Detection of Network Attacks Using Hybrid ARIMA-GARCH Model

This article presents an attempt to detect attacks (anomalies) in analyzed network traffic using a mixed (hybrid) statistical model, ARIMA-GARCH. As a preliminary step, the elements of the analyzed time series were normalized by means of the Box-Cox transformation. White's test was then applied to determine whether the analyzed time series were characterized by heteroscedasticity. For comparison, the series were also tested with separate statistical approaches, describing either the mean or the conditional variance, realized by the individual ARIMA and GARCH models. The optimal model parameters were chosen as a compromise between the coherence of the model and the size of the estimation error. Attacks (anomalies) in the network traffic were detected from the relations between the properly estimated model of the network traffic and its real parameters. The presented experimental results confirmed the fitness and efficiency of the proposed solutions.
