Issue No.04 - July/August (2011 vol.8)

pp: 494-509

Federico Simmross-Wattenberg , Universidad de Valladolid, Valladolid

Juan Ignacio Asensio-Pérez , University of Valladolid, Valladolid

Pablo Casaseca-de-la-Higuera , University of Valladolid, Valladolid

Marcos Martín-Fernández , University of Valladolid, Valladolid

Ioannis A. Dimitriadis , University of Valladolid, Valladolid

Carlos Alberola-López , University of Valladolid, Valladolid

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.14

ABSTRACT

This paper proposes a novel method to detect anomalies in network traffic, based on a nonrestricted $\alpha$-stable first-order model and statistical hypothesis testing. To this end, we give statistical evidence that the marginal distribution of real traffic is adequately modeled with $\alpha$-stable functions and classify traffic patterns by means of a Generalized Likelihood Ratio Test (GLRT). The method automatically chooses the traffic windows used as a reference, against which the traffic window under test is compared, with no expert intervention needed to that end. We focus on detecting two anomaly types, namely floods and flash crowds, which have been frequently studied in the literature. Performance of our detection method has been measured through Receiver Operating Characteristic (ROC) curves, and results indicate that our method outperforms the closely related state-of-the-art contribution described in [CHECK END OF SENTENCE]. All experiments use traffic data collected from two routers at our university—a 25,000-student institution—which provide two different levels of traffic aggregation for our tests (traffic at a particular school and at the whole university). In addition, the traffic model is tested with publicly available traffic traces. Due to the complexity of $\alpha$-stable distributions, care has been taken in designing appropriate numerical algorithms to deal with the model.

INDEX TERMS

Traffic analysis, anomaly detection, $\alpha$-stable distributions, statistical models, hypothesis testing, ROC curves.

CITATION

Federico Simmross-Wattenberg, Juan Ignacio Asensio-Pérez, Pablo Casaseca-de-la-Higuera, Marcos Martín-Fernández, Ioannis A. Dimitriadis, Carlos Alberola-López, "Anomaly Detection in Network Traffic Based on Statistical Inference and $\alpha$-Stable Modeling",

*IEEE Transactions on Dependable and Secure Computing*, vol. 8, no. 4, pp. 494-509, July/August 2011, doi:10.1109/TDSC.2011.14

REFERENCES

- [1] A. Scherrer, N. Larrieu, P. Owezarski, P. Borgnat, and P. Abry, “Non-Gaussian and Long Memory Statistical Characterizations for Internet Traffic with Anomalies,” IEEE Trans. Dependable and Secure Computing, vol. 4, no. 1, pp. 56-70, Jan. 2007.
- [2] M. Thottan and C. Ji, “Anomaly Detection in IP Networks,” IEEE Trans. Signal Processing, vol. 51, no. 8, pp. 2191-2204, Aug. 2003.
- [3] C. Manikopoulos and S. Papavassiliou, “Network Intrusion and Fault Detection: A Statistical Anomaly Approach,” IEEE Comm. Magazine, vol. 40, no. 10, pp. 76-82, Oct. 2002.
- [4] Y. Gu, A. McCallum, and D. Towsley, “Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation,” Proc. Internet Measurement Conf., Oct. 2005.
- [5] A. Lakhina, M. Crovella, and C. Diot, “Diagnosing Network-Wide Traffic Anomalies,” Proc. ACM SIGCOMM '04, pp. 219-230, Aug. 2005.
- [6] P. Barford, J. Kline, D. Plonka, and A. Ron, “A Signal Analysis of Network Traffic Anomalies,” Proc. Second ACM SIGCOMM Workshop Internet Measurement, pp. 71-82, Nov. 2002.
- [7] A. Ray, “Symbolic Dynamic Analysis of Complex Systems for Anomaly Detection,” Signal Processing, vol. 84, no. 7, pp. 1115-1130, 2004.
- [8] S.C. Chin, A. Ray, and V. Rajagopalan, “Symbolic Time Series Analysis for Anomaly Detection: A Comparative Evaluation,” Signal Processing, vol. 85, no. 9, pp. 1859-1868, 2005.
- [9] A. Wagner and B. Plattner, “Entropy Based Worm and Anomaly Detection in Fast IP Networks,” Proc. 14th IEEE Int'l Workshops Enabling Technologies: Infrastructures for Collaborative Enterprises, pp. 172-177, June 2005.
- [10] M. Ramadas, S. Ostermann, and B. Tjaden, “Detecting Anomalous Network Traffic with Self-Organizing Maps,” Proc. Sixth Int'l Symp. Recent Advances in Intrusion Detection, pp. 36-54, 2003.
- [11] S.T. Sarasamma, Q.A. Zhu, and J. Huff, “Hierarchical Kohonen Net for Anomaly Detection in Network Security,” IEEE Trans. Systems, Man and Cybernetics, Part B: Cybernetics, vol. 35, no. 2, pp. 302-312, Apr. 2005.
- [12] V. Alarcon-Aquino and J.A. Barria, “Anomaly Detection in Communication Networks Using Wavelets,” IEE Proc.—Comm., vol. 148, no. 6, pp. 355-362, Dec. 2001.
- [13] L. Kleinrock, Queueing Systems, Volume 2: Computer Applications. John Wiley and Sons, 1976.
- [14] W. Willinger, M.S. Taqqu, R. Sherman, and D.V. Wilson, “Self-Similarity through High-Variability: Statistical Analysis of Ethernet LAN Traffic at the Source Level,” IEEE/ACM Trans. Networking, vol. 5, no. 1, pp. 71-86, Feb. 1997.
- [15] G. Samorodnitsky and M.S. Taqqu, Stable Non-Gaussian Random Processes: Stochastic Models with Infinite Variance. Chapman & Hall, 1994.
- [16] F. Simmross-Wattenberg, A. Tristán-Vega, P. Casaseca-de-la Higuera, J.I. Asensio-Pérez, M. Martín-Fernández, Y.A. Dimitriadis, and C. Alberola-López, “Modelling Network Traffic as $\alpha$-Stable Stochastic Processes: An Approach Towards Anomaly Detection,” Proc. VII Jornadas de Ingeniería Telemática (JITEL), pp. 25-32, Sept. 2008.
- [17] G.R. Arce, Nonlinear Signal Processing: A Statistical Approach. John Wiley and Sons, 2005.
- [18] J. Jiang and S. Papavassiliou, “Detecting Network Attacks in the Internet via Statistical Network Traffic Normality Prediction,” J. Network and Systems Management, vol. 12, no. 1, pp. 51-72, Mar. 2004.
- [19] W. Yan, E. Hou, and N. Ansari, “Anomaly Detection and Traffic Shaping under Self-Similar Aggregated Traffic in Optical Switched Networks,” Proc. Int'l Conf. Comm. Technology (ICCT '03), vol. 1, pp. 378-381, Apr. 2003.
- [20] J. Brutlag, “Aberrant Behavior Detection in Time Series for Network Monitoring,” Proc. USENIX 14th System Administration Conf. (LISA), pp. 139-146, Dec. 2000.
- [21] V. Paxson and S. Floyd, “Wide Area Traffic: The Failure of Poisson Modelling,” IEEE/ACM Trans. Networking, vol. 3, no. 3, pp. 226-244, June 1995.
- [22] Internet Traffic Archive, http://ita.ee.lbl.gov/, 2011.
- [23] Waikato Internet Traffic Storage, http://wand.cs.waikato.ac.nz/wits/, 2011.
- [24] Cooperative Assoc. for Internet Data Analysis, http://www.caida.org/, 2011.
- [25] DiRT Group's Home Page, Univ. of North Carolina, http://www-dirt.cs.unc.edu/ts/, 2010.
- [26] “Metrology for Security and Quality of Service,” http://www.laas.fr/METROSEC/, 2011.
- [27] B. Krishnamurthy, S. Sen, Y. Zhang, and Y. Chen, “Sketch-Based Change Detection: Methods, Evaluation, and Applications,” Proc. Internet Measurement Conf. (IMC), pp. 234-247, Oct. 2003.
- [28] DDoSVax, http://www.tik.ee.ethz.ch/ddosvax/, 2010.
- [29] S. Stolfo et al., “The Third International Knowledge Discovery and Data Mining Tools Competition,” http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, 2011.
- [30] G. Cormode and S. Muthukrishnan, “What's New: Finding Significant Differences in Network Data Streams,” IEEE/ACM Trans. Networking, vol. 13, no. 6, pp. 1219-1232, Dec. 2005.
- [31] Cisco Systems, “Cisco IOS NetFlow,” http://www.cisco.com/web/go/netflow, 2011.
- [32] A. Papoulis, Probability, Random Variables, and Stochastic Processes, third ed., McGraw-Hill, 1991.
- [33] W. Leland, M. Taqqu, W. Willinger, and D. Wilson, “On the Self-Similar Nature of Ethernet Traffic (Extended Version),” IEEE/ACM Trans. Networking, vol. 2, no. 1, pp. 1-15, Feb. 1994.
- [34] P. Embrechts and M. Maejima, Selfsimilar Processes. Princeton Univ. Press, 2002.
- [35] Lévy Processes: Theory and Applications, O.E. Barndorff-Nielsen, T. Mikosch, and S.I. Resnick, eds., Birkhäuser, 2001.
- [36] J.R. Gallardo, D. Makrakis, and L. Orozco-Barbosa, “Use of $\alpha$-Stable Self-Similar Stochastic Processes for Modelling Traffic in Broadband Networks,” Performance Evaluation, vol. 40, pp. 71-98, 2000.
- [37] A. Karasaridis and D. Hatzinakos, “Network Heavy Traffic Modeling Using $\alpha$-Stable Self-Similar Processes,” IEEE Trans. Comm., vol. 49, no. 7, pp. 1203-1214, July 2001.
- [38] T. Mikosch, S. Resnick, H. Rootzén, and A. Stegeman, “Is Network Traffic Approximated by Stable Lévy Motion or Fractional Brownian Motion?” The Annals of Applied Probability, vol. 12, no. 1, pp. 23-68, 2002.
- [39] S.M. Kay, Fundamentals of Statistical Signal Processing, Volume 2: Detection Theory. Prentice Hall, 1998.
- [40] Iperf, http://iperf.sourceforge.net/, 2011.
- [41] “Apache JMeter,” The Apache Jakarta Project, Apache Software Foundation, http://jakarta.apache.org/jmeter/, 2011.
- [42] Z. Liu, N. Niclausse, and C. Jalpa-Villanueva, “Traffic Model and Performance Evaluation of Web Servers,” Performance Evaluation, vol. 46, nos. 2-3, pp. 77-100, 2001.
- [43] M.A. Stephens, “EDF Statistics for Goodness of Fit and Some Comparisons,” J. Am. Statistical Assoc., vol. 69, no. 347, pp. 730-737, 1974.
- [44] M.S. Weiss, “Modification of the Kolmogorov-Smirnov Statistic for Use with Correlated Data,” J. Am. Statistical Assoc., vol. 73, no. 364, pp. 872-875, 1978.
- [45] R.S. Deo, “On Estimation and Testing Goodness of Fit for $m$-Dependent Stable Sequences,” J. Econometrics, vol. 99, pp. 349-372, 2000.
- [46] L.J. Glesser and D.S. Moore, “The Effect of Dependence on Chi-Squared and Empiric Distribution Tests of Fit,” The Annals of Statistics, vol. 11, no. 4, pp. 1100-1108, 1983.
- [47] A.K. Jain, R.P.W. Duin, and J. Mao, “Statistical Pattern Recognition: A Review,” IEEE Trans. Pattern Analysis and Machine Intelligence, vol. 22, no. 1, pp. 4-37, Jan. 2000.
- [48] S.J. Press and S. Wilson, “Choosing between Logistic Regression and Discriminant Analysis,” J. Am. Statistical Assoc., vol. 73, no. 364, pp. 699-705, 1978.
- [49] “MATLAB—The Language of Technical Computing,” Mathworks, Inc., http://www.mathworks.com/products/matlab/, 2011.
- [50] B. Rosner, Fundamentals of Biostatistics. Duxbury Thomson Learning, 2000.
- [51] A. Stavrou, G.F. Cretu-Ciocarlie, M.E. Locasto, and S.J. Stolfo, “Keep Your Friends Close: The Necessity for Updating an Anomaly Sensor with Legitimate Environment Changes,” Proc. ACM/CSS Workshop Security and Artificial Intelligence (AISec), 2009.
- [52] G.F. Cretu-Ciocarlie, A. Stavrou, M.E. Locasto, and S.J. Stolfo, “Adaptive Anomaly Detection via Self-Calibration and Dynamic Updating,” Proc. 12th Int'l Symp. Recent Advances in Intrusion Detection (RAID), Sept. 2009.
- [53] G. Maciá-Fernández, J. Díaz-Verdejo, and P. García-Teodoro, “Evaluation of a Low-Rate DoS Attack against Application Servers,” Computers and Security, vol. 27, pp. 335-354, 2008.