Anomaly detection through information sharing under different topologies

Lazaros K. Gallos, Maciej Korczyński, Nina H. Fefferman

Research output: Contribution to journal › Article › peer-review

6 Scopus citations


Early detection of traffic anomalies in networks increases the probability of effective intervention/mitigation actions, thereby improving the stability of system function. Centralized methods of anomaly detection are subject to inherent constraints: (1) they create a communication burden on the system, (2) they impose a delay in detection while information is being gathered, and (3) they require some trust and/or sharing of traffic information patterns. On the other hand, truly parallel, distributed methods are fast and private but can observe only local information. These methods can easily fail to see the “big picture” as they focus on only one thread in a tapestry. A recently proposed algorithm, Distributed Intrusion/Anomaly Monitoring for Nonparametric Detection (DIAMoND), addressed these problems by using parallel surveillance that included dynamic detection thresholds. These thresholds were functions of nonparametric information shared among network neighbors. Here, we explore the influence of network topology and patterns in normal traffic flow on the performance of the DIAMoND algorithm. We contrast performance to a truly parallel, independent surveillance system. We show that incorporation of nonparametric data improves anomaly detection capabilities in most cases, without incurring the practical problems of fully parallel network surveillance.

Original language: English (US)
Article number: 5
Journal: Eurasip Journal on Information Security
Issue number: 1
State: Published - Dec 1 2017

All Science Journal Classification (ASJC) codes

  • Signal Processing
  • Computer Science Applications


  • Anomaly detection
  • DDoS attack
  • Information sharing
  • Simulation

