Integrating Short History for Improving Anomaly Detection

Traf�c anomaly detection is of premier importance for network administrators as anomalies have a dramatic impact on network performances, & QoS perceived by users. It is, however, a very time consuming and costly task that often requires decision from network and security experts. For making anomaly detection autonomous, many research works started investigating the use of unsupervised machine learning techniques, and in most cases traf�c clustering. Identifying the clusters corresponding to anomalous traf�c classes among the full set of detected clusters still remains a challenge. This is mostly due to the nature of clustering techniques that work on traf�c samples of a given duration, each cluster being classi�ed after an uncertain post processing stage. In this paper, we show how anomaly detectors can bene�t from keeping a temporal track of the clustering results along time. This improvement has been added to ORUNADA (Online Real-time Unsupervised Network Anomaly Detection Algorithm) that aimed at providing ef�cient anomaly detection on high speed networks. This new ORUNADA version - called H-ORUNADA for History-ORUNADA. H-ORUNADA has also been implemented on Buffer Streaming for being able to work on very high-speed networks (targeting several hundreds of Grits/s) and evaluated on the Google Cloud Platform.