
Stochastic modeling applied to detection problems in network protocols and traffic.


Abstract

This dissertation presents and evaluates two detection methods: a packet loss detector for TCP, and a network anomaly detector based on a new model of traffic as symbol sequences.

For the first problem, we use a binary Bayes detector framework for the packet loss detector because (a) there are only two hypotheses to test (i.e. either a packet is lost or not), and (b) by using a Bayesian framework we can overcome the limited amount of training data available within a TCP connection (due to short-lived connections and small loss rates) through the use of prior knowledge about the stochastic process of packet losses. We evaluate our detector with real network data, and a model of TCP throughput that we have adapted. Using this model, we show that under realistic scenarios on the Internet our method can improve TCP throughput by up to 20%.

The second half of the thesis puts forward a new perspective of network traffic, namely, as symbol sequences. We show that such sequences contain a new kind of memory called Long Range Mutual Information (LRMI). LRMI implies that the contents of two packets are dependent even if there are many packets between them in the sequence; furthermore, LRMI implies that a low-order Markov model is insufficient to model traffic as symbol sequences. Hence, the thesis presents a new network traffic model in terms of symbol sequences. The model has a small set of parameters which have simple interpretations in terms of traffic properties, for example, the distribution of flow sizes. We argue that characterization and modeling of traffic with consideration to packet content can open doors to new methods and applications in networks. In particular, the last part of the thesis presents one application of our traffic model to anomaly detection. This anomaly detector is based on an optimal Neyman-Pearson approach. This approach has the benefit that it provides a reasonable model for anomaly-free traffic, a key element missing in most anomaly detection methods to date.

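Bibliographic record

  • Author: Fonseca, Nahur
  • Author affiliation: Boston University
  • Degree-granting institution: Boston University
  • Discipline: Computer Science
  • Degree: Ph.D.
  • Year: 2009
  • Pages: 126 p.
  • Total pages: 126
  • Original format: PDF
  • Text language: eng
  • Chinese Library Classification: Automation technology, computer technology
  • Keywords
  • Date added: 2022-08-17 11:38:30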
