2014 33rd International Conference of the Chilean Computer Science Society

Digital Signature of Network Segment Using Flow Analysis Through Genetic

Algorithm and ACO Metaheuristics

Paulo R. Galego Hernandes Jr. Luiz F. Carvalho Mario Lemes Proença Jr.

Information Security Department Computer Science Department Computer Science Department

São Paulo State Technological State University State University
College (Fatec Ourinhos) of Londrina (UEL) of Londrina (UEL)
Ourinhos, Brazil Londrina, Brazil Londrina, Brazil
Email: paulogalego@gmail.com Email: luizfcarvalhoo@gmail.com Email: proenca@uel.br

Abstract—Traffic monitoring is an important task for net-
work administrators who require tools to aid in the detection of
changes in the network’s routine. In this paper, we use a Digital
Signature of Network Segment using Flow Analysis (DSNSF) as
a technique to describe standard network behavior aiming to
support network management through traffic characterization.
We have collected real data set from State University of
Londrina (UEL), using data flow attributes such as bits,
packets and number of flows. Our novel model uses Genetic
Algorithm to optimize the process, which consists or organizing
the data to display graphically a standard network behavior.
To accomplish this task, we compared our novel model with
another similar method, Ant Colony Optimization for Digital
Signature (ACODS), evaluating these models to measure their
accuracy.
Keywords-Characterization, Traffic Monitoring, Network
Management, Genetic Algorithm, ACO, sFlow.
I. I NTRODUCTION
Nowadays, one of the biggest challenges for network
administrators is to manage bandwidth resources efficiently.
There are a variety of tools and techniques to help these
administrators identify anomalous behavior and prevent se-
curity incidents. Information such as an interface’s traffic
should be monitored through network active elements.
The Simple Network Management Protocol (SNMP) was
used for many years to provide such information, however,
administrators required more knowledge about their environ-
ments. With the use of data flow, they were able to obtain
the required details. A flow record is defined by a connection
between two hosts reporting fields in common, those could
be the endpoint addresses, time, and volume of information
transferred. This gives a more detailed view on the traffic
and allows it to be used on large networks, due to the data
reduction compared to SNMP [1].
Apart from data flow, there are other tools used to support
network managers, such as Network Intrusion Detection
Systems (NIDS). These tools are normally based on attack
signatures, represented as a set of rules frequently updated
by the security community or companies. When a packet is
matched against a signature, an alert is raised, indicating an
attempted intrusion or misuse, which could be considered a
network anomaly [2]. But, an attack signature can change
and a NIDS can leave an intruder to gain unauthorized
access, or to bring down a server over a DDoS attack, until
its signature data base is updated.
In order to overcome this lack of security, we find models
able to detect every change in the network routine by
learning the standard behavior of an environment using
traffic characterization. According to Zarpelão et al. [3],
the anomaly detection techniques known as profile-based
or statistical-based do not require any previous knowledge
about the nature and properties of the anomalies to be
detected. It is an advantage because these models can be
used in different environments.
In this study, we use genetic algorithm (GA), a powerful
metaheuristic, to organize IP data flow in clusters. We used
three features from a real data set: bits, packets and number
of flows per second. These data were used to generate our
Digital Signature of Network Segment using Flow Analysis
(DSNSF), which characterize network traffic through its
behavior and predict traffic usage, standard possible to
identify anomalous traffic. We will call this method DSNSF-
GA and we will compare it with another approach based
on DSNSF: Ant Colony Optimization for Digital Signature
(ACODS).
This paper is organized as follows: Section II presents the
related work. Section III explains the novel method giving
details of the DSNSF-GA generation. Section IV presents
the result of our evaluation tests, and finally Section V
concludes this paper.
II. R ELATED W ORK
Patcha and Park [4] classify network anomaly based
systems in three groups such as signature based, profile
based and hybrid. A signature based system works similar

1522-4902/15 $31.00 © 2015 IEEE 92

DOI 10.1109/SCCC.2014.15
to a NIDS, using a set of signatures (patterns) of previously
known attacks to build a database, and packets are inspected
against this database to find an anomaly. Profile based sys-
tems works creating a network profile based on its behavior,
and every deviation of this profile can be an anomaly. The
third is a combination of both.
A traffic characterization is the first step to build an
anomaly detection system profile based. An extensive survey
about network anomaly detection systems was presented by
Monowar et al. [5], where different methods were classified
according to its characteristics, such as Statistical, knowl-
edge based and clustering, among others.
A cluster is a group and the process of organizing data in
clusters is called clusterization. When data are organized into
groups, elements within the same group should be similar
and data within other groups should be different. In addition
to this, there are metaheuristics techniques used to optimize
the clusterization process.
Nanda et al. [6] described various nature inspired meta-
heuristic algorithms used for this optimization, including
evolutionary algorithms and swarm intelligence. They found
in this study, that nature inspired metaheuristics explore the
entire search space with the population involved, and ensure
that optimal partition is achieved.
Genetic algorithms were proposed by Holland [7] to
simulate the natural evolution process, and it is recognized
as an ideal optimization technique to solve a large variety of
problems, simulating the natural evolution process through
operators such as selection, crossover and mutation. To get
the best of both GA and clusterization process, Maulik et al.
[8] proposed a Genetic Algorithm-based clustering technique
and used the Euclidean distance to classify in which cluster
each point should be. The Ant Colony Optimization (ACO)
algorithm is a swarm intelligence metaheuristic, and it is
inspired by ants behavior in determining the optimal path
from their nest to the food source [9].
In [10], the entropy was used as a summarization tool,
classifying flow data (IP addresses and ports) to enable auto-
matic classification of anomalies via unsupervised learning.
Another approach [11] is based on the detection of breaks
in the distribution of connections size. The authors define a
connection as a cumulative traffic between two IP addresses,
and it is measured in number of packets. They used abnormal
variations in the connections size distribution, and measure
similarity among flows, to determine if the traffic is or not
suspect.
A digital signature of network segments (DSNS), was
used by [12] to characterize the traffic which flows through
the network servers. This characterization should reflect the
expected profile for the traffic along the day. The authors
used the SNMP protocol to obtain network information such
as the quantity of input and output of octets (ifInOctets,
ifOutOctets), the number of IP datagrams received (ipInRe-
ceives) and the total number of TCP segments received from
93
networks interfaces (tcpInSegs).
There are many studies trying to find an anomaly detection
model based on traffic characterization, which should learn
the standard behavior of an environment and, based on its
history, detect changes in the network routine [13] [14].
Traffic characterization based methods are efficient because
they learn the network’s behavior along a period of time,
reducing the probability of a successful attack [15]. In
[16], a pro-active system uses correlation of the detected
deviations to identify anomalies avoiding a high number of
false alarms. A Holt-Winters for Digital Signature (HWDS)
method was proposed by [17], and consists in an improved
version of the statistical forecasting Holt-Winters method.
A Firefly Harmonic Clustering Algorithm are described in
[18] and was applied to detect anomalies in real network
traffic making it possible to achieve a trade-off between a
90% true-positive rate and 30% false-positive rate.
III. T RAFFIC C HARACTERIZATION U SING DSNSF-GA
In this section, we present a novel model used to generate
a DSNSF using data flow such as bits, packets and number
of flows, collected using sFlow pattern [19]. The genetic
algorithm (GA) model has its basis on the natural evolution
of species theory, which simulates the evolutionary process.
We compare this model with Ant Colony Optimization for
Digital Signature (ACODS), which is based on ant colonies’
behavior. Both models are able to characterize network
traffic using data flows.
A. ACODS
The ACODS model was presented by Carvalho et al. [20].
Similarly to real ants, ACO agents are able to organize them-
selves using pheromone trail. Agents are attracted to more
favorable locations to optimize an objective function, i.e.,
those in which the concentration of pheromone deposited by
ants which previously went through the same path is higher.
Thus, the author introduces the ACODS, a modification
of the Ant Colony Optimization metaheuristic for DSNSF
creation using the clustering approach. More details can be
found in [21].
B. DSNSF-GA
Our DSNSF-GA uses genetic algorithm based approach
to organize data flow in clusters. Each cluster has its own
centroid, a point in RN which indicates the center of
the cluster. We measure the distance between the points
to organize data and use the average among centroids to
generate a graph. For each workday in a week, we used data
from the same day of week for during a three week period
and compared them with the current day. For example, for
the 2nd of October, a Tuesday, we use data from the last
three Tuesdays: 28th, 21st and 14th of September to generate
a DSNSF, which will be compared to the current traffic to
detect a network anomalous behavior.
 GA is a method which manipulates a population of poten-
tial problem solutions, trying to solve them using a coded
representation of these solutions, which are equivalent to
genetic material (chromosomes) of individuals in nature. In
GA, members of a population (the solutions) compete with
each other to survive and reproduce, generating new solu-
tions. Each individual will be assigned a fitness value which
will reflect how adapted in an environment this individual
is in comparison with others. As in nature, the selection
will elect the fittest individuals. These will be assigned for
a genetic combination, also called crossover, which will
result in the exchange of genetic material (reproduction),
generating a new population. The GA cycle are illustrated
in Figure 1.
Figure 1: Genetic Algorithm Cycle
Besides, we have to determine our objective and fitness
functions which will be optimized. In our approach, we use
the Euclidean distance as an objective and fitness function.
The Euclidean distance is given by Equation 1.
 9:
E K  N
J=  (xin − cjn )2 (1)
i=1 j=1 n=1
in which K is the total number of clusters, E represents
the amount of flows to be clustered and N indicates data
94
dimensionality, i.e., number of features to be processed. The
collected flows are divided in 5 minute intervals, totaling 288
data sets throughout the day. The variable xin denotes value
of the feature n of flow i and cjn stores value of center of
cluster j at n dimension.
We use the cluster centroids as the chromosomes’s value.
For the initial population, we have generated randomly chro-
mosomes and their values should be between the minimum
and maximum flow data values. These chromosomes are
used to generate new populations of individuals. The next
action is to determine the fittest individuals in a population.
What will determine if an individual is or not fit, is the
sum of the distance between all points and their respective
cluster centroid, as we are finding the lower value. If this
total distance is lower in an individual than in other, it means
that the data inside that cluster are well organized, i.e., there
are more points closer from its central point in that cluster,
than in other. In our approach, we used this total distance
to determine the fittest individuals which will procreate. A
Roulette Wheel technique was used to determine the best
chromosomes, which consists of giving each individual a
slice of a circular wheel equal in area to the individual’s
fitness [22]. We spun the roulette for the same number of
individuals in the population. Those which were selected
more often were the fittest, and will breed a new generation.
The operation of DSNSF-GA is shown in Algorithm 1.
Algorithm 1 – using DSNSF-GA to create the DSNSF
Require: Set of bits, packets and flows collected from
historic database, number of: clusters, initial population
and iterations
Ensure: X: Vector representing the bits, packets and flows
of a day arranged in 288 intervals, which means 5
minutes, i.e. the DSNSF
1: for i = 1 to 288 do
2: Initialize population ρ
3: for t = 1 to number of iterations do
4: Compute fitness for ρ
5: Select the fittest using the Roulette Wheel
6: Apply crossover to generate a new population τ
7: Apply mutation if necessary
8: Evaluate solutions through the objective function
(1)
end for
10: Calculate the center of each cluster of the best solu-
tion found (fittest)
11: Xi ← average among the clusters
12: end for
13: return X
 To yield new generations, the crossover operator will 6
x 10 Bits per Second Traffic of 10/02/2012 and Generated DSNSFs

combine chromosomes of two parents to create a new one. In 3

our approach, we have chosen a random number to divide

bits/s
2

both chromosomes in the same point and merge them in 1

current day DSNSF−GA ACODS
another (child). This process will continue until the old 0
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
population is replaced by a new population of ”children”. As time (hours)

in nature, the fittest individuals have a greater probability of Packets per Second Traffic of 10/02/2012 and Generated DSNSFs
500
generating a new offspring, who will then generate another 400

packets/s
and so on. To generate a new progeny, two parents must 300
combine their genetic material. The crossover is the key 200
100
process in a genetic algorithm, because at this moment the current day DSNSF−GA ACODS
0
exchange of genes will occur. When two parents reproduce, 6 7 8 9 10 11 12 13 14 15 16
time (hours)
17 18 19 20 21 22 23 24

they will switch genetic material and their children will be

Flows per Second Traffic of 10/02/2012 and Generated DSNSFs
a copy of both merged chromosomes. For our purposes, the
1.5
exchange of chromosomes will improve the solution, where

we are finding the shorter total distance in a chromosome.
To start this process, we set an initial population of ρ
individuals, and we choose τ = ρ/2 corresponding to the
fittest in this population to generate a new one. The last
individuals will join with the previous population to breed
another one. The fittest will be elected by the Roulette
technique, which will choose τ to generate other children.
Each one of these iterations is called a new generation.
To create our DSNSF-GA, we have collected data from
State University of Londrina (UEL) during five weeks using
sFlow to generate IP flows. These data were separated
in files, one per day. Every file has 86400 lines, each
corresponding to the amount of bits, packets or flows per
second. As we choose to generate the DSNSF-GA using data
from five minute intervals, we selected 300 lines from each
file (as we are using three previous days) to generate a single
point in the graphic. Those lines (data) were divided and
later grouped in clusters according to Euclidean distance.
Using the Silhouette method for interpretation and validation
of clusters [23], best results were reached using K = 3,
where K is the number of clusters, and the GA was used to
optimize these distribution among the clusters.
Each chromosome also undergoes a mutation probability,
which is a fixed number. Mutation allows the beginning
and preservation of genetic variation in a population by
introducing another genetic structure modifying genes inside
the chromosome. We established a mutation tax of 5%.
When the mutation occurs we choose a mutation point,
called M P , which will be the point where its value changes.
This new value is calculated using:
N ewi = Oldi + (δ × Oldi ) (2)
where N ewi is the new individual, Oldi is the old individ-
ual, δ is the randomic number 0 < n < 1 which determine
if mutation will or will not occur. The new chromosome will
be used to generate a new offspring.
The best population will be acquired at the end of these
Flows/s
1
0.5
current day DSNSF−GA ACODS
0
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
time (hours)
Figure 2: DSNSF-GA and ACODS for the 2nd of October.
processes, and from this we choose the best individual,
which represents the shortest sum of the distance between
each point in the cluster and its respective centroid. Now,
we calculate the average among the three cluster centroids.
This number represents a single point in the graphic, and
this process will repeat for other 288 times, representing all
5 minutes intervals during a day. By using data from three
previous days to generate this single point, we now have a
network signature of this day, or the DSNSF-GA.
IV. T ESTS AND R ESULTS
For our purpose, we used only data between 06:00 and
24:00 since we collect data from a University, whose work
hours commence at 07:00 and end at 23:00. It is important
to emphasize that the 12th of October is a national holiday
in Brazil, and this is the reason for a different traffic
behavior on that specific day. We decided to keep this day
to demonstrate the ability of adaptation of the methods to
similar situations.
Furthermore, Figure 2 shows the observed traffic predicted
by both, DSNSF-GA and ACODS for bits, packets and flows
per second. The figure represents the traffic measure from
2nd October 2012 where the green color is the current
day and two other lines are presented: one for DSNSF-
GA and another for ACODS approaches. As shown in this
figure, both of them are able to characterize network traffic,
presenting the usual observed traffic, displaying increases
and decreases in usage following the same pattern, and also
a greater use of network resources during the periods from

95
 6
x 10 Bits per second traffic of 10/12/2012 − DSNSF
CC/Days 1 2 3 4 5 Average
4
3 GA-bits 0.79 0.87 0.79 0.89 0.66 0.80
Bits/s

2 GA-packets 0.59 0.64 0.73 0.61 0.49 0.61

GA-flows 0.63 0.72 0.79 0.56 0.56 0.65
1
current day DSNSF−GA ACODS ACO-bits 0.88 0.91 0.84 0.92 0.60 0.83
0
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 ACO-packets 0.71 0.83 0.80 0.56 0.55 0.69
time (hours) ACO-flows 0.62 0.83 0.80 0.51 0.55 0.66
Packets per second traffic of 10/12/2012 − DSNSF
Table I: CC Table - Days between 1st to 5th of October
400
Packets/s

200 CC/Days 8 9 10 11 12 Average

current day DSNSF−GA ACODS
GA-bits 0.85 0.90 0.84 0.76 0.16 0.70
0 GA-packets 0.79 0.83 0.81 0.57 0.31 0.66
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
time (hours) GA-flows 0.79 0.86 0.86 0.55 0.32 0.68
ACO-bits 0.91 0.92 0.87 0.76 0.18 0.73
Flows per second traffic of 10/12/2012 − DSNSF ACO-packets 0.87 0.80 0.85 0.59 0.27 0.68
ACO-flows 0.87 0.88 0.87 0.59 0.27 0.70
1.5
Flows/s

1
Table II: CC Table - Days between 8th to 12th of October
0.5 current day DSNSF−GA ACODS
0
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
time (hours)

Figure 3: DSNSF-GA and ACODS for the 12th of October,

a national holiday. bits per second

ACODS
0.4 DSNSF−GA
NMSE

07:00 to 12:00 hours and from 13:00 to 23:00 hours. 0.2

In Figure 3, we observe a significant difference between 0

1 2 3 4 5 8 9 10 11 12
predicted and observed traffic. It was caused by a national Workdays from 1st to 12th of October
holiday, when there was little activity at the University. We
packets per second
decided to show these graphs to demonstrate the efficiency
DSNSF−GA
of both models. 0.2
ACODS
NMSE

We adopted two methods to measure the accuracy of

0.1
each DSNSF generation: Correlation Coefficient (CC) and
Normalized Mean Square Error (NMSE). NMSE compares 0
1 2 3 4 5 8 9 10 11 12
the mean of a series against certain predicted values. If the Workdays from 1st to 12th of October

NMSE value is close to 0, then the forecasts are doing Flows per second

better than the current traffic, but if it is close to 1, then 0.2

DSNSF−GA
NMSE

ACODS
the predictions are doing worse than the current traffic. The
0.1
CC measures how suitable a model is, whether the growth
and decrease trends of the traffic movement are followed by 0
1 2 3 4 5 8 9 10 11 12
the DSNSF, resulting values varying from -1 to 1. A positive Workdays from 1st to 12th of October

value indicates total correlation, and values close to 0 mean

bad or no correlation between data and the adjustable model
[24]. Figure 4: NMSE Days between 1st to 12th of October
The NMSE values are shown in Figure 4. The DSNSF-GA
presents averages NMSE values of 0.06 for bits per second,
0.04 for packets per second and 0.03 for flows per second, In addition to this, we can see in Tables I and II that
excluding the national holiday and averages of 0.1 for bits, there is correlation between the observed traffic and the
0.04 for packets and 0.04 for flows including it. A value of predictions generated by the characterization from DSNSF-
bits of 0.6, for example, for 12th of October, indicates that GA and ACODS, where values are close to 1, except
the current traffic has values outside the predicted average. during the national holiday, where values are close to 0.
For ACODS we found close average values, of 0.05, 0.03 We investigated what the cause was for inadequate values
and 0.03 including the national holiday, and 0.1, 0.04 and for NMSE and CC for 5th of October. After analyzing server
0.04 excluding it, for bits, packets and flows, respectively. log files, the network administrator discovered a large input

96
of HTTP traffic. It was caused by students applying for one
of the 53 new classes of postgraduate courses. It means that
both methods are able to characterize network traffic, while
its predictions were able to display the normal behavior,
making it possible to identify deviations.
V. C ONCLUSION AND F UTURE W ORKS
In this paper, we presented a novel model to characterize
network traffic using flow attributes, such as bits, packets
and number of flows per second through genetic algorithm,
called DSNSF-GA. In addition to this, we compare our
model with another method, ACODS, which is based on
ant colony’s optimization. In terms of computational com-
plexity, both methods use metaheuristics algorithms to find
an optimal solution, there are a number of iterations until
a certain condition is reached, and both of them used the
same value.
We used a real data set of traffic, collected from State
University of Londrina (UEL). In our tests, both methods
were able to characterize network traffic efficiently, and pre-
dict the standard behavior of an environment. Although we
have no threshold to distinguish anomalous from standard
behavior, we observe in tables positive values from NMSE
and CC, which means satisfactory predictions. In future
works, we intend to increase the number of attributes, linking
all of them, creating a multidimensional model, which uses
genetic algorithm to generate our DSNSF-GA.
ACKNOWLEDGMENT
This work was supported by SETI/Fundação Araucária
for Betelgeuse Project financial support. Also the authors
would thanks São Paulo State Technological College (Fatec
Ourinhos).
R EFERENCES
[1] B. Trammell and E. Boschi, “An introduction to ip flow information
export (ipfix),” IEEE Communications Magazine, vol. 49, no. 4, pp.
89–95, 2011.
[2] K. Salah and A. Kahtani, “Performance evaluation comparison of
snort nids under linux and windows server,” J. Network and Computer
Applications, vol. 33, no. 1, pp. 6–15, 2010.
[3] B. B. Zarpelão, L. d. S. Mendes, and M. L. Proença Jr., “Anomaly
detection aiming pro-active management of computer network based
on digital signature of network segment,” Journal of Network and
Systems Management, vol. 15, no. 2, pp. 267–283, 2007.
[4] A. Patcha and J.-M. Park, “An overview of anomaly detection tech-
niques: Existing solutions and latest technological trends,” Computer
Networks, vol. 51, no. 12, pp. 3448–3470, 2007.
[5] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “Network
anomaly detection: Methods, systems and tools,” IEEE Communica-
tions Surveys and Tutorials, vol. 16, no. 1, pp. 303–336, 2014.
[6] S. J. Nanda and G. Panda, “A survey on nature inspired metaheuristic
algorithms for partitional clustering,” Swarm and Evolutionary Com-
putation, vol. 16, no. 0, pp. 1 – 18, 2014.
[7] J. H. Holland, Adaptation in Natural and Artificial Systems: An
Introductory Analysis with Applications to Biology, Control and
Artificial Intelligence. Cambridge, MA, USA: MIT Press, 1992.
[8] U. Maulik and S. Bandyopadhyay, “Genetic algorithm-based cluster-
ing technique,” Pattern Recognition, vol. 33, no. 9, pp. 1455–1465,
2000.
97
[9] M. Dorigo, G. D. Caro, and L. M. Gambardella, “Ant algorithms for
discrete optimization,” Artificial Life, vol. 5, pp. 137–172, 1999.
[10] A. Lakhina, M. Crovella, and C. Diot, “Characterization of network-
wide anomalies in traffic flows,” in Internet Measurement Conference,
2004, pp. 201–206.
[11] H. Rahmani, N. Sahli, and F. Kamoun, “Ddos flooding attack de-
tection scheme based on f-divergence,” Computer Communications,
vol. 35, no. 11, pp. 1380–1391, 2012.
[12] M. L. Proença Jr., B. B. Zarpelão, and L. S. Mendes, “Anomaly
detection for network servers using digital signature of network
segment,” in Proceedings - Advanced Industrial Conference on
Telecommunications/Service Assurance with Partial and Intermit-
tent Resources Conference/E-Learning on Telecommunications Work-
shop AICT/SAPIR/ELETE 2005, vol. 2005, 2005, pp. 290–295,
doi:10.1109/AICT.2005.26.
[13] A. Rajaraman and J. D. Ullman, Mining of Massive Datasets. New
York, NY, USA: Cambridge University Press, 2011.
[14] M. H. A. C. Adaniya, T. Abrão, and M. L. Proença Jr., “Anomaly
detection using metaheuristic firefly harmonic clustering,” Journal of
Networks, vol. 8, no. 1, 2013.
[15] M. L. Proença Jr., C. Coppelmans, M. Bottoli, and L. Souza Mendes,
“Baseline to help with network management,” in e-Business and
Telecommunication Networks. Springer Netherlands, 2006, pp. 158–
166, doi: 10.1007/1–4020–4761–4 12.
[16] B. B. Zarpelão, L. S. Mendes, M. L. Proença Jr., and J. J. P. C.
Rodrigues, “Parameterized anomaly detection system with automatic
configuration,” in Global Telecommunications Conference, 2009.
GLOBECOM 2009. IEEE, Nov 2009, pp. 1–6, doi: 10.1109/GLO-
COM.2009.5 426 189.
[17] M. V. O. Assis, J. J. P. C. Rodrigues, and M. L. Proença Jr.,
“A seven-dimensional flow analysis to help autonomous network
management,” Information Sciences, vol. 278, pp. 900 – 913,
doi:10.1016/j.ins.2014.03.102, 2014.
[18] M. H. A. C. Adaniya, M. F. Lima, J. J. P. C. Rodrigues, T. Abrão,
and M. L. Proença Jr., “Anomaly detection using dsns and firefly
harmonic clustering algorithm,” in Communications (ICC), 2012
IEEE International Conference on, June 2012, pp. 1183–1187,
doi:10.1109/ICC.2012.6 364 088.
[19] P. Phaal, S. Panchen, and N. McKee, “InMon corporation s sFlow: A
method for monitoring traffic in switched and routed networks,” RFC
3176, Tech. Rep., 2001.
[20] L. F. Carvalho, A. M. Zacaron, M. H. A. da Costa Adaniya, and M. L.
Proença Jr., “Ant colony optimization for creating digital signature of
network segments using flow analysis,” in SCCC, 2012, pp. 171–180.
[21] L. F. Carvalho, J. J. P. C. Rodrigues, S. Barbon, and M. L. Proença Jr.,
“Using ant colony optimization metaheuristic and dynamic time
warping for anomaly detection,” in Software, Telecommunications and
Computer Networks (SoftCOM), 2013 21st International Conference
on, Sept 2013, pp. 1–5.
[22] M. Mitchell, An introduction to genetic algorithms. Cambridge, MA,
USA: MIT Press, 1998.
[23] P. J. Rousseeuw, “Silhouettes: A graphical aid to the interpretation and
validation of cluster analysis,” Journal of Computational and Applied
Mathematics, vol. 20, no. 0, pp. 53 – 65, 1987.
[24] K. Bansal, S. Vadhavkar, and A. Gupta, “Brief application description.
neural networks based forecasting techniques for inventory control
applications,” Data Min. Knowl. Discov., vol. 2, no. 1, pp. 97–102,
1998.