Anomaly Detection

Anomaly Detection is a hot topic in the TMA community, and a lot of institutions are doing research in this area. However, Anomaly Detection has multiple facets, and may have a different meaning for different researchers. Therefore, to facilitate the exchange of information among the participating institutions, we collected some compact information and compiled the "knowledge map" below, that can be used as a reference to initiate collaborations in the community.

Institution Current Research in AD Keywords

Un. Lancaster

(David Hutchinson, Kave’ Salamatian)

EC projects, namely ANA, INTERSECTION, ECODE and ResumeNet.

Methodologies for AD

AD on sampled data

Distributed AD

Sampling impact, resilience, PCA, Kalman Filter, Distributed AD


(Symeon Papavassiliou)

Integrated multi-metric-multi-link (M3L) PCA-based AD. Impact of intelligent sampling techniques

PCA, Sampling impact

TU München

(Gerhard Münz)

Univariate and multivariate analysis of Netflow data.

Time series analysis, PCA

Un. Twente

(Anna Sperotto, Giovane Moura)

Flow-based Intrusion Detection

Statistical modelling of malicious and normal user behaviour

Scalable NetFlow based detection of phishing attacks and botnets

User behaviour profiling, Phishing and Botnet detection


(Tanja Zseby)

Worm detection in DNS traffic, node cooperation for network protection, influence of sampling techniques, IPFIX-based metrics

Sampling techniques, cooperation techniques, IPFIX/PSAMP

Hebrew Un. Jerusalem

(Danny Dolev, Shimrit Tzur, Tal Anker)

Designed and implemented a full network intrusion prevention system (NIPS) based on two novel pattern matching algorithms, with a Snort compatible syntax.

Designed and implemented an anomaly based NIPS to detect DoS/DDoS attacks and web-related attacks.

NIDS, NIPS, HW assisted algorithms, anomaly based NIPS


(Michalis Polychronakis)

Developed attack detection algorithms that use heuristics on different interpretations of the packet payload

Packet inspection


(Alessandro D’Alconzo, Andreas Berger)

AD with applications to 3G networks

Novel statistical-based detection algorithms based on the analysis of time-series of traffic feature distribution

Ability to associate each individual packet to the Mobile Station (MS) that sent or received it

Network-based malware detection

SIP fingerprinting for SPIT and DoS detection

3G networks, SIP, malware, NIDS, SPIT

Un. Of Pisa

(Christian Callegari)

Development of several AD algorithms, based on advanced mathematical tools

Mathematical modelling

UPC (Barcelona)

Pere Barlet

Studying the impact of several sampling techniques on AD methods as well as on the design sampling-resilient anomaly detection techniques using Sampled NetFlow

Sampling impact, Sampling-resilient AD

NEC Labs Europe

(Saverio Niccolini)

Application-layer anomaly detection for (SIP-based) multimedia communications (VoIP/IPTV)

application-layer, VoIP/IPTV, SPIT, SIP

Orange Labs

(Fredric Guyard)

Singular Spectrum Analysis based method for online detection of anomalies in time-series. Application to detection of anomalies in QoExperience indicators time-series

Spectral analysis, QoExperience


(Maurizio Molina)

Quantitative cross comparison of commercial tools for AD on GÉANT network

Commercial tools benchmarking and deployment

ETH Zurich

(Daniela Brauckoff, Bernhard Tellenbach,

Martin Burkhart, Xenofontas Dimitropoulos)

Anomaly injection in Netflow traffic traces (FLAME tool), Multi-domain privacy-preserving computation of AD metrics, use of Tsallis Entropy for AD, histogram analysis

Synthetic anomaly generation, Privacy, Entropy

CICANT, Univ. Lusofona

(Nuno Garcia)

Self-similarity analysis on multidimensional characteristics of trace flows applied to AD

Mathematical modelling

(Philippe Owezarski)

distributed anomaly detection and classification, assessment and validation of IDS, anomalous traffic modelling and generation, malicious traffic analysis

Anomaly classification, Synthetic anomaly generation, NIDS validation,

Malicious traffic analysis


(Dario Rossi, Olivier Cappé, Céline Lévy-Leduc,


F. Roueff,)

Distributed network AD, AD using NetFlow records and statistical methods

Mathematical modelling, statistics

ENS Lyon - CNRS, SiSyPhe Group (Patrice Abry, Pierre Borgnat, Guillaume Dewaele)

Traffic and Anomaly Classification, Benchmarking AD, Longitudinal studies of anomalies.

MultiResolution Methods, Statistics

UPV/EHU (Bilbao) University of the Basque Country

(Armando Ferro)

Analysis of traffic load and algorithm impact in computing performance. A NIPS based on multiprocessor architecture. Performance modelling. ADAMANTIUM EC project related to QoE and VoIP/IPTV provision (SIP-based).

Performance Modelling

Parallel computing

Packet inspection.


academic tools for traffic analysis

University of Napoli Federico II (Antonio Pescapè)

Distributed Architecture for real-time Intrusion Detection: traffic monitoring, information fusion, intrusion reaction. Reputation Models.

Behavior profiling: botnet detection, wireless security. Signal Processing approaches for Volume based Anomalies

Distributed detection architecture, user behaviour profiling, volume-based anomalies


(Jorma Kilpi)

AD on server log data and security data. Tools for telecom network monitoring.

Data mining, security, data clustering, self-organizing maps (SOM), server log, network level analysis



Statistical tools for (quasi)on-line detection of model’s parameters change in analyzed time series

Statistical analysis, changepoint detection

University of Jyväskylä

(Tapani Ristaniemi)

Detection of deviation from normal behaviour of high-dimensional systems. Protection of complex systems against a huge variety of new threats, not just classical cases, while predicting the emergence of performance degradation.

Mathematical modelling, statistics

AGH University of Science and Technology (Lucjan Janowski)

Traffic modelling focused on detecting DDoS and its influences on a user QoS/OoE. We are also interested in writing a tool helping easy comparison between different AD algorithms implemented in MATLAB.

DDoS, Traffic modelling, MATLAB, QoS/QoE

Universidad Autónoma de Madrid (Felipe Mata)

evaluation and development of new AD algorithms exploiting MRTG and NetFlow records, in order to apply them in the detection of changes that can help capacity planning decisions

Capacity planning, MRTG