Research Article
Network-Wide Traffic Anomaly Detection and Localization Based on Robust Multivariate Probabilistic Calibration Model
Table 6
Comparisons of RMPCM and PCA test results on DETERLab.
| (a) Initial settings |
| | Preset anomaly cycles | Alerts cycles | Type | | RMPCM | PCA |
| | 500~503 | 501~503 | 502, 503 | DoS | | 800~804 | 801 | 801 | Port scan | | 1000~1003 | 1000~1003 | 1000~1003 | DoS | | 1200~1239 | 1200~1239 | 1217, 1231–1239 | Ingress/egress shift | | 1500~1505 | 1501~1505 | 1501~1505 | DDoS | | 1800~1803 | 1802, 1803 | 1803 | DoS |
|
|
| (b) After adjusting settings |
| | Preset anomaly cycles | Alerts cycles | Type | | RMPCM | PCA |
| | 500~503 | 503 | 502, 503 | DoS | | 800~804 | | | Port scan | | 1000~1003 | 1001, 1002 | 1001, 1002 | DoS | | 1200~1219 | 1200~1219 | 1200~1219, 1272 | Ingress/egress shift | | 1500~1505 | 1503, 1504 | 1407, 1416, 1451, 1503, 1504, 1637, 1665 | DDoS | | 1800~1803 | 1802 | 1701, 1733, 1814, 1849 | DoS |
|
|
| (c) Injecting the large anomaly |
| | Preset anomaly cycles | Alerts cycles | Type | | RMPCM | PCA |
| | 500~503 | 500~503 | 500~503 | DoS | | 800~804 | 801 | 801 | Port scan | | 1000~1003 | 1001, 1002 | | DoS | | 1200~1239 | 1200~1239 | | Ingress/egress shift | | 1500~1505 | 1501~1504 | 1502~1504 | DDoS | | 1800~1803 | 1801, 1803 | 1801~1803 | DoS |
|
|
