Decoupling non-stationary and stationary components in long range network time series in the context of anomaly detection

Network traffic characterisation and modeling using time series models is an area that has been studied extensively. Coarse-grained (aggregated traffic) time series analysis using a parametric approach, carried out primarily at the backbone network over long periods (of the order of days to months), shows strong deterministic cyclic trends, while its fine-grained (packet- or flow-level) counterpart, done mostly at edge networks over short periods (of the order of a few minutes), exhibits self-similar behaviour. This paper is an attempt to study the fine-grained time series characteristics of network traffic at an edge network, observed over a long period (of the order of days and weeks), using a parametric approach. The analysis is carried out in the context of anomaly detection. Most earlier attempts in this direction followed a non-parametric approach, using either adaptive or non-adaptive (i.e. stationarity-assuming) mechanisms, whose performance is found to be extremely sensitive to empirically determined model parameters, which are hence difficult to choose. Also, the model parameters need to be recomputed at regular intervals (of the order of a few seconds to minutes). To some extent, this makes such algorithms less attractive in terms of generality and practical implementation. The first part of the paper discusses the statistical characteristics of such long range network time series. These are found to exhibit structural breaks in addition to transient shocks, and can be approximated by a stationary AR model after an absolute first difference transformation (i.e. decoupling the stationary component from the non-stationary one). In the later part of the paper, the efficacy of the proposed model is evaluated by conducting extensive trace-driven simulations for the detection of low intensity TCP SYN flood Denial of Service (DoS) attacks. Performance is measured in terms of false positives, false alarm time, detection rate and detection delay. Experiments are performed on actual traffic traces collected from one edge network over a period of three months and for various sampling intervals (10s, 60s, 120s). Comparative studies with adaptive and non-adaptive methods are carried out to demonstrate the relevance of the proposed model. It is observed that the proposed method gives better performance, with 100% detection accuracy for a false positive rate as low as 0.9%.
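The decoupling step the abstract describes, worked through as an added example (not the paper's code or traces): a constructed per-10s SYN-count series with a persistent level shift (structural break) and a one-interval burst (transient shock) is passed through the absolute first difference, a stationary AR(p) model is fitted on an attack-free prefix, and intervals whose one-step residual exceeds k sigma are alarmed. The AR order, the k-sigma threshold rule and the sample data are assumptions of this example, not values taken from the paper.

```python
"""Added example: absolute first difference + AR residual alarm on a
constructed SYN-count series (not the paper's code or data)."""
import random
from statistics import mean, pstdev

def abs_first_difference(x):
    """y_t = |x_t - x_{t-1}|: a persistent level shift becomes one spike,
    so the differenced series can be treated as stationary."""
    return [abs(b - a) for a, b in zip(x, x[1:])]

def fit_ar(y, p):
    """AR(p) coefficients from the Yule-Walker equations (Levinson-Durbin)."""
    mu, n = mean(y), len(y)
    r = [sum((y[t] - mu) * (y[t - k] - mu) for t in range(k, n)) / n
         for k in range(p + 1)]
    phi, err = [], r[0]
    for k in range(1, p + 1):
        kappa = (r[k] - sum(phi[j] * r[k - 1 - j] for j in range(k - 1))) / err
        phi = [phi[j] - kappa * phi[k - 2 - j] for j in range(k - 1)] + [kappa]
        err *= 1 - kappa * kappa
    return mu, phi

def one_step_residuals(y, mu, phi):
    """(t, y_t - yhat_t) for t >= p, yhat from the p previous values."""
    p = len(phi)
    return [(t, y[t] - mu - sum(phi[j] * (y[t - 1 - j] - mu) for j in range(p)))
            for t in range(p, len(y))]

def detect(counts, train_len, p=2, k=4.0):
    """Fit on an attack-free prefix; alarm where the one-step residual exceeds
    k * sigma (threshold rule is an assumption, not the paper's).
    Returns indices into `counts` of the alarmed sampling intervals."""
    y = abs_first_difference(counts)
    mu, phi = fit_ar(y[:train_len], p)
    sigma = pstdev([e for _, e in one_step_residuals(y[:train_len], mu, phi)])
    return [t + 1 for t, e in one_step_residuals(y, mu, phi) if e > k * sigma]

def constructed_syn_counts(seed=7):
    """Constructed SYN counts per 10 s interval (sample data, not a trace):
    baseline ~50, a persistent level shift of +60 from interval 200
    (structural break) and a one-interval burst of +250 at 260 (shock)."""
    rng = random.Random(seed)
    counts = [50 + rng.randint(-8, 8) for _ in range(320)]
    return [c + (60 if t >= 200 else 0) + (250 if t == 260 else 0)
            for t, c in enumerate(counts)]

if __name__ == "__main__":
    print("alarmed intervals:", detect(constructed_syn_counts(), train_len=190))
```

On this data the level shift raises a single alarm at interval 200 rather than a persistent run, which is the point of differencing before fitting the AR model; the burst at 260 alarms on both of its large differences (260 and 261).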
