Network traffic anomaly detection based on catastrophe theory

Although various methods have been proposed to detect anomalies, most of them are based on traditional statistical physics. These methods rest on the stationarity hypothesis of network traffic, which ignores the real catastrophe process that takes place when anomalies occur. In order to reflect the catastrophe process of abnormal network traffic, we present a non-stationary network traffic anomaly detection approach based on catastrophe theory. The cusp catastrophe model is selected to describe the catastrophe feature of the network traffic; the catastrophe distance is defined as an index that assesses the deviation from the normal catastrophe model, and the series of catastrophe distances is the main feature used to detect anomalies. We evaluate our approach on the 1999 intrusion evaluation data set of network traffic traces provided by the Defense Advanced Research Projects Agency (DARPA). Experimental results show that our approach can effectively detect network anomalies, achieving a high detection probability and a low false alarm rate.
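The abstract names the ingredients of the approach (a cusp catastrophe model of the traffic, a catastrophe distance measuring deviation from the normal model, and a threshold on the resulting distance series) but does not give the fitting procedure or the distance formula. The example below is added here and is not the paper's code: it uses the standard canonical cusp potential V(x; a, b) = x^4/4 + a x^2/2 + b x, estimates the control parameters (a, b) of each traffic window by a least-squares fit of assumed gradient dynamics, takes the Euclidean distance in (a, b) control space from the parameters fitted on attack-free traffic as the catastrophe distance, and raises an alarm when a window's distance exceeds three times the worst distance seen during training. The scaling of raw rates, the fitting method, the distance and the threshold rule are all assumptions, and the packets-per-second series is constructed inline, not DARPA data.

```python
import math
import random

# Canonical cusp potential (standard catastrophe-theory form, assumed here, not quoted from the paper):
#   V(x; a, b) = x^4/4 + a*x^2/2 + b*x
# Equilibria satisfy dV/dx = x^3 + a*x + b = 0; the bifurcation set is 4a^3 + 27b^2 = 0.


def cusp_gradient(x, a, b):
    """dV/dx of the canonical cusp potential."""
    return x ** 3 + a * x + b


def in_bimodal_region(a, b):
    """True inside the cusp (4a^3 + 27b^2 < 0): two stable states coexist, so a jump is possible."""
    return 4 * a ** 3 + 27 * b ** 2 < 0


def simulate_cusp(a, b, x0, steps):
    """Noise-free gradient dynamics x[t+1] = x[t] - dV/dx, used to check parameter recovery."""
    xs = [x0]
    for _ in range(steps):
        xs.append(xs[-1] - cusp_gradient(xs[-1], a, b))
    return xs


def fit_cusp_controls(series):
    """Estimate control parameters (a, b) from a scaled traffic series.

    Assumed model (not the paper's stated method): the state follows gradient dynamics
    x[t+1] - x[t] = -(x[t]^3 + a*x[t] + b) + noise, which rearranges to the linear model
    y[t] = a*x[t] + b with y[t] = -((x[t+1] - x[t]) + x[t]^3), solved by ordinary least squares.
    """
    xs = series[:-1]
    ys = [-((series[i + 1] - series[i]) + series[i] ** 3) for i in range(len(series) - 1)]
    n = len(xs)
    sx, sy = sum(xs), sum(ys)
    sxx = sum(x * x for x in xs)
    sxy = sum(x * y for x, y in zip(xs, ys))
    denom = n * sxx - sx * sx
    if abs(denom) < 1e-12:
        raise ValueError("degenerate window: every sample has the same value")
    a = (n * sxy - sx * sy) / denom
    b = (sy - a * sx) / n
    return a, b


def scale(series, mu, sigma):
    """Scale raw rates so normal traffic stays roughly within [-1, 1]; keeps the cubic term small."""
    return [(v - mu) / (3.0 * sigma) for v in series]


def catastrophe_distances(series, mu, sigma, window, ref):
    """Assumed catastrophe distance: per non-overlapping window, fit (a, b) and take the
    Euclidean distance in control space from the reference (normal) parameters ref."""
    z = scale(series, mu, sigma)
    out = []
    for start in range(0, len(z) - window + 1, window):
        a, b = fit_cusp_controls(z[start:start + window])
        out.append(math.hypot(a - ref[0], b - ref[1]))
    return out


def build_model(train, window):
    """Learn mu, sigma, the reference (a0, b0) and an alarm threshold from attack-free traffic."""
    mu = sum(train) / len(train)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in train) / len(train))
    ref = fit_cusp_controls(scale(train, mu, sigma))
    train_dists = catastrophe_distances(train, mu, sigma, window, ref)
    threshold = 3.0 * max(train_dists)  # assumed rule: three times the worst normal window
    return {"mu": mu, "sigma": sigma, "ref": ref, "threshold": threshold}


def detect(series, model, window):
    """Return the distance series and the indices of windows whose distance exceeds the threshold."""
    dists = catastrophe_distances(series, model["mu"], model["sigma"], window, model["ref"])
    return dists, [i for i, d in enumerate(dists) if d > model["threshold"]]


def make_traffic(rng, seconds, base=100.0, sd=10.0, attack_start=None, attack_rate=400.0):
    """Constructed packets-per-second series (synthetic, not DARPA data): Gaussian noise
    around a baseline rate, stepping to a flood level from attack_start onward."""
    series = []
    for t in range(seconds):
        level = attack_rate if attack_start is not None and t >= attack_start else base
        series.append(max(0.0, rng.gauss(level, sd)))
    return series


def run_demo(window=60):
    """Train on 600 s of normal traffic, then score 300 s in which a flood starts at t=210."""
    rng = random.Random(7)
    train = make_traffic(rng, 600)
    model = build_model(train, window)
    test = make_traffic(rng, 300, attack_start=210)
    return detect(test, model, window)


if __name__ == "__main__":
    dists, flagged = run_demo()
    for i, d in enumerate(dists):
        print(f"window {i}: catastrophe distance = {d:9.3f}{'  ALARM' if i in flagged else ''}")
```

In the demo the first three test windows stay close to the reference parameters, the window containing the onset of the flood is pushed far away in control space, and the fully flooded window is pushed further still, so the distance series itself carries the detection signal; the fitted (a, b) of a flooded window also lands inside the bimodal region of the cusp, which is the catastrophe-theoretic reading of the jump.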
