Improved anomaly detection using block-matching denoising

We present a new approach for network traffic anomaly detection based on a denoising algorithm that uses wavelet transforms. Using a block-matching technique and considering network traffic as noise, we suppress the traffic in order to detect anomalies. This approach is data-driven in the sense that samples of network traffic determine the amount of background traffic suppression. Therefore, the output of the algorithm is an anomaly that can be easily detected. To improve the performance, the block-matching technique is combined with a method that can detect very short attacks. Results show that attacks can be detected under a variety of conditions.