The best answer I can think of, and it will require some input from you in order to work with the data, is nethogs!
Install nethogs (should be in repo).
And it will work like this:
nethogs
nethogs eth1
nethogs [option] eth0 eth1
nethogs [option] eth0 eth1 ppp0
sudo /usr/sbin/nethogs eth0
You will end up with something like this:
With this you will be able to identify the procID which is using the most upload and download.
You can also identify all of the NICs and see them listed as one with identifying network controller:
The next step is where I'm not sure... You might need to create some parser of the info, set up a cron and feed it into your abnormal traffic analyzer.
Sorry it's not a complete solution but it's the only idea I have right now!
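One way the parser step mentioned above could look, as an added example that is not part of the original answer: it reads the text that nethogs prints in trace mode (`nethogs -t`) and averages the per-process rates so they can be fed to an analyzer alongside the PID. The line layout `program/pid/uid<TAB>sent<TAB>received`, the sample data and the function names `parse_trace` and `mean_rates` are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample of `nethogs -t` (trace mode) output; the layout
# "program/pid/uid<TAB>sent<TAB>received" per line is an assumption.
SAMPLE = (
    "Refreshing:\n"
    "/usr/bin/wget/4312/1000\t1.2\t850.4\n"
    "/usr/sbin/sshd/977/0\t0.3\t0.1\n"
    "unknown TCP/0/0\t0\t0\n"
    "\n"
    "Refreshing:\n"
    "/usr/bin/wget/4312/1000\t1.5\t910.0\n"
    "/usr/sbin/sshd/977/0\t0.2\t0.2\n"
)

def parse_trace(text):
    """Return one list of per-process records for each refresh block."""
    snapshots = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Refreshing:"):
            snapshots.append([])
            continue
        parts = line.split("\t")
        if not snapshots or len(parts) != 3:
            continue  # banner, blank line or anything unexpected
        try:
            # The program path itself contains '/', so split from the right.
            program, pid, uid = parts[0].rsplit("/", 2)
            rec = {"program": program, "pid": int(pid), "uid": int(uid),
                   "sent": float(parts[1]), "recv": float(parts[2])}
        except ValueError:
            continue  # malformed numeric field: skip rather than crash the cron job
        snapshots[-1].append(rec)
    return snapshots

def mean_rates(snapshots):
    """Average sent/received rate per (pid, program), busiest process first."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for snap in snapshots:
        for r in snap:
            totals[(r["pid"], r["program"])][0] += r["sent"]
            totals[(r["pid"], r["program"])][1] += r["recv"]
    n = len(snapshots) or 1
    rows = [(pid, prog, s / n, rcv / n) for (pid, prog), (s, rcv) in totals.items()]
    return sorted(rows, key=lambda row: row[2] + row[3], reverse=True)

if __name__ == "__main__":
    for pid, prog, sent, recv in mean_rates(parse_trace(SAMPLE)):
        print(f"{pid}\t{prog}\tsent={sent:.2f}\trecv={recv:.2f}")
```
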
http://askubuntu.com/questions/257263/how-to-display-network-traffic-in-terminal try this might help – Premkumar – 2014-10-15T06:20:03.123
Can you show us some of how you have approached it? – Pogrindis – 2014-10-15T07:23:58.933
@Pogrindis: I've used the knn algorithm for data that contains 3 parameters: cpu, (network traffic) transmitted bytes and received bytes – Mjina – 2014-10-15T08:00:59.067
@Mjina and what is your definition of abnormal traffic? Could you identify the procID runtime of the download / upload process? – Pogrindis – 2014-10-15T08:03:09.617
@Pogrindis: I use knn as a machine learning method, so it will be trained with normal data and abnormal data, and then is expected to detect abnormal. The problem is that download and upload are sometimes so fast that they resemble an attack like DoS, which raises the traffic rates. Your second question is just what I'm looking for: how to identify the process which is downloading/uploading?! – Mjina – 2014-10-15T08:11:52.140