URCA: Pulling out Anomalies by their Root Causes

Traffic anomaly detection has received a lot of attention in recent years, but understanding the nature of the detected anomalies and identifying the flows involved is, in most cases, still a manual task. We introduce Unsupervised Root Cause Analysis (URCA), which isolates anomalous traffic and classifies alarms with minimal manual assistance and high accuracy. URCA proceeds by successive reduction of the anomalous space, eliminating normal traffic based on feedback from the anomaly detection method. Classification is done by clustering a new anomaly with previously labeled events. We validate URCA on manually analyzed real anomalies as well as on synthetic anomaly injection. Our validation shows that URCA accurately diagnoses a large range of anomaly types, including network scans, DDoS attacks, and major routing changes.
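The two steps the abstract describes, successive reduction of the anomalous space using the detector's alarm as feedback, and labeling the residual by its closest previously labeled event, as an added example in Python. This is not the paper's code and does not reproduce its actual reduction procedure or clustering method: the flow records, the stand-in detector (share of flows with at most two packets), the partition dimensions, the labeled prototypes and the nearest-event classifier are all constructed here for illustration.

```python
"""Toy URCA-style diagnosis: isolate the anomalous flows by eliminating groups
the detector does not need to keep alarming, then label the residual by its
nearest previously labeled event. Added illustration, not the paper's code;
flows, detector, dimensions and labeled events are all constructed."""
from collections import defaultdict
from math import log1p, sqrt

# Constructed flow record layout: (src_ip, dst_ip, dst_port, packets)
SRC, DST, DPORT, PKTS = range(4)

# Dimensions along which the anomalous set is partitioned. "pktbucket" is a
# constructed coarse feature separating one-packet probes from real sessions.
DIMENSIONS = {
    "src_ip": lambda f: f[SRC],
    "dst_ip": lambda f: f[DST],
    "dst_port": lambda f: f[DPORT],
    "pktbucket": lambda f: "short" if f[PKTS] <= 2 else "long",
}

def normal_background():
    """Constructed baseline: 12 clients, each with a web, TLS and mail session."""
    servers = (("192.0.2.10", 80), ("192.0.2.20", 443), ("192.0.2.30", 25))
    return [(f"10.0.1.{i}", s, p, 40) for i in range(1, 13) for s, p in servers]

def inject_port_scan(flows):
    """Synthetic anomaly: one host probes 60 ports of one server, 1 packet each."""
    return flows + [("10.0.9.9", "192.0.2.10", port, 1) for port in range(1, 61)]

def inject_syn_flood(flows):
    """Synthetic anomaly: 50 sources each send a single packet to 192.0.2.20:443."""
    return flows + [(f"198.51.100.{i}", "192.0.2.20", 443, 1) for i in range(1, 51)]

def detector(flows, threshold=0.3):
    """Stand-in detector: alarm when the share of flows with at most two packets
    exceeds the threshold (it is zero on the constructed baseline).
    Returns (alarm, score); the reduction only uses the alarm bit as feedback."""
    if not flows:
        return False, 0.0
    score = sum(1 for f in flows if f[PKTS] <= 2) / len(flows)
    return score > threshold, score

def isolate(flows, detect=detector, max_passes=3):
    """Successively shrink the anomalous set. Along each dimension a group is
    normal if the alarm still fires with that group removed. A reduction is kept
    only if the detector still alarms on what remains, which rejects dimensions
    the anomaly is spread across (e.g. dst_port for a port scan)."""
    residual = list(flows)
    for _ in range(max_passes):
        changed = False
        for key in DIMENSIONS.values():
            groups = defaultdict(list)
            for f in residual:
                groups[key(f)].append(f)
            if len(groups) < 2:
                continue
            keep = []
            for value, members in groups.items():
                without = [f for f in residual if key(f) != value]
                if not detect(without)[0]:   # alarm gone: group carries the anomaly
                    keep.extend(members)
            if keep and len(keep) < len(residual) and detect(keep)[0]:
                residual, changed = keep, True
        if not changed:
            break
    return residual

# Constructed "previously labeled events" as feature vectors:
# (distinct sources, distinct destinations, distinct dst ports, mean packets/flow)
LABELED_EVENTS = {
    "port scan": (1, 1, 50, 1.0),
    "DDoS / SYN flood": (200, 1, 1, 1.0),
    "bulk transfer": (1, 1, 1, 5000.0),
}

def features(flows):
    return (len({f[SRC] for f in flows}), len({f[DST] for f in flows}),
            len({f[DPORT] for f in flows}), sum(f[PKTS] for f in flows) / len(flows))

def classify(flows, events=LABELED_EVENTS):
    """Nearest labeled event in log-scaled feature space; a simple stand-in for
    clustering the new anomaly with previously labeled ones."""
    x = [log1p(v) for v in features(flows)]
    def dist(proto):
        return sqrt(sum((a - log1p(b)) ** 2 for a, b in zip(x, proto)))
    return min(events, key=lambda label: dist(events[label]))

def diagnose(flows):
    """Return (label, isolated flows) for an alarming bin, None otherwise."""
    if not detector(flows)[0]:
        return None
    residual = isolate(flows)
    return classify(residual), residual

if __name__ == "__main__":
    for inject in (inject_port_scan, inject_syn_flood):
        label, residual = diagnose(inject(normal_background()))
        print(f"{inject.__name__}: {label}, {len(residual)} flows isolated")
```

Two caveats worth noticing when running it. A dimension along which the anomaly is spread (destination port for the scan, source address for the flood) yields no discriminating feedback: every group looks normal, the residual would be empty, and the step is rejected. And the isolated set is only as fine as the partition dimensions: with just the three header fields, the flood's residual still contains the server's twelve legitimate TLS sessions, because they share its destination address and port; the constructed packet-count bucket is what separates them on a second pass.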
Fernando Silveira, Christophe Diot
Added 28 Jan 2011
Updated 28 Jan 2011
Type Journal
Year 2010
Authors Fernando Silveira, Christophe Diot