Combining statistical and spectral analysis techniques in network traffic anomaly detection

The rapid increase in the number of computer attacks creates a need to detect network anomalies quickly and effectively. This area has been widely studied, but the proposed solutions typically rely on data that is not freely available. A labeled and freely available network traffic flow dataset, Kyoto2006+, has recently been created. Most existing works that use Kyoto2006+ for network anomaly detection apply various clustering approaches. Clustering approaches typically require thresholds for a minimum cluster size or distance, or for the number of clusters, and the results can be sensitive to the selection of such thresholds. This paper leverages existing spectral analysis and statistical analysis techniques for network anomaly detection. One well-known spectral analysis technique is Haar wavelet filtering, which measures the number and magnitude of abrupt changes in the data. Another popular approach is a statistical analysis technique, Principal Component Analysis (PCA), which describes the data in a new coordinate system to expose otherwise hidden characteristics. Both approaches have strengths and limitations. In response, this paper proposes a Hybrid PCA-Haar Wavelet Analysis: a modified PCA that incorporates time shifting to account for changes over time is considered, and the hybrid approach uses PCA to describe the data and Haar wavelet filtering to analyze it. Based on prototyping and measurement, the Hybrid PCA-Haar Wavelet Analysis technique is investigated using the Kyoto2006+ dataset. We present experimental results that demonstrate the accuracy and precision of the hybrid approach compared with each of the two algorithms individually. Furthermore, tests that examine the impact of the various parameters used in the algorithm are discussed.
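The following is an added illustration of the two building blocks the abstract combines, not the paper's own implementation: PCA reduces per-interval flow features to one score series, and a Haar wavelet detail filter over that series flags abrupt changes against a robust threshold. The feature columns, the sample intervals, the MAD-based threshold and the parameter `k` are assumptions made here; the paper's time-shifted PCA modification is not reproduced.

```python
import math
from statistics import median

# Constructed sample (not from Kyoto2006+): one feature vector per time interval,
# (flow count, kilobytes, distinct destination ports). Intervals 10 and 11 carry
# an injected burst; the remaining intervals are a quiet baseline with unit jitter.
SAMPLE = [
    (100, 80, 5), (101, 81, 5), (99, 80, 4), (100, 79, 5), (101, 80, 6),
    (100, 81, 5), (99, 80, 5), (100, 80, 4), (101, 79, 5), (100, 80, 5),
    (400, 300, 60), (402, 300, 61),
    (100, 81, 5), (99, 80, 5), (100, 80, 6), (101, 79, 5),
]

def standardize(rows):
    """Zero-mean, unit-variance columns so no single feature dominates the PCA."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def first_principal_component(z, iters=200):
    """Leading eigenvector of the covariance matrix, found by power iteration."""
    n, d = len(z), len(z[0])
    cov = [[sum(r[i] * r[j] for r in z) / n for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return v

def pca_scores(rows):
    """Project each interval onto PC1: a one-dimensional description of the traffic."""
    z = standardize(rows)
    pc = first_principal_component(z)
    return [sum(a * b for a, b in zip(r, pc)) for r in z]

def haar_detail(series):
    """Shift-invariant level-1 Haar detail: (x[t] - x[t-1]) / sqrt(2) for t = 1..n-1.
    Large coefficients mark abrupt changes; a flat series gives all zeros."""
    return [(series[t] - series[t - 1]) / math.sqrt(2) for t in range(1, len(series))]

def detect_abrupt_changes(rows, k=3.0):
    """Hybrid step: PCA scores -> Haar details -> robust (MAD) threshold.
    Returns the interval indices at which the score series jumps abruptly."""
    details = haar_detail(pca_scores(rows))
    med = median(details)
    sigma = 1.4826 * median(abs(x - med) for x in details)  # MAD scaled to a std estimate
    return [t + 1 for t, x in enumerate(details) if abs(x) > k * sigma]
```

On the constructed sample, `detect_abrupt_changes(SAMPLE)` reports the onset and the end of the burst (intervals 10 and 12) and nothing inside the quiet baseline, which is the behaviour the robust threshold is meant to give regardless of the absolute traffic volume.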
