Abstract

Unwanted events such as attacks, misconfigurations and failures can cause significant disruptions in day-to-day network operations. Effective management and mitigation of these events is predicated on fast and accurate identification. One way to identify these events is to apply an anomaly detection algorithm to network traffic streams. In this talk, I will describe the basic framework for anomaly detection in network traffic, and provide perspective on standard anomaly detection methods and why they have not been widely deployed. I will then describe a new flexible but precise anomaly detection method that we have recently developed called BasisDetect. Using a small dataset with labeled anomalies, our framework uses a novel basis pursuit algorithm to enable detection of a large class of anomalies in different types of network data, both from single source and a network wide perspective. Using a combination of synthetic and real world data, I will show that BasisDetect significantly reduces false alarms versus other anomaly detection methods.