Anomaly detection using Wavelet-based estimation of LRD in packet and byte count of control traffic

Detecting anomalous behavior such as low-volume attacks and other abnormalities in today's large volume of Internet traffic has become a challenging problem for the network community. Efficient, real-time detection of anomalous traffic is crucial in order to rapidly diagnose and mitigate the anomaly and to recover from the resulting malfunction. In this paper, we present an efficient anomaly detection method based on the estimation of long-range dependence (LRD) behavior in the packet and byte counts of the aggregated control traffic. The method surrogates the aggregated whole Internet traffic (i.e., control plus data) with the aggregated control traffic and detects anomalous traffic through wavelet-based estimation of the LRD behavior of that control traffic. Since Internet traffic exhibits LRD behavior under benign, normal conditions, deviation from this behavior can indicate an anomaly. Experiments on the KSU dataset demonstrate that this method not only significantly improves the anomaly detection process by considerably reducing the volume of traffic to be processed, but also achieves high detection effectiveness. Because the control traffic constitutes a small fraction of the whole traffic, and most attacks are manifested and carried out in the control traffic, surrogating the whole traffic with the control traffic increases the detection efficacy.
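As an added example (not code from the paper or the KSU experiments), the following Python sketches the estimation step the abstract describes: a Haar-wavelet log-scale diagram gives the scaling exponent of the detail-coefficient energies across octaves, the Hurst parameter H is read off that exponent, and each window of a count series whose H falls outside a baseline LRD band is flagged. The count series, the seeds, the ARFIMA generator used as a stand-in for long-range-dependent traffic, and the band [0.65, 1.0] are all constructed assumptions, not the paper's data or thresholds.

```python
# Added example (not from the paper): Haar-wavelet log-scale-diagram
# estimation of the Hurst parameter H, applied window by window to a
# constructed packet-count series; a window whose H leaves the baseline
# LRD band is flagged as anomalous.
import math
import random


def haar_energies(x, j_max=6):
    """Mean squared Haar detail coefficient per octave j = 1..j_max.

    Returns a list of (j, n_j, mu_j): n_j detail coefficients at octave j
    with mean square mu_j. For white noise mu_j is flat in j; for
    stationary LRD data it grows like 2**(j * (2H - 1)).
    """
    out = []
    s = list(x)
    for j in range(1, j_max + 1):
        n = len(s) // 2
        if n < 8:          # too few coefficients for a usable estimate
            break
        detail = [(s[2 * k] - s[2 * k + 1]) / math.sqrt(2) for k in range(n)]
        approx = [(s[2 * k] + s[2 * k + 1]) / math.sqrt(2) for k in range(n)]
        out.append((j, n, sum(d * d for d in detail) / n))
        s = approx         # iterate the filter on the coarser approximation
    return out


def hurst_wavelet(x, j_min=2, j_max=6):
    """Estimate H by weighted least squares of log2(mu_j) on j.

    Weights are proportional to n_j (fine octaves have more coefficients
    and so more reliable energies), the idea behind the Abry-Veitch
    log-scale diagram; the small log-of-mean bias correction is omitted.
    """
    pts = [(j, n, mu) for j, n, mu in haar_energies(x, j_max) if j >= j_min]
    w = [n for _, n, _ in pts]
    xs = [float(j) for j, _, _ in pts]
    ys = [math.log2(mu) for _, _, mu in pts]
    sw = sum(w)
    xbar = sum(wi * xi for wi, xi in zip(w, xs)) / sw
    ybar = sum(wi * yi for wi, yi in zip(w, ys)) / sw
    num = sum(wi * (xi - xbar) * (yi - ybar) for wi, xi, yi in zip(w, xs, ys))
    den = sum(wi * (xi - xbar) ** 2 for wi, xi in zip(w, xs))
    alpha = num / den              # scaling exponent of the energies
    return (alpha + 1.0) / 2.0     # H = (alpha + 1) / 2 for stationary LRD


def white_noise_counts(n, seed):
    """Constructed series with no long memory (H = 0.5)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def arfima_counts(n, d, seed, k_max=128):
    """Constructed LRD series: ARFIMA(0, d, 0) via a truncated MA filter.

    H = d + 0.5, so d = 0.35 gives H ~ 0.85, standing in for the long
    memory the abstract attributes to benign aggregate traffic.
    """
    rng = random.Random(seed)
    psi = [1.0]
    for k in range(1, k_max + 1):
        psi.append(psi[-1] * (k - 1 + d) / k)
    eps = [rng.gauss(0.0, 1.0) for _ in range(n + k_max)]
    return [sum(psi[k] * eps[t + k_max - k] for k in range(k_max + 1))
            for t in range(n)]


def flag_windows(series, window, h_lo, h_hi):
    """Indices of windows whose estimated H lies outside [h_lo, h_hi]."""
    flagged = []
    for i in range(len(series) // window):
        h = hurst_wavelet(series[i * window:(i + 1) * window])
        if not (h_lo <= h <= h_hi):
            flagged.append(i)
    return flagged


def demo():
    window = 8192
    # Constructed traffic: three LRD windows, one window in which the
    # long-memory structure is lost (white noise), then one more LRD window.
    series = arfima_counts(3 * window, 0.35, seed=11)
    series += white_noise_counts(window, seed=12)
    series += arfima_counts(window, 0.35, seed=13)
    return flag_windows(series, window, 0.65, 1.0)   # expected: [3]


if __name__ == "__main__":
    print("anomalous windows:", demo())
```

In a deployment the input would be the per-interval packet or byte counts of the control-plane packets only, the band would be learned from benign windows (for instance mean H plus or minus a few standard deviations), and the Abry-Veitch bias correction for the coarse octaves would be worth adding, since those octaves have the fewest coefficients.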
