Early detection of traffic anomalies in networks increases the probability of effective intervention/mitigation actions, thereby improving the stability of system function. Centralized methods of anomaly detection are subject to inherent constraints: (1) they create a communication burden on the system, (2) they impose a delay in detection while information is being gathered, and (3) they require some trust and/or sharing of traffic information patterns. On the other hand, truly parallel, distributed methods are fast and private but can observe only local information. These methods can easily fail to see the “big picture” as they focus on only one thread in a tapestry. A recently proposed algorithm, Distributed Intrusion/Anomaly Monitoring for Nonparametric Detection (DIAMoND), addressed these problems by using parallel surveillance that included dynamic detection thresholds. These thresholds were functions of nonparametric information shared among network neighbors. Here, we explore the influence of network topology and patterns in normal traffic flow on the performance of the DIAMoND algorithm. We contrast performance to a truly parallel, independent surveillance system. We show that incorporation of nonparametric data improves anomaly detection capabilities in most cases, without incurring the practical problems of fully parallel network surveillance.

中文翻译：

---

通过不同拓扑下的信息共享进行异常检测

网络中流量异常的早期检测增加了有效干预/缓解措施的可能性，从而提高了系统功能的稳定性。集中式异常检测方法受到固有限制：（1）它们对系统造成通信负担；（2）它们在收集信息时强加了检测延迟；（3）它们需要一定的信任和/或共享交通信息模式。另一方面，真正的并行，分布式方法既快速又私有，但只能观察本地信息。这些方法仅关注挂毯中的一个线程，因此很容易看不到“全局”。最近提出的算法，用于非参数检测的分布式入侵/异常监视（DIAMoND），通过使用包括动态检测阈值的并行监视解决了这些问题。这些阈值是网络邻居之间共享的非参数信息的函数。在这里，我们探讨了正常流量中网络拓扑和模式对DIAMoND算法性能的影响。我们将性能与真正的并行，独立的监视系统进行对比。我们表明，在大多数情况下，合并非参数数据可提高异常检测能力，而不会引起完全并行网络监视的实际问题。我们将性能与真正的并行，独立的监视系统进行对比。我们表明，在大多数情况下，合并非参数数据可提高异常检测能力，而不会引起完全并行网络监视的实际问题。我们将性能与真正的并行，独立的监视系统进行对比。我们表明，在大多数情况下，合并非参数数据可提高异常检测能力，而不会引起完全并行网络监视的实际问题。