Chiera, B.; Kraetzl, M.; Roughan, M.; White, L.

2008-05-23
2007

Australian Communication Theory Workshop Proceedings 2007 / pp.116-121
1424407419
http://hdl.handle.net/2440/44790

In this paper we use a particular type of mutual information norm, the cepstral information norm, for anomaly detection at the router level in the Internet. We combine the cepstral norm with a state space Kalman filter to define two distance metrics to capture anomalous behaviour. These metrics are implemented using a subspace-based model-free paradigm to aid real-time analysis. We infer a top level Internet topology using Border Gateway Protocol router updates and characterise the structural evolution of the network using a selection of graph metrics. Analysis over one week of non time-homogeneous updates, which includes the SQL Slammer worm event, shows the combined use of the two cepstral distance metrics detects the occurrence and severity of anomalous network events.

en
© 2007 The Pennsylvania State University

Cepstral information norm; mutual information; Kalman filter; subspace-based model-free; anomaly detection

Use of a cepstral information norm for anomaly detection in a BGP-inferred Internet
Conference paper

0020075313
2-s2.0-84892603228
45818

Roughan, M. [0000-0002-7882-7329]
White, L. [0000-0001-6660-0517]