Journal Electromagnetic Waves and Electronic Systems, No. 2, 2012
Article in issue:
Detection of abnormal spikes in network traffic by methods of discrete wavelet analysis
Authors:
O.I. Sheluhin, A.V. Garmashev
Abstract:
For traffic anomaly detection in computer and telecommunication networks, a method based on discrete wavelet decomposition and statistical processing algorithms using the Fisher and Cochran criteria is proposed. For online detection, two sliding windows with two thresholds are used, which ensures high efficiency in detecting abnormal traffic bursts.

In this paper, to solve the problem of traffic anomaly detection in computer and telecommunication networks, we propose a method based on discrete wavelet decomposition of traffic data and a statistical detection algorithm based on the Fisher and Cochran criteria. Fisher's criterion is proposed for detecting fast high-frequency bursts, characterized by changes in the variance. Cochran's criterion operates on mean values and is proposed for detecting long-term low-frequency anomalies. The article examines the signs of abnormal behavior in a network stream and the connections between these signs as revealed by different statistical criteria.

Known statistical methods for detecting disorders caused by abnormal network traffic spikes are based on comparing statistical characteristics of the packet flow averaged over a relatively short period of time (local characteristics) with the corresponding characteristics over an extended period of time (global characteristics). If the local characteristics differ strongly from the corresponding global characteristics, this indicates anomalous behavior of the packet flows, and quite likely an attempt to scan or attack the network.

In the article we consider a solution to the problem of anomalous network traffic detection based on the discrete wavelet transform and statistical criteria. To adapt this method for real-time traffic analysis, a technique of two sliding windows is used: the windows move in time with a certain step, capturing the traffic values that fall within the time boundaries of each window.
It is shown that the use of sliding windows increases the reliability of detection of even minor anomalies.
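The local-versus-global comparison described in the abstract, as an added sketch that is not the authors' code: it covers only the Fisher (variance-ratio) part, applied to wavelet detail coefficients with a long reference window followed by a short detection window. The Haar wavelet, window lengths, step, threshold and the constructed traffic series are all assumptions; the abstract does not give these values.

```python
import math
import random
import statistics

def haar_detail(x):
    """Level-1 Haar DWT detail coefficients (high-frequency part of the series)."""
    return [(x[i] - x[i + 1]) / math.sqrt(2) for i in range(0, len(x) - 1, 2)]

def fisher_scan(series, ref_len=64, det_len=16, step=4, threshold=6.0):
    """Slide a long reference window and an adjacent short detection window
    over the detail coefficients; report positions where the variance ratio
    F = var(detection) / var(reference) exceeds the (assumed) threshold."""
    d = haar_detail(series)
    alarms = []
    for start in range(0, len(d) - ref_len - det_len + 1, step):
        ref = d[start:start + ref_len]                      # global characteristics
        det = d[start + ref_len:start + ref_len + det_len]  # local characteristics
        var_ref = statistics.variance(ref)
        if var_ref == 0:
            continue  # flat reference window: the ratio is undefined
        f = statistics.variance(det) / var_ref
        if f > threshold:
            # each detail coefficient spans two original samples
            alarms.append((2 * (start + ref_len), round(f, 1)))
    return alarms

def make_traffic(n=1024, burst_at=700, burst_len=40, seed=1):
    """Constructed sample: about 200 packets/s with one short high-variance burst."""
    rng = random.Random(seed)
    x = [200 + rng.gauss(0, 5) for _ in range(n)]
    for i in range(burst_at, burst_at + burst_len):
        x[i] += rng.gauss(0, 40)
    return x

if __name__ == "__main__":
    for position, f in fisher_scan(make_traffic()):
        print(f"variance burst near sample {position}: F = {f}")
```

Once the burst has moved into the reference window the ratio drops again, so alarms cluster at the onset of the burst rather than persisting after it.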
Pages: 15-27