Tracking Normality in Networks

Tuesday, November 8, 2005 - 9:30am - 10:30am
EE/CS 3-180
Mark Coates (McGill University)
Many anomalous network events do not manifest themselves as abrupt,
easily-detectable changes in the volume of traffic at a single switch.
Rather, the footprint they leave is a modification of the pattern of traffic
at a number of routers in this network. Anomaly detection is then a question
of whether the current traffic pattern is sufficiently divergent from
normal traffic patterns. In this talk, I will describe a technique for
sequentially constructing a sparse kernel dictionary that forms a map of
network normality and illustrate how this map can be used to identify
anomalous events.
MSC Code: