ARIMA Based Network Anomaly Detection

An early warning system for potential network attacks will enable network administrators, or even automated network management software, to take preventive measures. This is needed as we move towards maximizing the utilization of the network with new paradigms such as Web Services and Software as a Service. This paper introduces a novel approach that uses the Auto-Regressive Integrated Moving Average (ARIMA) technique to detect potential attacks that may occur in the network. The solution is able to provide feedback through its predictive capabilities and hence serve as an early warning system. With the affirmative results, this technique can serve beyond the detection of Denial of Service (DoS), and with sufficient development an automated defensive solution can be achieved.
