A Novel Network Traffic Anomaly Detection Model Based on Superstatistics Theory

As networks grow in size and scale, their structure becomes increasingly complex. Interactions among heterogeneous network equipment, topology configurations, transmission protocols, and cooperation and competition among users mean that network traffic, driven by several factors at once, exhibits non-stationary and complicated behavior. Because of this non-stationarity, conventional stationary models do not analyze such traffic well. This paper discusses a new detection method for non-stationary network traffic based on superstatistics theory. According to superstatistics, a complex dynamic system can show large fluctuations of its intensive quantities on long time scales, which makes the system appear non-stationary; this is also a characteristic of network traffic. This idea yields a method for partitioning a non-stationary traffic time series into short, locally stationary segments, each of which can be modeled by a discrete Generalized Pareto (GP) distribution. Different segments follow GP distributions with different parameters, which are called slow parameters. We use the slow parameters of the segments as the key descriptors of the system's network characteristics and analyze the slow-parameter sequence with time-series methods to detect network anomalies. Experimental results indicate that the method is effective.
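The pipeline the abstract describes (slice the non-stationary series into short windows, fit a GP model to each window, then run anomaly detection on the per-window "slow parameters") is sketched below as an added example; it is not code from the paper. It assumes fixed-length windows, a continuous GP fitted by the method of moments rather than the paper's discrete GP model, and a robust median/MAD z-score over a baseline of the first windows as the time-series detector; the traffic series is synthetic, generated from a GP with a ten-fold larger scale in two windows to mimic a flood.

```python
"""Superstatistics-style anomaly detection on a traffic time series.

Pipeline: slice the non-stationary series into windows assumed locally
stationary, fit a generalized Pareto (GP) model to each window, and treat
the per-window GP parameters (the "slow parameters") as a new time series
on which anomalies are detected.

Assumptions here (not from the paper): continuous GP fitted by the method
of moments, fixed-length windows, and a robust z-score (median/MAD) on the
slow parameters. The sample traffic is synthetic and constructed below.
"""
import math
import random
from statistics import median


def fit_gp_mom(sample):
    """Method-of-moments fit of GP(xi, sigma) with threshold 0.

    Uses E[X] = sigma/(1-xi) and Var[X] = sigma^2/((1-xi)^2 (1-2xi)),
    valid for xi < 1/2. Population variance is used. Returns (xi, sigma).
    """
    n = len(sample)
    if n < 2:
        raise ValueError("need at least two observations")
    mean = sum(sample) / n
    var = sum((x - mean) ** 2 for x in sample) / n
    if mean <= 0 or var <= 0:
        raise ValueError("sample must be positive with non-zero spread")
    ratio = mean * mean / var          # equals 1 - 2*xi for a GP
    xi = 0.5 * (1.0 - ratio)
    sigma = 0.5 * mean * (1.0 + ratio)  # = mean * (1 - xi)
    return xi, sigma


def slow_parameters(series, window):
    """Fit a GP to each consecutive full window; one (xi, sigma) per window."""
    return [fit_gp_mom(series[i:i + window])
            for i in range(0, len(series) - window + 1, window)]


def detect_anomalies(params, baseline, k=5.0, eps=1e-9):
    """Flag windows whose xi or sigma is more than k MADs away from the
    median of the first `baseline` windows (robust z-score on each
    slow parameter). Returns the list of flagged window indices."""
    scores = []
    for idx in range(2):                      # 0 -> xi, 1 -> sigma
        ref = [p[idx] for p in params[:baseline]]
        med = median(ref)
        mad = max(median(abs(v - med) for v in ref), eps)
        scores.append([(p[idx] - med) / mad for p in params])
    return [i for i in range(len(params))
            if abs(scores[0][i]) > k or abs(scores[1][i]) > k]


def gp_sample(xi, sigma, n, rng):
    """Inverse-CDF GP sampling, rounded to integer per-interval counts."""
    out = []
    for _ in range(n):
        u = rng.random()                      # in [0, 1), so 1-u > 0
        if abs(xi) < 1e-12:
            x = -sigma * math.log(1.0 - u)
        else:
            x = sigma / xi * ((1.0 - u) ** (-xi) - 1.0)
        out.append(round(x))
    return out


def synthetic_traffic(n_windows, window, anomalous, seed=7):
    """Constructed traffic: GP(xi=0.1, sigma=2) per window, with sigma
    raised to 20 in the windows listed in `anomalous` (a flood-like burst)."""
    rng = random.Random(seed)
    series = []
    for w in range(n_windows):
        sigma = 20.0 if w in anomalous else 2.0
        series.extend(gp_sample(0.1, sigma, window, rng))
    return series


if __name__ == "__main__":
    traffic = synthetic_traffic(20, 1000, anomalous={10, 15})
    params = slow_parameters(traffic, 1000)
    for i, (xi, sigma) in enumerate(params):
        print(f"window {i:2d}: xi={xi:+.3f}  sigma={sigma:.2f}")
    print("anomalous windows:", detect_anomalies(params, baseline=8))
```

The method-of-moments fit is only valid for xi < 1/2 (finite variance); for heavier tails a probability-weighted-moments or maximum-likelihood fit should replace `fit_gp_mom`, and the baseline should be chosen from traffic known to be clean, since a contaminated baseline inflates the MAD and hides later bursts.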
