
Applying particle filter and path-stack methods to detecting anomalies in network traffic volume

Posted on: 2005-08-09
Degree: Ph.D
Type: Thesis
University: Carnegie Mellon University
Candidate: Dunn, Michelle Christine
Full Text: PDF
GTID: 2458390008992542
Subject: Statistics
Abstract/Summary:
This thesis models web traffic volume as the sum of baseline and anomalous traffic, where inclusion of anomalous traffic depends on a hidden volume state. The purpose is to draw inference about the hidden volume states in real time.

Two methods are described for drawing inference on the hidden volume states for single-router data. The first, the Path-Stack Method, directly updates priors. The second method uses a particle filter. The Path-Stack Method uses two approximations. The first approximation is in the updating of the anomalous portion of the model. The second approximation is in the calculation of the probability of a sequence of hidden volume states. An extension of the theory used in the first approximation is presented.

Both the Path-Stack Method and the particle filter run in real time; the Path-Stack Method is the less computationally intensive of the two. When modelling traffic volume data from a single router, the particle filter results in a better fit than the Path-Stack Method when using the goodness-of-fit measures defined in this thesis. When comparing each of the methods to a week of expert-identified anomalies, the Path-Stack Method finds more of the anomalies but does so at the expense of many false positives.

A particle filter is also used to draw inference on the hidden volume states in the multiple-router case. Because more routers lead to more parameters, the particle filter needs more particles to approximate the parameter space. Variants of the particle filter designed to approximate the parameter space more efficiently are discussed. An auxiliary filter is implemented and does not produce a better fit than a particle filter using the same amount of computation. Using easily accessible and affordable computers, up to four routers are modelled.
Keywords/Search Tags: Particle filter, Volume, Path-stack method, Traffic, Anomalies