{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,8]],"date-time":"2025-09-08T06:38:23Z","timestamp":1757313503639,"version":"3.37.3"},"reference-count":41,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2018,4,28]],"date-time":"2018-04-28T00:00:00Z","timestamp":1524873600000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Computing"],"published-print":{"date-parts":[[2019,4]]},"DOI":"10.1007\/s00607-018-0619-4","type":"journal-article","created":{"date-parts":[[2018,4,28]],"date-time":"2018-04-28T05:00:47Z","timestamp":1524891647000},"page":"339-361","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["Multivariate network traffic analysis using clustered patterns"],"prefix":"10.1007","volume":"101","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9835-1866","authenticated-orcid":false,"given":"Jinoh","family":"Kim","sequence":"first","affiliation":[]},{"given":"Alex","family":"Sim","sequence":"additional","affiliation":[]},{"given":"Brian","family":"Tierney","sequence":"additional","affiliation":[]},{"given":"Sang","family":"Suh","sequence":"additional","affiliation":[]},{"given":"Ikkyun","family":"Kim","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,4,28]]},"reference":[{"key":"619_CR1","unstructured":"Cisco white paper: Cisco vni forecast and methodology, 2015\u20132020. \n                    http:\/\/www.cisco.com\/c\/dam\/en\/us\/solutions\/collateral\/service-provider\/visual-networking-index-vni\/complete-white-paper-c11-481360.pdf"},{"key":"619_CR2","doi-asserted-by":"crossref","unstructured":"Cho K, Fukuda K, Esaki H, Kato A (2008) Observing slow crustal movement in residential user traffic. In: Proceedings of the 2008 ACM conference on emerging network experiment and technology, CoNEXT 2008, Madrid, Spain, December 9\u201312, p\u00a012","DOI":"10.1145\/1544012.1544024"},{"issue":"4","key":"619_CR3","doi-asserted-by":"publisher","first-page":"70","DOI":"10.1145\/2927964.2927977","volume":"43","author":"D Tong","year":"2016","unstructured":"Tong D, Prasanna V (2016) High throughput sketch based online heavy hitter detection on FPGA. ACM SIGARCH Comput Archit News 43(4):70\u201375","journal-title":"ACM SIGARCH Comput Archit News"},{"key":"619_CR4","unstructured":"Yu M, Jose L, Miao R (2013) Software defined traffic measurement with opensketch. In: Proceedings of the 10th USENIX conference on networked systems design and implementation, NSDI\u201913, pp 29\u201342"},{"key":"619_CR5","doi-asserted-by":"crossref","unstructured":"Liu Z, Manousis A, Vorsanger G, Sekar V, Braverman V (2016) One sketch to rule them all: Rethinking network flow monitoring with univmon. In: Proceedings of the 2016 conference on ACM SIGCOMM 2016 conference, Florianopolis, Brazil, August 22\u201326, pp 101\u2013114","DOI":"10.1145\/2934872.2934906"},{"issue":"2","key":"619_CR6","doi-asserted-by":"publisher","first-page":"567","DOI":"10.1016\/j.jnca.2012.12.020","volume":"36","author":"B Li","year":"2013","unstructured":"Li B, Springer J, Bebis G, Gunes MH (2013) Review: a survey of network flow applications. J Netw Comput Appl 36(2):567\u2013581","journal-title":"J Netw Comput Appl"},{"key":"619_CR7","doi-asserted-by":"crossref","unstructured":"Krishnamurthy B, Sen S, Zhang Y, Chen Y (2003) Sketch-based change detection: methods, evaluation, and applications. In: Proceedings of the 3rd ACM SIGCOMM conference on internet measurement, IMC \u201903, pp 234\u2013247","DOI":"10.1145\/948205.948236"},{"key":"619_CR8","unstructured":"Choi J, Hu K, Sim A (2013) Relational dynamic bayesian networks with locally exchangeable measures. LBNL Technical Report, LBNL-6341E"},{"key":"619_CR9","unstructured":"Portnoy L, Eskin E, Stolfo S (2001) Intrusion detection with unlabeled data using clustering. In: Proceedings of ACM CSS workshop on data mining applied to security (DMSA), pp 5\u20138"},{"issue":"4","key":"619_CR10","doi-asserted-by":"publisher","first-page":"507","DOI":"10.1007\/s00778-006-0002-5","volume":"16","author":"L Khan","year":"2007","unstructured":"Khan L, Awad M, Thuraisingham B (2007) A new intrusion detection system using support vector machines and hierarchical clustering. VLDB J 16(4):507\u2013521","journal-title":"VLDB J"},{"key":"619_CR11","unstructured":"Leung K, Leckie C (2005) Unsupervised anomaly detection in network intrusion detection using clusters. In: Proceedings of the twenty-eighth Australasian conference on computer science, vol 38, ACSC \u201905, pp 333\u2013342"},{"issue":"1\u20132","key":"619_CR12","doi-asserted-by":"publisher","first-page":"18","DOI":"10.1016\/j.cose.2008.08.003","volume":"28","author":"P Garcia-Teodoro","year":"2009","unstructured":"Garcia-Teodoro P, D\u00edaz-Verdejo JE, Maci\u00e1-Fern\u00e1ndez G, V\u00e1zquez E (2009) Anomaly-based network intrusion detection: techniques, systems and challenges. Comput Secur 28(1\u20132):18\u201328","journal-title":"Comput Secur"},{"key":"619_CR13","doi-asserted-by":"crossref","unstructured":"Dusi M, Este A, Gringoli F, Salgarelli L (2009) Using GMM and SVM-based techniques for the classification of SSH-encrypted traffic. In: Proceedings of IEEE international conference on communications, ICC, pp 1\u20136","DOI":"10.1109\/ICC.2009.5199557"},{"key":"619_CR14","unstructured":"KDD Cup 1999 Data. \n                    http:\/\/kdd.ics.uci.edu\/databases\/kddcup99\/kddcup99.html"},{"key":"619_CR15","unstructured":"ESnet. \n                    https:\/\/www.es.net\/"},{"key":"619_CR16","doi-asserted-by":"crossref","unstructured":"Iliofotou M, Pappu P, Faloutsos M, Mitzenmacher M, Singh S, Varghese G (2007) Network monitoring using traffic dispersion graphs (TDGS), IMC \u201907, pp 315\u2013320","DOI":"10.1145\/1298306.1298349"},{"issue":"4","key":"619_CR17","doi-asserted-by":"publisher","first-page":"229","DOI":"10.1145\/1090191.1080119","volume":"35","author":"T Karagiannis","year":"2005","unstructured":"Karagiannis T, Papagiannaki K, Faloutsos M (2005) Blinc: multilevel traffic classification in the dark. SIGCOMM Comput Commun Rev 35(4):229\u2013240","journal-title":"SIGCOMM Comput Commun Rev"},{"issue":"1","key":"619_CR18","doi-asserted-by":"publisher","first-page":"22","DOI":"10.1145\/1925861.1925865","volume":"41","author":"S Lee","year":"2011","unstructured":"Lee S, Kim H, Barman D, Lee S, Kim C, Kwon T, Choi Y (2011) Netramark: a network traffic classification benchmark. SIGCOMM Comput Commun Rev 41(1):22\u201330","journal-title":"SIGCOMM Comput Commun Rev"},{"key":"619_CR19","doi-asserted-by":"crossref","unstructured":"Zhang H, Sun M, Yao DD, North C (2015) Visualizing traffic causality for analyzing network anomalies. In: Proceedings of the 2015 ACM international workshop on international workshop on security and privacy analytics, IWSPA \u201915, New York, NY, USA, pp 37\u201342. ACM","DOI":"10.1145\/2713579.2713583"},{"key":"619_CR20","doi-asserted-by":"crossref","unstructured":"Sivaraman V, Narayana S, Rottenstreich O, Muthukrishnan S, Rexford J (2017) Heavy-hitter detection entirely in the data plane. In: Proceedings of the symposium on SDN research, SOSR \u201917, New York, NY, USA, pp 164\u2013176. ACM","DOI":"10.1145\/3050220.3063772"},{"key":"619_CR21","doi-asserted-by":"crossref","unstructured":"Das S, Antony S, Agrawal D, Abbadi AE (2009) Cots: a scalable framework for parallelizing frequency counting over data streams. In: IEEE international conference on data engineering (ICDE), pp 1323\u20131326","DOI":"10.1109\/ICDE.2009.231"},{"key":"619_CR22","doi-asserted-by":"crossref","unstructured":"Guha S, Koudas N, Shim K (2001) Data-streams and histograms. In: ACM symposium on theory of computing, pp 471\u2013475","DOI":"10.1145\/380752.380841"},{"key":"619_CR23","doi-asserted-by":"crossref","unstructured":"Datar M, Gionis A, Indyk P, Motwani R (2002) Maintaining stream statistics over sliding windows. In: ACM-SIAM symposium on discrete algorithms, pp 635\u2013644","DOI":"10.1137\/S0097539701398363"},{"key":"619_CR24","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9780511814075","volume-title":"Randomized algorithms","author":"R Motwani","year":"1995","unstructured":"Motwani R, Raghavan P (1995) Randomized algorithms. Cambridge University Press, Cambridge"},{"key":"619_CR25","unstructured":"Manku GS, Motwani R (2002) Approximate frequency counts over data streams. In: VLDB, pp 346\u2013357"},{"key":"619_CR26","first-page":"261","volume":"31","author":"S Papadimitriou","year":"2007","unstructured":"Papadimitriou S, Sun J, Faloutsos C (2007) Dimensionality reduction and forecasting on streams. Data Streams Models Algorithms 31:261\u2013288","journal-title":"Data Streams Models Algorithms"},{"key":"619_CR27","doi-asserted-by":"crossref","unstructured":"Baek S, Kwon D, Kim J, Suh SC, Kim H, Kim I (2017) Unsupervised labeling for supervised anomaly detection in enterprise and cloud networks. In: 4th IEEE international conference on cyber security and cloud computing, CSCloud 2017, New York, NY, USA, June 26\u201328, pp 205\u2013210","DOI":"10.1109\/CSCloud.2017.26"},{"issue":"C","key":"619_CR28","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.jnca.2015.11.024","volume":"64","author":"G Fernandes","year":"2016","unstructured":"Fernandes G, Carvalho LF, Rodrigues JJPC, Proen\u00e7a ML (2016) Network anomaly detection using ip flows with principal component analysis and ant colony optimization. J Netw Comput Appl 64(C):1\u201311","journal-title":"J Netw Comput Appl"},{"key":"619_CR29","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1016\/j.jnca.2015.11.016","volume":"60","author":"M Ahmed","year":"2016","unstructured":"Ahmed M, Mahmood AN, Hu J (2016) A survey of network anomaly detection techniques. J Netw Comput Appl 60:19\u201331","journal-title":"J Netw Comput Appl"},{"issue":"5","key":"619_CR30","doi-asserted-by":"publisher","first-page":"1732","DOI":"10.1016\/j.jnca.2011.06.006","volume":"34","author":"T Qin","year":"2011","unstructured":"Qin T, Guan X, Li W, Wang P, Huang Q (2011) Monitoring abnormal network traffic based on blind source separation approach. J Netw Comput Appl 34(5):1732\u20131742","journal-title":"J Netw Comput Appl"},{"key":"619_CR31","doi-asserted-by":"crossref","unstructured":"Li B, Liu P, Lin L (2016) A cluster-based intrusion detection framework for monitoring the traffic of cloud environments. In: 3rd IEEE international conference on cyber security and cloud computing, CSCloud 2016, Beijing, China, June 25\u201327, pp 42\u201345","DOI":"10.1109\/CSCloud.2016.43"},{"key":"619_CR32","doi-asserted-by":"crossref","unstructured":"Papalexakis EE, Beutel A, Steenkiste P (2012) Network anomaly detection using co-clustering. In: Proceedings of the 2012 international conference on advances in social networks analysis and mining (ASONAM 2012), ASONAM \u201912, pp 403\u2013410","DOI":"10.1109\/ASONAM.2012.72"},{"key":"619_CR33","unstructured":"Jin L, Lee D, Sim A, Borgeson S, Wu K, Spurlock CA, Todd A (2017) Comparison of clustering techniques for residential energy behavior using smart meter data. In: AAAI workshops\u2014artificial intelligence for smart grids and buildings, March 2017, San Francisco, CA"},{"issue":"7","key":"619_CR34","doi-asserted-by":"publisher","first-page":"622","DOI":"10.14778\/2180912.2180915","volume":"5","author":"B Bahmani","year":"2012","unstructured":"Bahmani B, Moseley B, Vattani A, Kumar R, Vassilvitskii S (2012) Scalable k-means++. Proc VLDB Endow 5(7):622\u2013633","journal-title":"Proc VLDB Endow"},{"issue":"5","key":"619_CR35","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1145\/1629607.1629610","volume":"39","author":"F Rgringoli","year":"2009","unstructured":"Rgringoli F, Salgarelli L, Dusa M, Cascarano N, Risso F, Claffy K (2009) Gt: picking up the truth from the ground for internet traffic. ACM SIGCOMM Comput Commun Rev 39(5):12\u201318","journal-title":"ACM SIGCOMM Comput Commun Rev"},{"key":"619_CR36","unstructured":"Kolmogorov-Smirnov Goodness-of-Fit Test. \n                    http:\/\/www.itl.nist.gov\/div898\/handbook\/eda\/section3\/eda35g.htm"},{"key":"619_CR37","doi-asserted-by":"publisher","first-page":"251","DOI":"10.1016\/S0167-7152(97)00020-5","volume":"35","author":"A Justel","year":"1997","unstructured":"Justel A, Pena D, Zamar R (1997) A multivariate Kolmogorov\u2013Smirnov test of goodness of fit. Stat Probab Lett 35:251\u2013259","journal-title":"Stat Probab Lett"},{"issue":"2","key":"619_CR38","doi-asserted-by":"publisher","first-page":"497","DOI":"10.1080\/10485252.2011.650169","volume":"24","author":"TJ O\u2019Neilla","year":"2012","unstructured":"O\u2019Neilla TJ, Sterna SE (2012) Finite population corrections for the Kolmogorov\u2013Smirnov tests. J Nonparametr Stat 24(2):497\u2013504","journal-title":"J Nonparametr Stat"},{"key":"619_CR39","unstructured":"Mills-Tettey GA, Stentz A, Dias SMB (2007) The dynamic hungarian algorithm for the assignment problem with changing costs. Technical report, Carnegie Mellon University, East Lansing, Michigan"},{"key":"619_CR40","doi-asserted-by":"crossref","unstructured":"Dart E, Rotman L, Tierney B, Hester M, Zurawski J (2013) The science dmz: a network design pattern for data-intensive science. In: Proceedings of the international conference on high performance computing, networking, storage and analysis, SC \u201913, pp 85:1\u201385:10","DOI":"10.1145\/2503210.2503245"},{"issue":"1","key":"619_CR41","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/S1389-1286(04)00201-4","volume":"47","author":"M Mellia","year":"2005","unstructured":"Mellia M, Cigno RL, Neri F (2005) Measuring IP and TCP behavior on edge nodes with tstat. Comput Netw 47(1):1\u201321","journal-title":"Comput Netw"}],"container-title":["Computing"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00607-018-0619-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00607-018-0619-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00607-018-0619-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,4,27]],"date-time":"2019-04-27T19:12:18Z","timestamp":1556392338000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00607-018-0619-4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,4,28]]},"references-count":41,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2019,4]]}},"alternative-id":["619"],"URL":"https:\/\/doi.org\/10.1007\/s00607-018-0619-4","relation":{},"ISSN":["0010-485X","1436-5057"],"issn-type":[{"type":"print","value":"0010-485X"},{"type":"electronic","value":"1436-5057"}],"subject":[],"published":{"date-parts":[[2018,4,28]]},"assertion":[{"value":"29 May 2017","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 April 2018","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"28 April 2018","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}