Open Access  Subscription Access

The evolution of network at tacks becomes unpredictable due to the prevalence of the Internet and the increasing of network bandwidth. From our network logs, we can observe that many anomalies do not target at a specific port and new anomalies are arising swiftly without specific signatures. Thus, the approaches of monitoring some specific ports and inspecting packet content for detection of anomaly signatures, adopted in our current campus network anomaly detection systems, is insufficient. This paper proposes a network anomaly diagnosis mechanism that is aimed at detecting suspicious host behaviors before the breakout of the attacks/or anomalies. It employs four levels of attributes to describe the network traffic characteristics of the hosts. This mechanism successfully detects and separates anomaly traffic such as P2P applications, network attacks, and stealthy backdoors, which fail to be detected by current port based traffic monitoring systems commonly deployed in campus network. The proposed mechanism successfully complements the current campus-wide network anomaly detection systems.

Network anomaly detection; Clustering; Anomaly-based detection; P2P pattern detection