Published by Gwen Holmes. Modified over 8 years ago.
Distributed Detection of Network-Wide Traffic Anomalies
Ling Huang*, XuanLong Nguyen*, Minos Garofalakis§, Joe Hellerstein*, Michael Jordan*, Anthony Joseph*, Nina Taft§
*UC Berkeley, §Intel Research

Detection of Network-wide Anomalies
A volume anomaly is a sudden change in an Origin-Destination flow: example
Given link traffic measurements, diagnose the volume anomalies
PCA approach to separate normal from anomalous traffic
Normal traffic is well approximated as occupying a low dimensional subspace

The Subspace Method
Normal Subspace : space spanned by the first k principal components
Anomalous Subspace : space spanned by the remaining principal components
Then, decompose traffic on all links by projecting onto and to obtain:
Equation term labels: Traffic vector of all links at a particular point in time; Normal traffic vector; Residual traffic vector
Where P is the matrix of top K eigenvectors

Detection Illustration
Figure panels: Value of over time (all traffic); over time (SPE)
Values of SPE at anomaly time points clearly stand out

Detection
Capture size of vector using squared prediction error:
Assuming Gaussian data, we can find bounds which SPE should only exceed 1- % of the time
Result due to [Jackson and Mudholkar, 1979]
Figure axes: Traffic on Link 1, Traffic on Link 2

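The subspace method and SPE test from the slides above, worked end to end as an added example (not code from the presentation). The routing matrix, flow shapes, noise level, alpha and all function names are assumptions made for illustration, and the threshold uses the standard Jackson-Mudholkar Q-statistic formula, which the slides cite but do not show.

```python
import math, random
from statistics import NormalDist

def fit_subspace(Y, k, iters=300):
    """Return (mean, P, R): link means, top-k principal axes, residual covariance."""
    n, m = len(Y), len(Y[0])
    mean = [sum(r[j] for r in Y) / n for j in range(m)]
    Z = [[r[j] - mean[j] for j in range(m)] for r in Y]
    R = [[sum(z[i] * z[j] for z in Z) / (n - 1) for j in range(m)] for i in range(m)]
    P = []
    for c in range(k):  # power iteration, then deflate the component just found
        v = [1.0 / (1 + i + c) for i in range(m)]
        for _ in range(iters):
            w = [sum(R[i][j] * v[j] for j in range(m)) for i in range(m)]
            norm = math.sqrt(sum(x * x for x in w))
            v = [x / norm for x in w]
        lam = sum(v[i] * R[i][j] * v[j] for i in range(m) for j in range(m))
        R = [[R[i][j] - lam * v[i] * v[j] for j in range(m)] for i in range(m)]
        P.append(v)
    return mean, P, R

def spe(y, mean, P):
    """Squared prediction error: squared norm of the part of y outside span(P)."""
    z = [a - b for a, b in zip(y, mean)]
    for v in P:
        coef = sum(a * b for a, b in zip(z, v))
        z = [a - coef * b for a, b in zip(z, v)]
    return sum(a * a for a in z)

def q_threshold(R, alpha=0.001):
    """Jackson-Mudholkar limit for SPE, with phi_i = trace(R^i) over residual eigenvalues."""
    m = len(R)
    R2 = [[sum(R[i][l] * R[l][j] for l in range(m)) for j in range(m)] for i in range(m)]
    p1, p2 = sum(R[i][i] for i in range(m)), sum(R2[i][i] for i in range(m))
    p3 = sum(R2[i][j] * R[j][i] for i in range(m) for j in range(m))
    h0 = 1 - 2 * p1 * p3 / (3 * p2 * p2)
    c = NormalDist().inv_cdf(1 - alpha)
    return p1 * (c * math.sqrt(2 * p2 * h0 * h0) / p1 + 1 + p2 * h0 * (h0 - 1) / p1 ** 2) ** (1 / h0)

def demo():
    rng = random.Random(7)                # constructed data: 2 OD flows routed over 4 links
    A = [[1, 0], [1, 1], [0, 1], [1, 0]]  # hypothetical routing matrix (links x flows)
    def links(t):
        f = [100 + 40 * math.sin(2 * math.pi * t / 24), 60 + 15 * math.cos(2 * math.pi * t / 17)]
        return [sum(a * x for a, x in zip(row, f)) + rng.gauss(0, 1) for row in A]
    mean, P, R = fit_subspace([links(t) for t in range(240)], k=2)
    test = [links(t) for t in range(240, 288)]
    test[30][1] += 40                     # injected volume anomaly on link 1
    scores = [spe(y, mean, P) for y in test]
    return q_threshold(R), scores
```

`demo()` returns the SPE limit and the per-timestep SPE scores; a timestep is flagged when its score exceeds the limit. Ordinary diurnal swings stay inside the normal subspace and score low, while the injected spike lands well above the limit.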
Distributed Detection
Maintain
1 accurate PCA decomposition
2 -accurate detection via distributed triggers

The Tracking Framework
Background: Matrix Norm
Background: Matrix Perturbation Theory
Perturbation bound on eigenvalues

Background: Matrix Perturbation Theory II
For orthogonal projection, we have:
The Root Mean Square of Eigen Error
Individual Eigen Errors
Filtering Error and Δ
Recall that monitors have the distributed m x n matrix

Filtering Error and Eigen Error
Recall that

The F-Norm of Perturbation Error I
The assumptions:
Lemma:

The F-Norm of Perturbation Error II
Lemma

The F-Norm of Perturbation Error III
Lemma
How Good is The Model? Slack
Application to Network Anomaly Detection