ML, LG, NI | Sep 19, 2013

Network Anomaly Detection: A Survey and Comparative Analysis of Stochastic and Deterministic Methods

arXiv:1309.4844v1 | 27 citations
Originality: Synthesis-oriented
AI Analysis

This is an incremental survey and comparative analysis for network security practitioners, providing insights into method trade-offs.

The paper tackles network anomaly detection by comparing five common methods, including Statistical Hypothesis Tests and Support Vector Machines, on a simulated network with anomalies and attacks, concluding that combining methods improves detection results.

We present five methods for the problem of network anomaly detection. These methods cover most of the common techniques in the anomaly detection field, including Statistical Hypothesis Tests (SHT), Support Vector Machines (SVM) and clustering analysis. We evaluate all methods in a simulated network that consists of nominal data, three flow-level anomalies and one packet-level attack. Through analyzing the results, we point out the advantages and disadvantages of each method and conclude that combining the results of the individual methods can yield improved anomaly detection results.
