
  13. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer worm," IEEE Security & Privacy Magazine 1(4), pp.33-39, July/Aug. 2003.
  14. K. H. Ramah, H. Ayari, and F. Kamoun, "Traffic Anomaly Detection and Characterization in the Tunisian National University Network," in Proc. NETWORKING 2006, LNCS 3976, pp.136-147, May 2006.