Network traffic self similarity measurements using classifier based Hurst parameter estimation

Network traffic has been shown on numerous occasions to be self-similar under normal conditions. This self-similar property is, however, lost during anomalous conditions such as device failure, congestion and malicious intrusions, so the loss of self-similarity can be used to detect such events. The Hurst parameter (H) is the most widely accepted parameter for determining self-similarity, but an accurate estimate is expensive in both data and computation. This paper discusses the potential of using efficient classifier and soft computing based approaches for determining self-similarity. Traffic data is obtained for various user activities, from genuine browsing to malicious attacks, and is then analysed for self-similarity. The logarithmic normalized histogram of the packet interarrival time is used to obtain a feature set for classification, and various techniques are used to analyse and reduce the feature set. Classification is done using Naive Bayes classifiers and Support Vector Machines (SVM). Artificial Neural Networks (ANN) are also used to estimate the Hurst parameter using function approximation. The results show that classifiers can detect non-self-similar behaviour with a very high accuracy of up to 100%.
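
The two quantities the abstract works with can be sketched as follows. This is an added example, not code from the paper: the function names, the bin count and range of the histogram, and the choice of the aggregated-variance method as the Hurst estimator are all assumptions, and the classifier stage is not shown.

```python
import math
import random
from statistics import fmean

def log_histogram_features(gaps, bins=12, lo=1e-6, hi=10.0):
    """Normalized histogram of log10(interarrival time); out-of-range gaps are clamped."""
    log_lo = math.log10(lo)
    width = (math.log10(hi) - log_lo) / bins  # bins, lo, hi are assumed values
    counts = [0] * bins
    for dt in gaps:
        if dt > 0:  # simultaneous timestamps have no logarithm; skip them
            idx = int((math.log10(dt) - log_lo) / width)
            counts[min(max(idx, 0), bins - 1)] += 1
    total = sum(counts)
    return [c / total for c in counts] if total else [0.0] * bins

def packets_per_interval(gaps, interval):
    """Convert interarrival times into a packet-count series over fixed time bins."""
    counts, t = [], 0.0
    for dt in gaps:
        t += dt
        idx = int(t / interval)
        if idx >= len(counts):
            counts.extend([0] * (idx + 1 - len(counts)))
        counts[idx] += 1
    return counts

def hurst_aggregated_variance(series, block_sizes=(1, 2, 4, 8, 16, 32, 64)):
    """Estimate H from the slope of log Var(block mean) versus log block size."""
    xs, ys = [], []
    for m in block_sizes:
        means = [fmean(series[i:i + m]) for i in range(0, len(series) - m + 1, m)]
        if len(means) < 2:
            continue
        mu = fmean(means)
        var = fmean((v - mu) ** 2 for v in means)
        if var > 0:
            xs.append(math.log10(m))
            ys.append(math.log10(var))
    if len(xs) < 2:
        raise ValueError("series too short or constant")
    mx, my = fmean(xs), fmean(ys)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return 1 + slope / 2  # Var(block mean) scales as m^(2H - 2)

if __name__ == "__main__":
    rng = random.Random(7)  # constructed sample: Poisson arrivals at 1000 packets/s
    gaps = [rng.expovariate(1000.0) for _ in range(100_000)]
    print("features:", [round(f, 3) for f in log_histogram_features(gaps)])
    print("H estimate:", round(hurst_aggregated_variance(packets_per_interval(gaps, 0.01)), 3))
```

The histogram needs one pass over the interarrival times, while the estimator needs a long count series and a regression over several aggregation levels, which is the cost difference the abstract points to.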
