TY - GEN
T1 - Fast anomaly detection for large data centers
AU - Li, Ang
AU - Gu, Lin
AU - Xu, Kuai
PY - 2010
Y1 - 2010
AB - Recent spates of cyber attacks towards cloud computing services running in large data centers have made it imperative to develop effective techniques to detect anomalous behaviors in the "clouds". In this paper, we propose to use the distributions of IP address octets and centroid-based measures to characterize the inherent IP structure in high-volume data center traffic, and subsequently design a simple yet effective algorithm to detect abnormal traffic patterns caused by network attacks such as worms, viruses, and denial of service attacks. We evaluate the effectiveness and efficiency of this algorithm with synthetic traffic that combines real data center traffic collected from a large Internet content provider with worm traces and denial of service attacks. The experimental results show that our algorithm consistently distinguishes abnormal traffic from normal traffic, and does so in a short time with a low false alarm rate. We believe that the proposed approach could potentially be deployed in real-time data center environments to enhance the security and high availability of cloud computing.
UR - http://www.scopus.com/inward/record.url?scp=79551630853&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79551630853&partnerID=8YFLogxK
U2 - 10.1109/GLOCOM.2010.5683551
DO - 10.1109/GLOCOM.2010.5683551
M3 - Conference contribution
AN - SCOPUS:79551630853
SN - 9781424456383
T3 - GLOBECOM - IEEE Global Telecommunications Conference
BT - 2010 IEEE Global Telecommunications Conference, GLOBECOM 2010
T2 - 53rd IEEE Global Communications Conference, GLOBECOM 2010
Y2 - 6 December 2010 through 10 December 2010
ER -