Article

Network anomaly detection using IP flows with Principal Component Analysis and Ant Colony Optimization

Journal

JOURNAL OF NETWORK AND COMPUTER APPLICATIONS
Volume 64, Pages 1-11

Publisher

ACADEMIC PRESS LTD- ELSEVIER SCIENCE LTD
DOI: 10.1016/j.jnca.2015.11.024

Keywords

Traffic characterization; Anomaly detection; Network management; Principal Component Analysis (PCA); Ant Colony Optimization (ACO); Dynamic Time Warping (DTW)

Funding

  1. CNPq [249794/2013-6]
  2. SETI/Fundacao Araucania [41939.410.32989.30092013]
  3. Instituto de Telecomunicacoes, Next Generation Networks and Applications Group (NetGNA), Portugal
  4. National Funding from the FCT-Fundacao para a Ciencia e a Tecnologia [UID/EEA/500008/2013]


Proactive network management is in high demand: networks keep growing in size and complexity, and Information Technology services cannot be stopped. An approach is therefore needed that proactively identifies traffic behavior patterns that may harm the network's normal operation. Aiming at automated management that detects and prevents potential problems, we present and compare two novel anomaly detection mechanisms, one based on the statistical procedure Principal Component Analysis and one on the Ant Colony Optimization metaheuristic. Both methods generate a traffic profile, called Digital Signature of Network Segment using Flow analysis (DSNSF), which is adopted as the normal network behavior. This signature is then compared with the real network traffic using a modification of the Dynamic Time Warping metric in order to recognize anomalous events. A seven-dimensional analysis of IP flows is performed, characterizing the bits, packets and flows transmitted per second and extracting descriptive flow attributes: source IP address, destination IP address, source TCP/UDP port and destination TCP/UDP port. The systems were evaluated in a real network environment and showed promising results. Moreover, the relationship between the true-positive and false-positive rates shows that the systems improve the detection of anomalous behavior while maintaining a satisfactory false-alarm rate. (C) 2016 Elsevier Ltd. All rights reserved.
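The pipeline the abstract describes (historical flow series -> DSNSF profile -> DTW comparison -> per-slot alarms), as an added example that is not the paper's code and is not taken from the authors' implementation. It covers only one of the seven dimensions (bits per second) and only the PCA variant; the ACO variant is not shown. Everything specific is an assumption made for the example: the traffic series are constructed synthetic data, the PCA step is a simplified rank-1 reconstruction (the paper's exact DSNSF construction is not given on this page), the DTW "modification" used here is a Sakoe-Chiba band, and the alarm threshold is a multiple of the worst cost any historical day incurred against the signature.

```python
"""Added example (not the paper's code): a DSNSF-style traffic profile built
with PCA from historical IP-flow series and compared with a new day's traffic
by band-constrained DTW. All traffic values are constructed synthetic data."""
import math
import random

SLOTS = 24        # one bits/s sample per hour (assumed granularity)
BAND = 2          # Sakoe-Chiba band: a slot may align with +/- 2 signature slots


def baseline(t):
    """Constructed diurnal bits-per-second curve (Mbit/s) for slot t."""
    return 100.0 + 80.0 * math.sin(math.pi * t / SLOTS)


def synthetic_day(seed, noise=0.05, spike=None):
    """Baseline with +/-5 % multiplicative noise; spike=(first, last, factor)
    multiplies a range of slots, e.g. a volumetric flood (constructed)."""
    rng = random.Random(seed)
    day = [baseline(t) * (1 + rng.uniform(-noise, noise)) for t in range(SLOTS)]
    if spike:
        first, last, factor = spike
        for t in range(first, last + 1):
            day[t] *= factor
    return day


def dominant_eigenvector(cov, iters=200):
    """Power iteration: dominant eigenvector and eigenvalue of a symmetric matrix."""
    n = len(cov)
    v = [1.0 / math.sqrt(n)] * n
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    lam = sum(v[i] * cov[i][j] * v[j] for i in range(n) for j in range(n))
    return v, lam


def build_dsnsf(history):
    """Simplified PCA profile (assumption, not the paper's exact construction):
    historical days are the variables, time slots the observations. Each day is
    centred, the first principal component is taken, every day is reconstructed
    from that component alone (dropping day-specific noise) and the
    reconstructions are averaged into the signature. Also returns the fraction
    of variance the component explains."""
    d, n = len(history), len(history[0])
    means = [sum(day) / n for day in history]
    centred = [[x - means[i] for x in history[i]] for i in range(d)]
    cov = [[sum(centred[i][t] * centred[j][t] for t in range(n)) / (n - 1)
            for j in range(d)] for i in range(d)]
    v, lam = dominant_eigenvector(cov)
    if sum(v) < 0:                      # eigenvector sign is arbitrary; make loadings positive
        v = [-x for x in v]
    scores = [sum(v[i] * centred[i][t] for i in range(d)) for t in range(n)]
    dsnsf = [sum(means[i] + v[i] * scores[t] for i in range(d)) / d for t in range(n)]
    return dsnsf, lam / sum(cov[i][i] for i in range(d))


def dtw_slot_costs(signature, observed, band=BAND):
    """DTW with a Sakoe-Chiba band (the paper's DTW modification is not given
    here; the band is this example's choice). Returns the total warping cost
    and the cost charged to each observed slot along the optimal path."""
    n, m = len(observed), len(signature)
    inf = float("inf")
    acc = [[inf] * (m + 1) for _ in range(n + 1)]
    acc[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(max(1, i - band), min(m, i + band) + 1):
            cell = abs(observed[i - 1] - signature[j - 1])
            acc[i][j] = cell + min(acc[i - 1][j - 1], acc[i - 1][j], acc[i][j - 1])
    per_slot = [0.0] * n
    i, j = n, m                         # backtrack the optimal path
    while i > 0 and j > 0:
        per_slot[i - 1] += abs(observed[i - 1] - signature[j - 1])
        _, i, j = min((acc[i - 1][j - 1], i - 1, j - 1),
                      (acc[i - 1][j], i - 1, j),
                      (acc[i][j - 1], i, j - 1))
    return acc[n][m], per_slot


def detect(dsnsf, history, observed, margin=3.0):
    """Flag slots whose warping cost exceeds `margin` times the worst cost any
    historical day incurred against the signature (threshold rule assumed)."""
    worst = max(c for day in history for c in dtw_slot_costs(dsnsf, day)[1])
    threshold = margin * worst
    total, costs = dtw_slot_costs(dsnsf, observed)
    return [t for t, c in enumerate(costs) if c > threshold], total, threshold


HISTORY = [synthetic_day(seed) for seed in range(5)]          # five "normal" days
DSNSF, EXPLAINED = build_dsnsf(HISTORY)
ATTACK = synthetic_day(seed=101, spike=(10, 12, 3.0))       # 3x bits/s in slots 10-12

if __name__ == "__main__":
    flagged, total, threshold = detect(DSNSF, HISTORY, ATTACK)
    print(f"PC1 explains {EXPLAINED:.1%} of day-to-day variance")
    print(f"DTW cost {total:.1f}, threshold {threshold:.1f}, anomalous slots {flagged}")
```

Running the script reports the variance captured by the first component (a sanity check that the historical days share a single dominant pattern), the attack day's total DTW cost against the signature, and the slots flagged by the per-slot rule; the three flooded slots exceed the threshold by a wide margin while a historical day never triggers, because its costs are the ones the threshold was derived from. The same two steps would be repeated per dimension (packets/s, flows/s, and the four address and port attributes) to reproduce the seven-dimensional analysis; the band width and margin are the knobs that trade detection against false alarms.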
