Anomaly Detection Based on LRD Behavior Analysis of Decomposed Control and Data Planes Network Traffic Using SOSS and FARIMA Models

The detection of anomalies in network traffic, such as low-volume attacks and abnormalities, has become a pressing problem given today's large volume of Internet traffic. To this end, various anomaly detection techniques have been developed, including techniques based on estimating the long-range dependence (LRD) behavior of network traffic. However, the existing LRD-based techniques analyze the aggregated WHOLE (control plus data) traffic, which might not be sufficient to detect short-duration and low-volume attacks and abnormalities, because such anomalies might pass unnoticed in the large volume of normal background traffic. To address this issue, we propose a method that examines the LRD behavior of control and data planes traffic separately, which improves the detection efficacy. For LRD behavior analysis, the proposed method integrates the correlation structures of second-order self-similar (SOSS) and fractional autoregressive integrated moving average (FARIMA) models. The performance of the proposed method is empirically evaluated and validated on relatively recent real Internet traffic captured at King Saud University's network. The analysis and results demonstrate that the proposed method efficiently detects such low-volume and short-duration attacks and abnormalities in the traffic, which would not be detected by merely analyzing the aggregated WHOLE traffic without decomposing it into control and data planes traffic.
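The following is an added illustration, not code from the paper: it implements the two correlation structures the abstract names (the exact SOSS autocorrelation and the FARIMA(0,d,0) autocorrelation, whose Hurst parameter is H = d + 1/2), fits H to a per-bin packet-count series under each structure, and applies that separately to the control-plane, data-plane and aggregated WHOLE series. The control/data plane assignment rule, the packet tuple layout and the drift-from-baseline decision rule are assumptions of this example, not the paper's definitions.

```python
def soss_acf(k, H):
    """Lag-k autocorrelation of an exactly second-order self-similar (SOSS) process with Hurst parameter H."""
    if k == 0:
        return 1.0
    return 0.5 * ((k + 1) ** (2 * H) - 2 * k ** (2 * H) + (k - 1) ** (2 * H))

def farima_acf(k, d):
    """Lag-k autocorrelation of FARIMA(0,d,0), 0 <= d < 0.5, via rho(k) = rho(k-1)*(k-1+d)/(k-d); H = d + 1/2."""
    rho = 1.0
    for j in range(1, k + 1):
        rho *= (j - 1 + d) / (j - d)
    return rho

def sample_acf(x, max_lag):
    """Sample autocorrelation at lags 1..max_lag of a per-bin packet-count series."""
    n, mean = len(x), sum(x) / len(x)
    var = sum((v - mean) ** 2 for v in x)
    if var == 0:                      # constant series carries no correlation structure
        return [0.0] * max_lag
    return [sum((x[i] - mean) * (x[i + k] - mean) for i in range(n - k)) / var
            for k in range(1, max_lag + 1)]

def fit_hurst(acf):
    """Least-squares fit of H to an empirical ACF under the SOSS and FARIMA structures -> (H_soss, H_farima)."""
    grid = [round(0.5 + 0.01 * i, 2) for i in range(50)]   # candidate H in [0.50, 0.99]
    h_soss = min(grid, key=lambda H: sum((r - soss_acf(k, H)) ** 2 for k, r in enumerate(acf, 1)))
    h_farima = min(grid, key=lambda H: sum((r - farima_acf(k, H - 0.5)) ** 2 for k, r in enumerate(acf, 1)))
    return h_soss, h_farima

# Plane assignment is an assumption of this example, not the paper's definition: ICMP, DNS and TCP
# segments with no payload or with SYN/FIN/RST set are control plane; everything else is data plane.
def decompose(packets, bin_width, n_bins):
    """packets: (timestamp, proto, tcp_flag_set, payload_bytes). Returns per-bin counts per plane."""
    planes = {"control": [0] * n_bins, "data": [0] * n_bins}
    for t, proto, flags, payload in packets:
        b = int(t // bin_width)
        if b >= n_bins:
            continue
        control = proto in ("icmp", "dns") or (proto == "tcp" and (payload == 0 or flags & {"SYN", "FIN", "RST"}))
        planes["control" if control else "data"][b] += 1
    planes["whole"] = [c + d for c, d in zip(planes["control"], planes["data"])]  # the aggregated WHOLE traffic
    return planes

def detect(planes, baseline_h, max_lag=20, tol=0.1):
    """Flag each plane whose fitted SOSS Hurst parameter drifts more than tol from its baseline (decision rule assumed here)."""
    fitted = {p: fit_hurst(sample_acf(series, max_lag))[0] for p, series in planes.items()}
    return {p: abs(fitted[p] - baseline_h[p]) > tol for p in fitted}, fitted
```

Feed the output of `decompose` for each observation window into `detect`, with per-plane baseline H values fitted on known-clean windows; a window where the control-plane H drifts while the WHOLE series stays near its baseline is the case the abstract argues decomposition exposes.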
