BibTeX Entry


% Chhabra, Scott, Kolaczyk and Crovella, "Distributed Spatial Anomaly Detection" (Infocom 2008).
% Per the abstract: routers flag volume anomalies by cross-link comparison of
% traffic seen only on their own links, using generalized quantile estimators,
% and false discovery rate is used to attach a probability to each detection.
% NOTE(review): `url` is a plain-http link to a PDF under an author's faculty
% page and no DOI is recorded; check the copy against the publisher record.
% NOTE(review): `location` holds what looks like the conference city, while
% biblatex reads `location` as the publisher's place; confirm for the target style.
@inproceedings{ChhabraEtAl:Infocom08,
  author    = {Chhabra, Parminder and Scott, Clayton and Kolaczyk, Eric D. and Crovella, Mark},
  title     = {Distributed Spatial Anomaly Detection},
  booktitle = {Proceedings of Infocom 2008},
  location  = {Phoenix, AZ},
  month     = apr,
  year      = {2008},
  url       = {http://www.cs.bu.edu/faculty/crovella/paper-archive/infocom08-distributed-ad.pdf},
  abstract  = {Detection of traffic anomalies is an important problem that has been the focus of considerable research. Recent work has shown the utility of spatial detection of anomalies via cross-link traffic comparisons. In this paper we identify three advances that are needed to make such methods more useful and practical for network operators. First, anomaly detection methods should avoid global communication and centralized decision making. Second, nonparametric anomaly detection methods are needed to augment current parametric approaches. And finally, such methods should not just identify possible anomalies, but should also annotate each detection with some probabilistic qualifier of its importance. We propose a framework that simultaneously advances the current state of the art on all three fronts. We show that routers can effectively identify volume anomalies through cross-link comparison of traffic observed only on the router's own links. Second, we show that generalized quantile estimators are an effective way to identify high-dimensional sets of local traffic patterns that are potentially anomalous; such methods can be either parametric or nonparametric, and we evaluate both. Third, through the use of false discovery rate as a detection metric, we show that candidate anomalous patterns can be equipped with an estimate of a probability that they truly are anomalous. Overall, our framework provides network operators with an anomaly detection methodology that is distributed, effective, and easily interpretable. Part of the underlying statistical framework, which merges aspects of nonparametric set estimation and multiple hypothesis testing, is novel in itself, although the derivation of that framework is necessarily given elsewhere.}
}