BasisDetect: A model-based network event detection framework

Brian Eriksson; Paul Barford; Rhys Bowden; Nick Duffield; Joel Sommers; Matthew Roughan

doi:10.1145/1879141.1879200

BasisDetect: A model-based network event detection framework

Brian Eriksson, Paul Barford, Rhys Bowden, Nick Duffield, Joel Sommers, Matthew Roughan

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

26 Citations (Scopus)

Abstract

The ability to detect unexpected events in large networks can be a significant benefit to daily network operations. A great deal of work has been done over the past decade to develop effective anomaly detection tools, but they remain virtually unused in live network operations due to an unacceptably high false alarm rate. In this paper, we seek to improve the ability to accurately detect unexpected network events through the use of BasisDetect, a flexible but precise modeling framework. Using a small dataset with labeled anomalies, the BasisDetect framework allows us to define large classes of anomalies and detect them in different types of network data, both from single sources and from multiple, potentially diverse sources. Network anomaly signal characteristics are learned via a novel basis pursuit based methodology. We demonstrate the feasibility of our Basis-Detect framework method and compare it to previous detection methods using a combination of synthetic and realworld data. In comparison with previous anomaly detection methods, our BasisDetect methodology results show a 50% reduction in the number of false alarms in a single node dataset, and over 65% reduction in false alarms for synthetic network-wide data.

Original language	English
Title of host publication	IMC'10 - Proceedings of the 2010 ACM Internet Measurement Conference
Place of Publication	United States
Publisher	Association for Computing Machinery (ACM)
Pages	451-464
Number of pages	14
ISBN (Print)	9781450300575
DOIs	https://doi.org/10.1145/1879141.1879200
Publication status	Published - Nov 2010
Externally published	Yes
Event	Internet Measurement Conference, IMC 2010 - Melbourne, Australia Duration: 1 Nov 2010 → 3 Nov 2010 Conference number: 10th https://dl.acm.org/doi/proceedings/10.1145/1879141

Conference

Conference	Internet Measurement Conference, IMC 2010
Abbreviated title	IMC 2010
Country/Territory	Australia
City	Melbourne
Period	1/11/10 → 3/11/10
Internet address	https://dl.acm.org/doi/proceedings/10.1145/1879141

Keywords

Anomaly detection

Access to Document

10.1145/1879141.1879200

Cite this

@inproceedings{ffdc9e82a4454f3b95cbba6079129a31,

title = "BasisDetect: A model-based network event detection framework",

abstract = "The ability to detect unexpected events in large networks can be a significant benefit to daily network operations. A great deal of work has been done over the past decade to develop effective anomaly detection tools, but they remain virtually unused in live network operations due to an unacceptably high false alarm rate. In this paper, we seek to improve the ability to accurately detect unexpected network events through the use of BasisDetect, a flexible but precise modeling framework. Using a small dataset with labeled anomalies, the BasisDetect framework allows us to define large classes of anomalies and detect them in different types of network data, both from single sources and from multiple, potentially diverse sources. Network anomaly signal characteristics are learned via a novel basis pursuit based methodology. We demonstrate the feasibility of our Basis-Detect framework method and compare it to previous detection methods using a combination of synthetic and realworld data. In comparison with previous anomaly detection methods, our BasisDetect methodology results show a 50% reduction in the number of false alarms in a single node dataset, and over 65% reduction in false alarms for synthetic network-wide data.",

keywords = "Anomaly detection",

author = "Brian Eriksson and Paul Barford and Rhys Bowden and Nick Duffield and Joel Sommers and Matthew Roughan",

year = "2010",

month = nov,

doi = "10.1145/1879141.1879200",

language = "English",

isbn = "9781450300575",

pages = "451--464",

booktitle = "IMC'10 - Proceedings of the 2010 ACM Internet Measurement Conference",

publisher = "Association for Computing Machinery (ACM)",

address = "United States of America",

note = "Internet Measurement Conference, IMC 2010, IMC 2010 ; Conference date: 01-11-2010 Through 03-11-2010",

url = "https://dl.acm.org/doi/proceedings/10.1145/1879141",

}

Eriksson, B, Barford, P, Bowden, R, Duffield, N, Sommers, J & Roughan, M 2010, BasisDetect: A model-based network event detection framework. in IMC'10 - Proceedings of the 2010 ACM Internet Measurement Conference. Association for Computing Machinery (ACM), United States, pp. 451-464, Internet Measurement Conference, IMC 2010, Melbourne, Victoria, Australia, 1/11/10. https://doi.org/10.1145/1879141.1879200

BasisDetect: A model-based network event detection framework. / Eriksson, Brian; Barford, Paul; Bowden, Rhys et al.
IMC'10 - Proceedings of the 2010 ACM Internet Measurement Conference. United States: Association for Computing Machinery (ACM), 2010. p. 451-464.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - BasisDetect

T2 - Internet Measurement Conference, IMC 2010

AU - Eriksson, Brian

AU - Barford, Paul

AU - Bowden, Rhys

AU - Duffield, Nick

AU - Sommers, Joel

AU - Roughan, Matthew

N1 - Conference code: 10th

PY - 2010/11

Y1 - 2010/11

N2 - The ability to detect unexpected events in large networks can be a significant benefit to daily network operations. A great deal of work has been done over the past decade to develop effective anomaly detection tools, but they remain virtually unused in live network operations due to an unacceptably high false alarm rate. In this paper, we seek to improve the ability to accurately detect unexpected network events through the use of BasisDetect, a flexible but precise modeling framework. Using a small dataset with labeled anomalies, the BasisDetect framework allows us to define large classes of anomalies and detect them in different types of network data, both from single sources and from multiple, potentially diverse sources. Network anomaly signal characteristics are learned via a novel basis pursuit based methodology. We demonstrate the feasibility of our Basis-Detect framework method and compare it to previous detection methods using a combination of synthetic and realworld data. In comparison with previous anomaly detection methods, our BasisDetect methodology results show a 50% reduction in the number of false alarms in a single node dataset, and over 65% reduction in false alarms for synthetic network-wide data.

AB - The ability to detect unexpected events in large networks can be a significant benefit to daily network operations. A great deal of work has been done over the past decade to develop effective anomaly detection tools, but they remain virtually unused in live network operations due to an unacceptably high false alarm rate. In this paper, we seek to improve the ability to accurately detect unexpected network events through the use of BasisDetect, a flexible but precise modeling framework. Using a small dataset with labeled anomalies, the BasisDetect framework allows us to define large classes of anomalies and detect them in different types of network data, both from single sources and from multiple, potentially diverse sources. Network anomaly signal characteristics are learned via a novel basis pursuit based methodology. We demonstrate the feasibility of our Basis-Detect framework method and compare it to previous detection methods using a combination of synthetic and realworld data. In comparison with previous anomaly detection methods, our BasisDetect methodology results show a 50% reduction in the number of false alarms in a single node dataset, and over 65% reduction in false alarms for synthetic network-wide data.

KW - Anomaly detection

UR - http://www.scopus.com/inward/record.url?scp=78650894357&partnerID=8YFLogxK

U2 - 10.1145/1879141.1879200

DO - 10.1145/1879141.1879200

M3 - Conference Paper

AN - SCOPUS:78650894357

SN - 9781450300575

SP - 451

EP - 464

BT - IMC'10 - Proceedings of the 2010 ACM Internet Measurement Conference

PB - Association for Computing Machinery (ACM)

CY - United States

Y2 - 1 November 2010 through 3 November 2010

ER -

BasisDetect: A model-based network event detection framework

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this