Automatically Created Statistical Models Applied to Network Anomaly Detection

In this article we present the use of automatically created exponential smoothing models for anomaly detection in networks. We propose a method for estimating and selecting parameters by means of the model order obtained with the Hyndman-Khandakar algorithm. Optimal values of the model parameters are chosen on the basis of information criteria reflecting a compromise between the consistency of the model and the size of its estimation error. In the proposed method, we use statistical relationships between the forecasted and real network traffic to determine whether the tested trace is normal or attacked. The efficiency of our method is examined using a large set of real network traffic test traces. The experimental results prove the resilience and effectiveness of the suggested solutions.
