Network Anomaly Detection Based on ARFIMA Model

In this paper, the ARFIMA estimation model is presented as a method of detecting anomalies in network traffic. Parameter estimation and model identification are performed with the algorithms of Geweke and Porter-Hudak (estimation of the differencing parameters) and Box-Jenkins (identification of the order of the model). The optimal parameters of the model are chosen as a compromise between model consistency and the size of its estimation error. The proposed method uses statistical relations between the estimated traffic model and its real variation to detect abnormal behaviour. The experimental results confirm the effectiveness of the presented method.
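The Geweke and Porter-Hudak step named in the abstract can be sketched as a log-periodogram regression. This is an added example, not code from the paper: the function names `frac_noise` and `gph_estimate`, the bandwidth m = floor(sqrt(n)) and the simulated series standing in for a traffic counter are all assumptions.

```python
import cmath
import math
import random


def frac_noise(n, d, rng):
    """Constructed test signal: ARFIMA(0,d,0) started from zero history.

    x_t = sum_k psi_k * eps_{t-k}, with psi_0 = 1 and
    psi_k = psi_{k-1} * (k - 1 + d) / k, the MA expansion of (1 - B)^(-d).
    """
    eps = [rng.gauss(0.0, 1.0) for _ in range(n)]
    psi = [1.0]
    for k in range(1, n):
        psi.append(psi[-1] * (k - 1 + d) / k)
    return [sum(psi[k] * eps[t - k] for k in range(t + 1)) for t in range(n)]


def gph_estimate(x, m=None):
    """Estimate the differencing parameter d by log-periodogram regression.

    Regress log I(lam_j) on log(4 sin^2(lam_j / 2)) over the m lowest
    Fourier frequencies; the estimate of d is minus the fitted slope.
    """
    n = len(x)
    m = m or int(math.sqrt(n))  # assumed bandwidth, not stated on the page
    mean = sum(x) / n
    xs, ys = [], []
    for j in range(1, m + 1):
        lam = 2.0 * math.pi * j / n
        dft = sum((v - mean) * cmath.exp(-1j * lam * t) for t, v in enumerate(x))
        ys.append(math.log(abs(dft) ** 2 / (2.0 * math.pi * n)))
        xs.append(math.log(4.0 * math.sin(lam / 2.0) ** 2))
    xbar, ybar = sum(xs) / m, sum(ys) / m
    sxy = sum((a - xbar) * (b - ybar) for a, b in zip(xs, ys))
    sxx = sum((a - xbar) ** 2 for a in xs)
    return -sxy / sxx


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the constructed series is repeatable
    for true_d in (0.0, 0.4):
        series = frac_noise(2048, true_d, rng)
        print(f"true d = {true_d:.1f}  estimated d = {gph_estimate(series):.3f}")
```

A series with no long memory should give an estimate near 0, while a long-range dependent series gives a clearly positive one; the estimated d is what an ARFIMA fit would then use for fractional differencing.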
