Network Traffic Prediction and Anomaly Detection Based on ARFIMA Model

In this paper, we present network anomaly detection using the ARFIMA model. We propose a parameter estimation method that uses the Hyndman-Khandakar algorithm to estimate the polynomial parameters and the Haslett and Raftery algorithm to estimate the differencing parameters. The optimal values of the model parameters are chosen on the basis of information criteria representing a compromise between the consistency of the model and the size of its estimation error. In the presented method, we propose to use statistical relationships between predicted and original network traffic to determine whether the examined trace is normal or attacked. The efficiency of our method is verified using an extended set of real benchmark test traces. The reported experimental results confirm the efficiency of the presented method.
