1. Technical Field
Example embodiments of the present invention relate to apparatuses and methods for detecting an anomalous event in a network.
2. Related Art
Network attacks, such as Internet worms, scanning, and denial of service (DoS) attacks, waste network resources, which degrades the quality of service and the level of security provided to users. Representative events include an event in which famous websites such as Amazon, CNN, Yahoo, and Ebay were paralyzed in 2000, and an event in which routers connected to a Microsoft domain name system (DNS) server were subjected to a distributed DoS attack and web access service was paralyzed for some time due to overload of the routers in 2001. Accordingly, it is necessary to develop a scheme for detecting network attacks with high accuracy.
An anomalous event refers to a traffic property that may be extracted from the series of processes and results of a network attack. Examples of the anomalous event include high bandwidth, a distribution of Internet protocol (IP) addresses or port numbers different from that of normal traffic, etc. The anomalous event provides a suitable clue for detecting network attacks. Accordingly, detecting such an anomalous event with high accuracy may contribute to rapidly coping with network attacks.
A number of schemes for efficiently detecting an anomalous event have been proposed. Prior research has focused on observing a traffic volume and determining that there is an anomalous event when a characteristic change appears in the traffic volume. The traffic volume refers to data obtained by sequentially observing the packet count per unit time, the change of packet size per unit time, or the like. Representative research includes schemes for detecting an anomalous event using time series prediction, principal component analysis, and signal analysis. These schemes exhibit high false-negative and false-positive rates or high temporal complexity.
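As an added illustration of the traffic-volume approach described above, and not part of this patent's disclosure, the following Python builds a per-second packet-count and destination-port-entropy series from constructed packet records and flags intervals that deviate from a simple exponentially weighted moving-average (EWMA) time-series prediction. The sample packets, thresholds and function names are assumptions chosen for this example.

```python
import math
from collections import Counter

# Constructed sample traffic: (timestamp_seconds, src_ip, dst_port).
# Seconds 0-9 are normal (five hosts, five distinct ports); seconds 10-11
# carry a burst of packets to a single port, a constructed flood pattern.
SAMPLE_PACKETS = []
for t in range(10):
    for i, port in enumerate([80, 443, 53, 22, 8080]):
        SAMPLE_PACKETS.append((t, f"10.0.0.{i}", port))
for t in (10, 11):
    for _ in range(40):
        SAMPLE_PACKETS.append((t, "10.0.0.9", 445))


def traffic_volume(packets, unit=1):
    """Return [(slot, packet_count, port_entropy_bits)] per time unit."""
    buckets = {}
    for ts, _src, port in packets:
        buckets.setdefault(ts // unit, []).append(port)
    series = []
    for slot in sorted(buckets):
        ports = buckets[slot]
        n = len(ports)
        probs = [c / n for c in Counter(ports).values()]
        entropy = sum(-p * math.log2(p) for p in probs)
        series.append((slot, n, entropy))
    return series


def detect_anomalies(series, alpha=0.3, k=3.0, min_sigma=1.0, entropy_drop=0.5):
    """Flag slots whose packet count exceeds the EWMA prediction by k sigma,
    or whose port entropy collapses relative to its EWMA baseline."""
    mean = var = ent_mean = None
    flagged = []
    for slot, n, entropy in series:
        if mean is None:  # seed the baseline from the first interval
            mean, var, ent_mean = float(n), 0.0, entropy
            continue
        sigma = max(math.sqrt(var), min_sigma)
        if n > mean + k * sigma or entropy < ent_mean * entropy_drop:
            flagged.append((slot, n, round(entropy, 3)))
            continue  # keep anomalous intervals out of the baseline
        diff = n - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
        ent_mean += alpha * (entropy - ent_mean)
    return flagged


if __name__ == "__main__":
    print(detect_anomalies(traffic_volume(SAMPLE_PACKETS)))
```

Real deployments would widen the unit of time and add per-source or per-destination series; the point here is that both the volume and the distribution criteria are evaluated against a learned baseline rather than fixed constants.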