TAMU Real Time Distributed Systems Lab (rtds)


Packet Flow Anomaly Detection

A packet flow anomaly is the presence of unusual packet flows in a network. The anomaly can be a "strong signal", meaning a disproportional surge of certain measurable traffic flow indicators. This kind of anomaly represents unfair use of the network bandwidth, and it can occur at any protocol layer. The best known packet flow anomaly is Denial of Service (DoS) SYN flooding. Unsolicited bulk emails can also be considered anomalous traffic. An anomaly can also be a "weak signal", e.g., a (compromised) user host attempting to create a covert communication channel.
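As an added illustration of a "strong signal" detector (this is example code written for this page, not the lab's own detector or its sliding mode controller), the block below bins a constructed packet trace into fixed time windows, computes two measurable flow indicators per window (total SYNs and SYNs from sources that never complete the handshake), and flags windows where the SYN count surges past a multiple of the baseline while most of those SYNs remain half-open. The packet records, the window length, the baseline of two windows and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict

SERVER = "10.0.0.100"  # constructed target address


def _handshake(t, src, dst):
    """Three packets of a completed TCP handshake at time t (constructed)."""
    return [(t, src, dst, "S"), (t, dst, src, "SA"), (t, src, dst, "A")]


# Constructed sample trace: (time_s, src, dst, tcp_flags).
# Windows 0 and 1: ten ordinary handshakes each (baseline).
# Window 2: ten ordinary handshakes plus 200 SYNs that never complete
#           (a constructed SYN-flood pattern from 200 distinct sources).
# Window 3: sixty ordinary handshakes (a legitimate surge, all completed).
SAMPLE_PACKETS = []
for w in (0, 1):
    for i in range(10):
        SAMPLE_PACKETS += _handshake(w * 10 + i, f"10.0.0.{i + 1}", SERVER)
for i in range(10):
    SAMPLE_PACKETS += _handshake(20 + i, f"10.0.0.{i + 1}", SERVER)
for i in range(200):
    SAMPLE_PACKETS.append((20 + (i % 10), f"172.16.0.{i + 1}", SERVER, "S"))
for i in range(60):
    SAMPLE_PACKETS += _handshake(30 + (i % 10), f"10.0.1.{i + 1}", SERVER)


def window_indicators(packets, window_s=10):
    """Bin packets into fixed windows and compute per-window flow indicators.

    Returns {window_index: (syn_count, half_open_count)} where half_open_count
    is the number of (src, dst) pairs that sent a SYN in the window but never
    sent the completing ACK in the same window. Packet order inside a window
    is ignored, which is adequate for flow-level counting.
    """
    syn_counts = defaultdict(int)
    syn_pairs = defaultdict(set)  # window -> {(src, dst)} that sent SYN
    ack_pairs = defaultdict(set)  # window -> {(src, dst)} that sent final ACK
    for t, src, dst, flags in packets:
        w = int(t // window_s)
        if flags == "S":
            syn_counts[w] += 1
            syn_pairs[w].add((src, dst))
        elif flags == "A":
            ack_pairs[w].add((src, dst))
    return {w: (syn_counts[w], len(syn_pairs[w] - ack_pairs[w]))
            for w in sorted(syn_counts)}


def detect_surges(indicators, baseline_windows=2, factor=4.0, half_open_ratio=0.5):
    """Flag windows whose SYN count exceeds `factor` times the baseline mean
    AND whose half-open fraction exceeds `half_open_ratio`.

    The second condition is what makes the surge "disproportional": a burst of
    completed handshakes (window 3 in the sample) is heavy but not anomalous.
    Returns the list of flagged window indices.
    """
    ws = sorted(indicators)
    base = ws[:baseline_windows]
    mean_syn = sum(indicators[w][0] for w in base) / len(base)
    flagged = []
    for w in ws[baseline_windows:]:
        syn, half_open = indicators[w]
        if syn > factor * mean_syn and syn and half_open / syn > half_open_ratio:
            flagged.append(w)
    return flagged


if __name__ == "__main__":
    ind = window_indicators(SAMPLE_PACKETS)
    for w, (syn, half_open) in ind.items():
        print(f"window {w}: syn={syn} half_open={half_open}")
    print("flagged windows:", detect_surges(ind))
```

With the constructed trace, window 2 is flagged (210 SYNs, 200 of them half-open) while window 3 (60 completed handshakes) is not, which is the distinction between a raw volume increase and a strong-signal anomaly.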

In our recent work we showed that it is important to take network dynamics into account in denial of service (DoS) detection when packet throttling is engaged, and that Sliding Mode Control is ideally suited for this purpose. A similar observation was made in the detection of shared congestion. Currently, we are expanding the study to generalize the anomaly detectors to the broadband, untrained environment in order to detect Unsolicited Bulk Emails (UNBE). Numerous techniques have been proposed to defeat UNBE. The Bayesian solution is based on statistical keyword matching. Black/white lists are based on sharing databases of known good and bad sources. Large email providers (Gmail, Yahoo, Hotmail, AOL, etc.) adopt source authentication. Puzzle solving is a bandwidth-limiting technique to defeat email scripts. Despite the impressive progress made in anti-spamming solutions, email spamming continues to grow explosively. To support objective and efficient evaluation of detector designs, we are developing a bulk email generator (BMG). As of the writing of this web page, the generator can generate bulk email bodies for experiments.