4. Motivation for detecting anomaly
Notice something out of the ordinary
• network traffic is heavier than usual
• the number of login attempts is obviously larger
• a colleague is strangely gracious today
→ Unusual behaviors; indications of a fault.
Such info helps
prevent service degradation in advance!!
but rules/thresholds vary with service, host, client, time…
5. Key to detecting anomaly
Watch differences b/w usual and unusual
7. Superimpose 24-hour plots
[plot: traffic (y-axis) vs. time (x-axis), 24-hour plots of several days superimposed]
Traffic at 15:00 on a workday
is about 1.2 Gbps
Periodicity!!
8. mean ± 3σ
[plot: traffic curve with lines for mean, mean − 3σ and mean + 3σ]
3σ: amount of dispersion from the mean
→ Acceptable “range”
e.g. acceptable range of traffic at 15:00 on a workday is
1.01 to 1.38 Gbps
13. downloading large files,
mass e-mail sending…
“Traffic spikes” happen so frequently
Frequent false-positive alerting will make
a “cry-wolf” system…
14. heuristic filtering
Usually, traffic cools down
within 15 minutes
→ notify engineers only
if the anomaly continues for more than 15 minutes
Engineers’ knowledge is a gold mine
for a better algorithm
→ one practical example:
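The following is an added example written for this page; it is not the slide deck's own code or its "practical example". It puts slides 7, 8 and 14 together: traffic samples are grouped by a periodicity key (workday or not, hour of day), each slot gets an acceptable range of mean ± 3σ, and an alert is raised only when an out-of-range run persists for more than 15 minutes. The history values, the timestamps and the 2.0 Gbps spikes are constructed sample data, not measurements from the deck.

```python
"""Per-time-slot mean +/- 3 sigma baseline with a 15-minute persistence filter."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev


def _constructed_history():
    """Constructed sample: traffic in Gbps at 15:00 on ten past workdays.
    2024-01-01 is a Monday; weekends are skipped, so this spans two work weeks."""
    values = [1.18, 1.22, 1.20, 1.15, 1.25, 1.19, 1.21, 1.23, 1.17, 1.20]
    history = []
    day = datetime(2024, 1, 1, 15, 0)
    i = 0
    while i < len(values):
        if day.weekday() < 5:  # Mon-Fri only
            history.append((day, values[i]))
            i += 1
        day += timedelta(days=1)
    return history


def slot(ts):
    """Periodicity key: the same hour on the same kind of day is comparable."""
    return (ts.weekday() < 5, ts.hour)


def build_baseline(history, k=3.0):
    """Map each slot to its acceptable range (mean - k*sigma, mean + k*sigma)."""
    by_slot = defaultdict(list)
    for ts, value in history:
        by_slot[slot(ts)].append(value)
    baseline = {}
    for key, samples in by_slot.items():
        if len(samples) < 2:
            continue  # stdev needs at least two samples; no range yet for this slot
        m, s = mean(samples), stdev(samples)
        baseline[key] = (m - k * s, m + k * s)
    return baseline


def is_anomalous(ts, value, baseline):
    """True when the value falls outside the slot's acceptable range."""
    rng = baseline.get(slot(ts))
    if rng is None:
        return False  # no baseline for this slot: cannot judge, so do not alert
    lo, hi = rng
    return not (lo <= value <= hi)


def persistent_alerts(observations, baseline, hold=timedelta(minutes=15)):
    """Heuristic filter: return the start time of each anomalous run that
    lasted longer than `hold`. Shorter spikes are ignored, not reported."""
    alerts = []
    run_start = None
    notified = False
    for ts, value in sorted(observations):
        if is_anomalous(ts, value, baseline):
            if run_start is None:
                run_start, notified = ts, False
            elif not notified and ts - run_start > hold:
                alerts.append(run_start)
                notified = True  # one notification per run
        else:
            run_start, notified = None, False
    return alerts


def _constructed_observations():
    """Constructed sample: one workday afternoon sampled every minute with a
    10-minute spike (minutes 0-9) and a 20-minute spike (minutes 30-49)."""
    t0 = datetime(2024, 1, 15, 15, 0)  # a Monday
    obs = []
    for minute in range(60):
        spike = minute < 10 or 30 <= minute < 50
        obs.append((t0 + timedelta(minutes=minute), 2.0 if spike else 1.2))
    return obs


if __name__ == "__main__":
    bl = build_baseline(_constructed_history())
    lo, hi = bl[(True, 15)]
    print(f"acceptable range at 15:00 on a workday: {lo:.3f} to {hi:.3f} Gbps")
    for start in persistent_alerts(_constructed_observations(), bl):
        print(f"notify engineers: anomaly since {start:%H:%M} lasted > 15 min")
```

With the constructed history the range at 15:00 works out to roughly 1.11 to 1.29 Gbps. Both spikes are outside that range, but only the 20-minute one produces a notification, which is exactly the cry-wolf reduction slide 14 is after; the cost is that a genuine incident is reported 15 minutes late, so `hold` should be tuned per service from the engineers' own experience of how quickly normal spikes cool down.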