Volume based anomaly detection using LRD analysis of decomposed network traffic

Network traffic intrusions increase day by day in computer systems, posing major security threats to computer networks. In this paper, we present an effective approach for anomaly detection in network traffic. We investigate the long-range dependence (LRD) behavior of decomposed network traffic subgroups in different directions with respect to the enterprise network. If the network traffic exhibits LRD behavior under normal conditions, then a deviation from this property can indicate an abnormality in the traffic. We analyze and evaluate recent Internet traffic captured at King Saud University (KSU). The results and analysis of the proposed approach show that the presence of short-duration anomalies affects the LRD behavior of certain traffic subgroups, namely the subgroups in the control plane traffic, while the aggregated whole traffic still exhibits LRD. These results show how this approach significantly reduces the amount of traffic to analyze and, more importantly, that it can detect abnormal behavior that is not detected when looking at the traffic as a whole.
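As an added illustration (not code from the paper or from KSU), a pure-Python sketch of the per-subgroup check the abstract describes: estimate the Hurst parameter H of each decomposed subgroup's packet-count series with the aggregated-variance method and flag a subgroup whose H leaves the band seen under normal conditions. No KSU traces are available here, so the normal subgroup is a constructed ON/OFF-source model with heavy-tailed periods (the classical explanation for LRD in traffic), the "anomalous" subgroup is constructed memoryless counts, and the subgroup names and the 0.65 to 1.0 band are assumptions.

```python
import math
import random

def hurst_aggregated_variance(x, block_sizes=(1, 2, 4, 8, 16, 32, 64, 128, 256)):
    # Aggregated-variance estimator: Var(block means, size m) ~ m^(2H-2),
    # so H = 1 + slope/2 from least squares of log Var against log m.
    lm, lv = [], []
    for m in (b for b in block_sizes if len(x) // b >= 8):
        nb = len(x) // m
        means = [sum(x[i * m:(i + 1) * m]) / m for i in range(nb)]
        mu = sum(means) / nb
        var = sum((v - mu) ** 2 for v in means) / (nb - 1)
        if var > 0:
            lm.append(math.log(m))
            lv.append(math.log(var))
    mx, my = sum(lm) / len(lm), sum(lv) / len(lv)
    slope = sum((a - mx) * (b - my) for a, b in zip(lm, lv)) / sum((a - mx) ** 2 for a in lm)
    return 1.0 + slope / 2.0

def onoff_traffic(n_slots, n_sources, alpha, rng):
    # Constructed stand-in for a normal subgroup: packets per slot summed over ON/OFF
    # sources with Pareto(alpha) period lengths; 1 < alpha < 2 gives LRD, H = (3 - alpha) / 2.
    counts = [0] * n_slots
    for _ in range(n_sources):
        t, on = 0, rng.random() < 0.5
        while t < n_slots:
            length = int(rng.paretovariate(alpha))  # period length >= 1 slot
            if on:
                for s in range(t, min(t + length, n_slots)):
                    counts[s] += 1
            t, on = t + length, not on
    return counts

def memoryless_traffic(n_slots, rng):
    # Constructed stand-in for a subgroup that lost its LRD structure (iid counts, H near 0.5).
    return [rng.randint(0, 20) for _ in range(n_slots)]

def flag_subgroups(series_by_subgroup, normal_band=(0.65, 1.0)):
    # Per-subgroup check; the band is an assumed normal-condition range, not the paper's.
    report = {}
    for name, series in series_by_subgroup.items():
        h = hurst_aggregated_variance(series)
        report[name] = (round(h, 3), not normal_band[0] <= h <= normal_band[1])
    return report

def demo(seed=7, n_slots=16384):
    rng = random.Random(seed)  # subgroup names below are illustrative only
    subgroups = {"data_inbound": onoff_traffic(n_slots, 40, 1.3, rng),
                 "control_inbound": memoryless_traffic(n_slots, rng)}
    return flag_subgroups(subgroups)
```

`demo()` returns `{name: (H, flagged)}`; with the constructed inputs the ON/OFF subgroup stays inside the band while the memoryless one is flagged.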
