Network Anomaly Detection Through IP Traffic Analysis With Variable Granularity

Authors :
Shohei Kamamura
Yuki Takei
Masato Nishiguchi
Yuhei Hayashi
Takayuki Fujiwara
Source :
IEEE Access, Vol 11, Pp 129818-129828 (2023)
Publication Year :
2023
Publisher :
IEEE, 2023.

Abstract

A network anomaly detection method is proposed for large-scale, wide-range Internet Protocol (IP) networks. Because network behavior is projected onto communication traffic, anomaly detection can be achieved by properly analyzing the communication traffic flows. However, in wide-area IP networks, communication traffic flows are encapsulated by headers assigned by communication carriers and thus are observed as more macroscopic information. Therefore, accurately detecting the occurrence of anomalies in individual communication flows is difficult because the flow observation results obtained by flow measurement protocols such as IP Flow Information Export (IPFIX) are the result of superimposing various communication flows with different characteristics. In this study, we propose an anomaly-detection method based on time-series traffic flows. First, we decompose superimposed traffic flows into individual flows using our implemented system called the Fast xFlow Proxy, which can decompose traffic flows to a fine granularity. Our method detects anomalies in the decomposed flows based on a simple correlation analysis and dynamic threshold configuration. Our extensive simulation shows that, if we observe individual flows using the Fast xFlow Proxy, our method can detect anomalies caused by service failures with almost 100% accuracy. Our method can achieve an accuracy of approximately 80%–90% even in more difficult detection cases, such as small traffic fluctuations or noisy situations.

Details

Language :
English
ISSN :
21693536
Volume :
11
Database :
Directory of Open Access Journals
Journal :
IEEE Access
Publication Type :
Academic Journal
Accession number :
edsdoj.8e43d31452ad457088ecad9faa27b7d1
Document Type :
article
Full Text :
https://doi.org/10.1109/ACCESS.2023.3334212