Detecting anomalies in massive traffic with sketches

Abstract

Sketches have been considered as an efficient and scalable structure for processing massive data. In this work, we propose a sketch-based method for detecting anomalies in network traffic. The method divides an IP traffic stream into sub-streams using the sketches and detects anomalies in the sub-streams based on a time-frequency analysis of the sub-stream's entropies. The paper shows detection and false positive rates of the method that was evaluated with real-world 150 Mbps traffic collected at the United States and Japan transit link.