Time Series Forecasting Using Holt-Winters Model Applied to Anomaly Detection in Network Traffic

This work addresses the problem of anomaly detection in network traffic by means of statistical models based on exponential smoothing. We used the generalized Holt-Winters model to detect possible fluctuations in network traffic, i.e. accidental fluctuations, trend and seasonal variations. The model parameters were estimated by means of the Hyndman-Khandakar algorithm. We chose the optimal values of the model parameters on the basis of an information criterion (AIC), which expresses a compromise between the consistency of the model and the size of its estimation error. In the proposed method, automatic forecasts produced from the estimated traffic model are compared with the real variability of the analyzed network traffic in order to detect abnormal behavior. The results of the performed experiments confirm the efficiency of the proposed solution.
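
The forecast-versus-observation comparison described above, as an added example that is not code from the paper. It assumes the additive Holt-Winters form with fixed smoothing constants (the paper instead estimates parameters with the Hyndman-Khandakar algorithm and AIC); the `k` and `min_dev` alert threshold, the warm-up season and the sample series are also assumptions made for illustration.

```python
def hw_anomalies(series, period, alpha=0.3, beta=0.05, gamma=0.2, k=4.0, min_dev=5.0):
    """Return indices whose one-step-ahead additive Holt-Winters forecast error
    exceeds k * max(smoothed |error|, min_dev). All parameters are assumed values."""
    if len(series) < 2 * period:
        raise ValueError("need two full seasons to initialise the model")
    first, second = series[:period], series[period:2 * period]
    level = sum(first) / period                          # mean of season 1
    trend = (sum(second) - sum(first)) / period ** 2     # per-step drift
    season = [x - level for x in first]                  # seasonal offsets
    dev, flagged = 0.0, []
    for t in range(period, len(series)):
        i = t % period
        err = series[t] - (level + trend + season[i])    # observed - forecast
        # Season 2 is warm-up: the model is updated but nothing is flagged.
        if t >= 2 * period and abs(err) > k * max(dev, min_dev):
            flagged.append(t)
            level += trend   # use the forecast as the observation so the
            continue         # anomaly does not contaminate the baseline
        prev = level
        level = alpha * (series[t] - season[i]) + (1 - alpha) * (level + trend)
        trend = beta * (level - prev) + (1 - beta) * trend
        season[i] = gamma * (series[t] - level) + (1 - gamma) * season[i]
        dev = gamma * abs(err) + (1 - gamma) * dev       # smoothed |error|
    return flagged


def constructed_traffic(period=24, seasons=8, inject=True):
    """Constructed sample: hourly packets/s with a daily shape and small jitter."""
    data = [100 + 5 * (12 - abs(12 - t % period)) + (t % 7) % 3 - 1
            for t in range(period * seasons)]
    if inject:
        for t in (100, 101, 102):
            data[t] += 200       # constructed flood-like burst
        data[150] = 0            # constructed outage
    return data


if __name__ == "__main__":
    print(hw_anomalies(constructed_traffic(), period=24))
```

Freezing the model state on flagged points keeps a sustained burst from being absorbed into the seasonal baseline, at the cost of never adapting to a legitimate permanent shift in traffic.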
