Image-based anomaly detection technique: Algorithm, implementation and effectiveness

The frequent and large-scale network attacks have led to an increased need for developing techniques for analyzing network traffic. This paper presents NetViewer, a network measurement approach that can simultaneously detect, identify, and visualize attacks and anomalous traffic in real-time by passively monitoring packet headers. We propose to represent samples of network packet header data as frames or images. With such a formulation, a series of samples can be seen as a sequence of frames or video, revealing certain kinds of attacks to the human eye. This enables techniques from image processing and video compression to be applied to the packet header data to reveal interesting properties of traffic. We show that "scene change analysis" can reveal sudden changes in traffic behavior or anomalies. We also show that "motion prediction" techniques can be employed to understand the patterns of some of the attacks. We show that it may be feasible to represent multiple pieces of data as different colors of an image enabling a uniform treatment of multidimensional packet header data. We compare the effectiveness of NetViewer with classical detection theory-based Neyman-Pearson test.