Adaptive Traffic Modelling for Network Anomaly Detection

With the rapid expansion of computer networks, security has become a crucial issue, whether for small home networks or for large corporate intranets. A standard way to detect illegitimate use of a network is traffic monitoring. Consistent modelling of typical network activity can help separate normal use of the network from intruder activity or unusual user activity. In this work an adaptive traffic modelling and estimation method for detecting unusual network activity, network anomalies or intrusions is presented. The proposed method uses simple and widely collected sets of traffic data, such as bandwidth utilization. The advantage of the method is that it builds the traffic patterns from data that are easily obtained by polling a network node's MIB. The method was tested using real traffic data from various network segments in our university campus. It performed equally well offline and in real time, running in a fraction of the smallest sampling interval set by the network monitoring programs. The implemented adaptive multi-model partitioning algorithm successfully identified all typical or unusual activities contained in the test datasets.
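The kind of detector the abstract describes, as an added example that is not the paper's own code: a bank of AR(p) models of polled bandwidth utilisation, combined by posterior weights in the multi-model partitioning style, with a flag raised when a sample departs from the weighted one-step prediction. The recursive least-squares estimator, the candidate orders, the thresholds and the utilisation series are all constructed assumptions, not values from the paper.

```python
import math

def rls_update(theta, P, x, y, lam=0.98):
    """One recursive least-squares step for AR coefficients theta (forgetting factor lam)."""
    n = len(x)
    Px = [sum(P[i][j] * x[j] for j in range(n)) for i in range(n)]
    gain = [v / (lam + sum(x[i] * Px[i] for i in range(n))) for v in Px]
    err = y - sum(t * v for t, v in zip(theta, x))
    theta = [t + g * err for t, g in zip(theta, gain)]
    P = [[(P[i][j] - gain[i] * Px[j]) / lam for j in range(n)] for i in range(n)]
    return theta, P

class MMPDetector:
    def __init__(self, orders=(1, 2, 3), warmup=12, threshold=4.0, min_sigma=1.0):
        self.orders, self.warmup, self.threshold, self.min_sigma = orders, warmup, threshold, min_sigma
        self.theta = {p: [1.0 / p] * p for p in orders}   # persistence prior: mean of the last p samples
        self.P = {p: [[100.0 * (i == j) for j in range(p)] for i in range(p)] for p in orders}
        self.var = {p: 1.0 for p in orders}                # running innovation variance per model
        self.logpost = {p: 0.0 for p in orders}            # unnormalised log posterior per model
        self.hist = []                                     # accepted samples (outliers replaced by prediction)

    def step(self, y):
        """Feed one utilisation sample; return (one-step prediction, anomaly flag)."""
        if len(self.hist) < max(self.orders):              # not enough lags to predict yet
            self.hist.append(y)
            return y, False
        w = {p: math.exp(v) for p, v in self.logpost.items()}
        post = {p: v / sum(w.values()) for p, v in w.items()}
        yhat = {p: sum(t * v for t, v in zip(self.theta[p], self.hist[-p:][::-1])) for p in self.orders}
        pred = sum(post[p] * yhat[p] for p in self.orders)
        sigma = max(math.sqrt(sum(post[p] * self.var[p] for p in self.orders)), self.min_sigma)
        if len(self.hist) >= self.warmup and abs(y - pred) > self.threshold * sigma:
            self.hist.append(pred)                         # keep the outlier out of the model state
            return pred, True
        for p in self.orders:                              # partitioning update: every model absorbs y
            e = y - yhat[p]
            self.logpost[p] -= 0.5 * (e * e / self.var[p] + math.log(self.var[p]))
            self.var[p] = 0.9 * self.var[p] + 0.1 * e * e
            self.theta[p], self.P[p] = rls_update(self.theta[p], self.P[p], self.hist[-p:][::-1], y)
        m = max(self.logpost.values())
        self.logpost = {p: max(v - m, -20.0) for p, v in self.logpost.items()}  # floor keeps models alive
        self.hist.append(y)
        return pred, False

def constructed_utilisation(n=60, spike_at=40):  # constructed: ~40% with a small wobble and one spike
    return [95.0 if i == spike_at else 40.0 + ((i * 7) % 5 - 2) * 0.4 for i in range(n)]

def flagged_indices(samples):
    det = MMPDetector()
    return [i for i, y in enumerate(samples) if det.step(y)[1]]
```

Because a flagged sample is replaced by the prediction rather than absorbed, an isolated spike is reported once while the model state stays clean; a sustained level shift would keep being flagged until an operator or a run-length rule accepts the new level.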
