TY - GEN
T1 - GAMPAL
T2 - 2nd International Conference on Machine Learning for Networking, MLN 2019
AU - Wakui, Taku
AU - Kondo, Takao
AU - Teraoka, Fumio
N1 - Publisher Copyright:
© 2020, IFIP International Federation for Information Processing.
PY - 2020
Y1 - 2020
N2 - This paper proposes a general-purpose anomaly detection mechanism for Internet backbone traffic named GAMPAL (General-purpose Anomaly detection Mechanism using Path Aggregate without Labeled data). GAMPAL does not require labeled data to achieve a general-purpose anomaly detection. For scalability to the number of entries in the BGP RIB (Routing Information Base), GAMPAL introduces path aggregates. The BGP RIB entries are classified into the path aggregates, each of which is identified with the first three AS numbers in the AS_PATH attribute. GAMPAL establishes a prediction model of traffic throughput based on past traffic throughput. It adopts the LSTM-RNN (Long Short-Term Memory Recurrent Neural Network) model focusing on periodicity in weekly scale of the Internet traffic pattern. The validity of GAMPAL is evaluated using the real traffic information and the BGP RIB exported from the WIDE backbone network (AS2500), a nation-wide backbone network for research and educational organizations in Japan. As a result, GAMPAL successfully detects traffic increases due to events and DDoS attacks targeted to a stub organization.
KW - General-Purpose Anomaly Detection
KW - Internet Backbone
KW - LSTM-RNN
KW - Network Traffic Analysis
UR - http://www.scopus.com/inward/record.url?scp=85084178615&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85084178615&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-45778-5_13
DO - 10.1007/978-3-030-45778-5_13
M3 - Conference contribution
AN - SCOPUS:85084178615
SN - 9783030457778
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 196
EP - 211
BT - Machine Learning for Networking - 2nd IFIP TC 6 International Conference, MLN 2019, Revised Selected Papers
A2 - Boumerdassi, Selma
A2 - Renault, Éric
A2 - Mühlethaler, Paul
PB - Springer
Y2 - 3 December 2019 through 5 December 2019
ER -