Anomaly detection through information sharing under different topologies

Lazaros Gallos, Maciej Korczyński, Nina H. Fefferman

Research output: Contribution to journal (Article)

3 Citations (Scopus)

Abstract

Early detection of traffic anomalies in networks increases the probability of effective intervention/mitigation actions, thereby improving the stability of system function. Centralized methods of anomaly detection are subject to inherent constraints: (1) they create a communication burden on the system, (2) they impose a delay in detection while information is being gathered, and (3) they require some trust and/or sharing of traffic information patterns. On the other hand, truly parallel, distributed methods are fast and private but can observe only local information. These methods can easily fail to see the “big picture” as they focus on only one thread in a tapestry. A recently proposed algorithm, Distributed Intrusion/Anomaly Monitoring for Nonparametric Detection (DIAMoND), addressed these problems by using parallel surveillance that included dynamic detection thresholds. These thresholds were functions of nonparametric information shared among network neighbors. Here, we explore the influence of network topology and patterns in normal traffic flow on the performance of the DIAMoND algorithm. We contrast performance to a truly parallel, independent surveillance system. We show that incorporation of nonparametric data improves anomaly detection capabilities in most cases, without incurring the practical problems of fully parallel network surveillance.

Original language: English (US)
Article number: 5
Journal: Eurasip Journal on Information Security
Volume: 2017
Issue number: 1
DOI: https://doi.org/10.1186/s13635-017-0056-5
State: Published - Dec 1 2017

Fingerprint

Topology
Monitoring
Parallel algorithms
Communication

All Science Journal Classification (ASJC) codes

  • Signal Processing
  • Computer Science Applications

Cite this

@article{8a0b6d90ae98494488d8274637570259,
title = "Anomaly detection through information sharing under different topologies",
abstract = "Early detection of traffic anomalies in networks increases the probability of effective intervention/mitigation actions, thereby improving the stability of system function. Centralized methods of anomaly detection are subject to inherent constraints: (1) they create a communication burden on the system, (2) they impose a delay in detection while information is being gathered, and (3) they require some trust and/or sharing of traffic information patterns. On the other hand, truly parallel, distributed methods are fast and private but can observe only local information. These methods can easily fail to see the “big picture” as they focus on only one thread in a tapestry. A recently proposed algorithm, Distributed Intrusion/Anomaly Monitoring for Nonparametric Detection (DIAMoND), addressed these problems by using parallel surveillance that included dynamic detection thresholds. These thresholds were functions of nonparametric information shared among network neighbors. Here, we explore the influence of network topology and patterns in normal traffic flow on the performance of the DIAMoND algorithm. We contrast performance to a truly parallel, independent surveillance system. We show that incorporation of nonparametric data improves anomaly detection capabilities in most cases, without incurring the practical problems of fully parallel network surveillance.",
author = "Lazaros Gallos and Maciej Korczyński and Fefferman, {Nina H.}",
year = "2017",
month = "12",
day = "1",
doi = "https://doi.org/10.1186/s13635-017-0056-5",
language = "English (US)",
volume = "2017",
journal = "Eurasip Journal on Information Security",
issn = "1687-4161",
publisher = "Springer Publishing Company",
number = "1",
}

Anomaly detection through information sharing under different topologies. / Gallos, Lazaros; Korczyński, Maciej; Fefferman, Nina H.

In: Eurasip Journal on Information Security, Vol. 2017, No. 1, 5, 01.12.2017.

TY - JOUR
T1 - Anomaly detection through information sharing under different topologies
AU - Gallos, Lazaros
AU - Korczyński, Maciej
AU - Fefferman, Nina H.
PY - 2017/12/1
Y1 - 2017/12/1

N2 - Early detection of traffic anomalies in networks increases the probability of effective intervention/mitigation actions, thereby improving the stability of system function. Centralized methods of anomaly detection are subject to inherent constraints: (1) they create a communication burden on the system, (2) they impose a delay in detection while information is being gathered, and (3) they require some trust and/or sharing of traffic information patterns. On the other hand, truly parallel, distributed methods are fast and private but can observe only local information. These methods can easily fail to see the “big picture” as they focus on only one thread in a tapestry. A recently proposed algorithm, Distributed Intrusion/Anomaly Monitoring for Nonparametric Detection (DIAMoND), addressed these problems by using parallel surveillance that included dynamic detection thresholds. These thresholds were functions of nonparametric information shared among network neighbors. Here, we explore the influence of network topology and patterns in normal traffic flow on the performance of the DIAMoND algorithm. We contrast performance to a truly parallel, independent surveillance system. We show that incorporation of nonparametric data improves anomaly detection capabilities in most cases, without incurring the practical problems of fully parallel network surveillance.

UR - http://www.scopus.com/inward/record.url?scp=85014725780&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85014725780&partnerID=8YFLogxK
U2 - https://doi.org/10.1186/s13635-017-0056-5
DO - https://doi.org/10.1186/s13635-017-0056-5
M3 - Article
VL - 2017
JO - Eurasip Journal on Information Security
JF - Eurasip Journal on Information Security
SN - 1687-4161
IS - 1
M1 - 5
ER -