TY - GEN
T1 - SENATUS
T2 - 2nd Cyber Security in Networking Conference, CSNet 2018
AU - Abdelkefi, Atef
AU - Jiang, Yuming
AU - Sharma, Sachin
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2019/1/4
Y1 - 2019/1/4
AB - In this paper, we propose a novel approach, called SENATUS, for joint anomaly detection and root-cause analysis. Inspired by the concept of a senate, the key idea of the proposed approach is divided into three stages: election, voting and decision. At the election stage, a small number of traffic flow sets (termed senator flows) are chosen based on the K-sparse approximation technique, so that they approximately represent the total (usually huge) set of traffic flows. In the voting stage, Principal Component Pursuit (PCP) analysis is used for anomaly detection on the senator flows. In addition, the detected anomalies are correlated across traffic features to identify the most likely anomalous time bins. Finally, in the decision stage, a machine learning (ML) technique is applied to the senator flows of the anomalous time bins to find the root cause of the anomalies. The performance of SENATUS is evaluated using real traffic traces collected from a pan-European network, GEANT, and compared against another approach which detects anomalies using lossless compression of traffic histograms. The evaluation shows that SENATUS has higher effectiveness in diagnosing traffic anomalies.
KW - K-sparse Approximation
KW - Network Traffic Anomaly Detection
KW - Principal Component Pursuit
KW - Random Decision Tree
UR - http://www.scopus.com/inward/record.url?scp=85061775401&partnerID=8YFLogxK
U2 - 10.1109/CSNET.2018.8602689
DO - 10.1109/CSNET.2018.8602689
M3 - Conference contribution
AN - SCOPUS:85061775401
T3 - 2018 2nd Cyber Security in Networking Conference, CSNet 2018
BT - 2018 2nd Cyber Security in Networking Conference, CSNet 2018
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 24 October 2018 through 26 October 2018
ER -