Multi-dimensional traffic anomaly detection based on ICA

Some network anomalous events caused by same reason (e.g., DDoS, link failure) tend to present similar unusual change on multiple traffic observations, and this part of traffic usually exhibits anomalous features either on time or frequency domain. Motivated by this fact, this paper introduces a multidimensional traffic anomaly detection method based on independent component analysis (ICA). Considering traffic observation as a mixture of normal and anomaly that respectively generated by different reasons, we generalize ICA technology of blind sources separation problem to separate the potentially anomalous part from characteristics of individual traffic signal on time and frequent domain. We show that how principle component analysis is combined with sliding window analysis, to measure the degree of similarity among multiple abnormal parts with fine granularity. The evaluation using Abilene trace shows that our method is useful to detect anomalous traffic with small volume, and performs better than previous method.