An adaptive method for anomaly detection in symmetric network traffic

Symmetry is an obvious phenomenon in two-way communications. In this paper, we present an adaptive nonparametric method that can be used for anomaly detection in symmetric network traffic. Two important features are emphasized in this method: (i) automatic adjustment of the detection threshold according to the traffic conditions; and (ii) timely detection of the end of an anomalous event. Source-end defense against SYN flooding attacks is used to illustrate the efficacy of this method. Experiments on real traffic traces show that this method has high detection accuracy and low detection delays, and excels at detecting low intensity attacks.