Similarity as a central approach to flow‐based anomaly detection
Authors: Martin Drašar, Martin Vizváry, Jan Vykopal
Affiliation: Institute of Computer Science, Masaryk University, 602 00 Brno, Czech Republic
Abstract: Network flow monitoring is currently a common practice in mid‐ and large‐size networks. Methods of flow‐based anomaly detection are subject to ongoing extensive research, because detection methods based on deep packets have reached their limits. However, there is a lack of comprehensive studies mapping the state of the art in this area. For this reason, we have conducted a thorough survey of flow‐based anomaly detection methods published at academic conferences and used by the industry. We have analyzed these methods from the perspective of similarity, which is inherent to any anomaly detection method. Based on this analysis, we have proposed a new taxonomy of network anomalies and a similarity‐oriented classification of flow‐based detection methods. We have also identified four issues requiring further research: the lack of flow‐based evaluation datasets, infeasible benchmarking of proposed methods, excessive false positive rate and limited coverage of certain anomaly classes. Copyright © 2014 John Wiley & Sons, Ltd.