350 rub
Journal Electromagnetic Waves and Electronic Systems №11 for 2014 г.
Article in number:
Comparison analysis of algorithms of anomalies - detection by statistics methods
Keywords: anomalies the network traffic detection methods wavelet decomposition coefficients detailed and approximation
Authors:
M.A. Smychek - Ph. D. (Eng.), Main Specialist, Department of Communications, JSC «Giprogazcentr» (N. Novgorod). E-mail: smychek@ggc.nnov.ru
R.A. Sudarikov - Engineer, Sector of Scientific Research, Department of Communications, JSC «Giprogazcentr» (N. Novgorod). E-mail: roman.sudarikov@gmail.com
Abstract:
A key element of any network system performance monitoring is online anomaly detection, which is to understand whether a system network data is close to the normal pattern or significantly deviates from expected and requires further investigation and diagnosis. This paper presents statistical techniques based on applying thresholds to individual data points and involving measuring the changes in distribution by windowing the data and using that to determine anomalies. Real-time network anomaly detection requires «lightweight» techniques that provide sufficient accuracy for subsequent diagnosis and management actions. There are several challenges in designing effective solutions for such online anomaly detection under conditions of huge amount of data. One of the critical performance aspects of any anomaly detection algorithm is the speed with which it can detect the anomaly. Another aspect is scale, for which the anomaly detection methods must be «lightweight», both in terms of the number of metrics they require to run (the volume of monitoring data continuously captured and used), and in terms of their runtime complexity for executing the detection methods. Anomaly detection is important because it must be done continuously, as long as a system is running and at scale of entire amount of network data. We have experimented the proposed algorithms using network data with different injected performance and configuration network anomalies such as ICMP flooding, UDP storm, Fraggle, Smurf, Synflooding, Flashcrowd attack. It is shown that for all the types of traffic anomalies, submitted a set of statistical filter contains more than one feature, which allows detecting anomaly traffic. Furthermore, it should be noted that the result of applying the proposed filters throughout anomaly is not singular but quasi-stationary. For example, the Smurf type anomaly specific is occurrence of high-frequency component which singularly appears with the anomaly, remains within and disappears with the anomaly. The ICMP-flooding type anomaly specific is singularly changing of the probability density functions characteristic. It-s shown the proposed superposition of statistical criteria allows diagnosing different type of anomalies.
Pages: 34-39
References

  1. Sheluxin O.I., Sakalema D.Zh., Filinova A.S. Obnaruzhenie vtorzhenij v komp'yuterny'e seti. Setevy'e anomalii. M.: Goryachaya liniya - telekom. 2013. 220 s.
  2. Nesterenko V.A. Statisticheskie metody' obnaruzheniya narushenij bezopasnosti v seti // Informaczionny'e proczessy'. 2006. T. 6. № 3. S. 208−217.
  3. Sudarikov R.A. Analiz informativny'x priznakov anomalij trafika v zadachax obnaruzheniya // Sb. trudov nauchno-texnich. konf. «Telekommunikaczionny'e i vy'chislitel'ny'e sistemy'». MTUSI. 2013. S. 128.
  4. Kriangkrai Limthong, Pirawat Watanapongse, Kensuke Fukuda. A Wavelet-Based Anomaly Detection for Outbound Network Traffic // Proceedings of 8th Asia-Pacific Symposium «Information & Telecommunication Technologies» (APSITT). 2010. P. 1−6.
  5. Lan Li, Gyungho Lee. DDoS Attack Detection and Wavelets // Proceedings of 12th International Conference on Computer Communications and Networks (ICCCN). 2003. P. 421−427.