Detecting low-rate periodic events in Internet traffic using renewal theory

In our previous work [1, 2] we studied detection of anomalies in packet arrival times for computer networks, most detection of denial-of-service (DoS) attacks in Internet traffic. In this paper we reformulate the detection method proposed in [1] using renewal theory, providing several useful extensions. This reformulation also leads to a method that would be applicable to numerous real life signals that exist as discrete events, e.g., biological signals. Most importantly renewal theory allows us to characterize the performance of our detector and determine theoretical bounds on the time-to-detection. Compared to alternative methods that use frequency spectra or event arrival rates for detection our method is shown to be superior in terms of time-to-detection. Further, unlike rate based techniques, our method can estimate the multiple periods when multiple periodic anomalies occur simultaneously.

[1]  John Heidemann,et al.  Detecting periodic patterns in internet traffic with spectral and statistical methods , 2006 .

[2]  P. Greenwood,et al.  A Guide to Chi-Squared Testing , 1996 .

[3]  Randolph Nelson,et al.  Probability, Stochastic Processes, and Queueing Theory , 1995 .

[4]  John S. Heidemann,et al.  Identification of Repeated Denial of Service Attacks , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[5]  Urbashi Mitra,et al.  Parametric Methods for Anomaly Detection in Aggregate Traffic , 2011, IEEE/ACM Transactions on Networking.

[6]  Xiaowei Yang,et al.  A passive approach for detecting shared bottlenecks , 2001, Proceedings Tenth International Conference on Computer Communications and Networks (Cat. No.01EX495).

[7]  Antonio Ortega,et al.  Analysis of Internet Measurement Systems for Optimized Anomaly Detection System Design , 2009, ArXiv.

[8]  Antonio Ortega,et al.  Improved Internet traffic analysis via optimized sampling , 2010, 2010 IEEE International Conference on Acoustics, Speech and Signal Processing.

[9]  U. Krieger,et al.  Nonparametric Estimation of the Renewal Function by Empirical Data , 2006 .