Compressible Traffic Features

Despite their diversity, it is well known that traffic anomalies share a common characteristic: they introduce changes in the traffic behavioral aspects defined by certain traffic features, i.e. packet header fields. To apply traffic features for anomaly detection and identification, one promising class of approaches, which were proposed recently [1] [2] [3], have their basis on some analysis of the distribution of the amount of traffic (or the number of flows) over the possible values of the chosen traffic features, namely feature histograms. However, all these approaches have to address the inherent challenge in feature histograms: while feature histograms offer a finer overview of traffic behavior than the classically used volume time series, they suffer from the curse of dimensionality issue. To address the dimensionality challenge in making use of feature histograms in anomaly detection, the authors of [1] proposed to use entropy as a compact representation of a feature histogram and make anomaly detection based on entropy time series. However, this entropy representation is so compact that a lot of detailed traffic information implied in the feature histogram is lost. To construct a fine-grained model that captures the details of feature histograms, the authors of [2] applied various aggregation strategies such as a hash function technique that reduces the dimensionality of feature histogram while keeping a lossless observation of the entire distribution. However there is a dilemma: a coarse aggregation results in a hard traffic tractability, while to provide better traffic tractability, the use of a finegrained aggregation results in an increase in memory consumption and processing overhead. Further investigation of feature histogram dimensionality reduction is found in [3] where the authors first restricted their analysis on the well known ports (0-1203) and then applied principal component analysis (PCA) and used the principal components to represent the obtained histograms. While in this way, the histogram dimensionality can