Decoupling non-stationary and stationary components in long range network time series in the context of anomaly detection

Proceedings - Conference on Local Computer Networks, LCN

Volumn , Issue , 2012, Pages 76-84

  James, Cyriac ^a   Murthy, Hema A ^a  

^a INDIAN INSTITUTE OF TECHNOLOGY MADRAS   (India)

Author keywords

Anomaly detection; Monitoring and forecasting; Network traffic characterisation; Stochastic modeling; Time series models

Indexed keywords

AGGREGATED TRAFFICS; ANOMALY DETECTION; AR MODELS; BACK-BONE NETWORK; BETTER PERFORMANCE; COARSE-GRAINED; COMPARATIVE STUDIES; DENIAL OF SERVICE ATTACKS; DETECTION ACCURACY; DETECTION DELAYS; DETECTION RATES; EDGE NETWORKS; FALSE ALARMS; FALSE POSITIVE; FLOW LEVEL; LONG RANGE; LOW-INTENSITY; MODEL PARAMETERS; NETWORK TRAFFIC; NONPARAMETRIC APPROACHES; NONSTATIONARY; PARAMETRIC APPROACH; PRACTICAL IMPLEMENTATION; SAMPLING INTERVAL; SELF-SIMILAR; STATIONARITY; STATIONARY COMPONENTS; STATISTICAL CHARACTERISTICS; STRUCTURAL BREAK; TCP SYN FLOOD; TIME SERIES CHARACTERISTIC; TIME SERIES MODELS; TIME-PERIODS; TRACE DRIVEN SIMULATION; TRAFFIC TRACES;

STOCHASTIC MODELS; TELECOMMUNICATION TRAFFIC; TIME SERIES ANALYSIS;

COMPUTER SIMULATION;

EID: 84874309665     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/LCN.2012.6423689     Document Type: Conference Paper

References (47)

1. M. Roughan, A. Greenberg, C. R. Kalmanek, M. P. Rumsewicz, J. Yates, and Y. Zhang, "Experience in measuring internet backbone traffic variability: Models, metrics, measurements and meaning," in ITC, 2003, pp. 379-388.
2. K. Papagiannaki, N. Taft, Z. Zhang, and C. Diot, "Long-term forecasting of internet backbone traffic," IEEE Transactions on Neural Networks, vol. 16, no. 5, pp. 1110-1124, Sep 2005.
3. O. Salem, A. Makke, J. Tajer, and A. Mehaoua, "Flooding Attacks Detection in Traffic of Backbone Networks," in LCN, 2011, pp. 441-449.
4. B. Zhou, D. He, and Z. Sun, "Traffic predictability based on ARIMA/GARCH model," in NGI, 2006, pp. 200-207.
5. L. Arshadi and A. H. Jahangir, "Entropy based SYN flooding detection," in LCN, 2011, pp. 139-142.
6. W. E. Leland, M. S. Taqqu, W. Willinger, and D. V. Wilson, "On the self-similar nature of Ethernet traffic (extended version)," IEEE/ACM Transactions on Networking, vol. 2, no. 1, pp. 1-15, Feb 1994.
7. H. Wang, D. Zhang, and K. Shin, "SYN-dog: Sniffing SYN flooding sources," in ICDCS, 2002, pp. 421-428.
8. W. U. Qing-tao and S. Zhi-qing, "Detecting DDOS attacks against web server using time series analysis," Wuhan Univesity Journal of Natural Sciences, vol. 11, no. 1, pp. 175-180, 2006.
9. D. M. Divakaran, H. A. Murthy, and T. A. Gonsalves, "Detection of SYN flooding attacks using linear prediction analysis," in ICON, 2006, pp. 1-6.
10. G. Zhang, S. Jiang, G. Wei, and Q. Guan, "A prediction-based detection algorithm against distributed denial-of-service attacks," in IWCMC, June 2009, pp. 106-110.
11. C. James and H. A. Murthy, "Time series models and its relevance to modeling TCP SYN based DOS attacks," in EURO-NGI, 2011, pp. 1-8.
12. V. A. Siris and F. Papagalou, "Application of anomaly detection algorithms for detecting SYN flooding attacks," in GLOBECOM, 2004, pp. 2050-2054.
13. H. Liu and M. S. Kim, "Real-time detection of stealthy DDOS attacks using time-series decomposition," in ICC, 2010.
14. N. Ye, S. Vilbert, and Q. Chen, "Computer intrusion detection through EWMA for autocorrelated and uncorrelated data," IEEE Transactions on Reliability, vol. 52, no. 1, pp. 75-82, March 2003.
15. K. Papagiannaki, N. Taft, Z. Zhang, and C. Diot, "Evaluation of a low-rate dos attack against iterative servers," Journal of Computer and Telecommunications Networking, vol. 51, no. 4, pp. 1013-1030, March 2007.
16. A. Kuzmanovic and E. W. Knightly, "Low-rate TCP-Targeted denial of service attacks and counter strategies," IEEE/ACM Transactions on Networking, vol. 14, no. 4, pp. 683-696, Aug 2006.
17. M. Guirguis, A. Bestavros, I. Matta, and Y. Zhang, "Reduction of Quality (RoQ) Attacks on Internet End-Systems," in INFOCOM, vol. 2, 2005, pp. 1362-1372.
18. B. P. Lathi, Principles of Linear Systems and Signals. Oxford University Press, 2009.
19. M. Guirguis, A. Bestavros, and I. Matta, "Exploiting the transients of adaptation for RoQ attacks on Internet resources," in ICNP, 2004, pp. 184-195.
20. V. Paxson and S. Floyd, "Wide-Area traffic: The failure of Poisson modeling," IEEE/ACM Transactions on Networking, vol. 3, no. 3, pp. 226-244, June 1995.
21. W. Zhang, Q. Yang, and Y. Geng, "A Survey of Anomaly Detection Methods in Networks," in CNMT, 2009, pp. 1-3.
22. V. Paxson, "Bro: A system for detecting network intruders in real-time," Computer Networks, vol. 31, pp. 2435-2463, 1999.
23. M. Roesch, "Snort-Lightweight Intrusion Detection for Networks," in Proceedings of the 13th USENIX Conference on System Administration (LISA '99), 1999, pp. 229-238.
24. M. Bellaiche and J. Gregoire, "Avoiding DDoS with active management of backlog queues," in NSS, 2011, pp. 310-315.
25. A. Lakhina, M. Crovella, and C. Diot, "Diagnosing Network-Wide Traffic Anomalies," in Proceedings of the 2004 conference on applications, technologies, architectures, and protocols for computer communications (SIGCOMM '04), 2004, pp. 219-230.
26. L. Huang, X. L. Nguyen, M. Garofalakis, J. M. Hellerstein, M. I. Jordan, A. D. Joseph, and N. Taft, "Communication-Efficient Online Detection of Network-Wide Anomalies," in INFOCOM, 2007, pp. 134-142.
27. H. Ringberg, A. Soule, J. Rexford, and C. Diot, "Sensitivity of PCA for traffic anomaly detection," in SIGMETRICS, 2007, pp. 109-120.
28. J. Rexford and C. Dovrolis, "Future internet architecture: clean-slate versus evolutionary research," Communications of the ACM, vol. 53, no. 9, pp. 36-40, Sept 2010.
29. D. Clark, "The design philosophy of the DARPA Internet protocols," in Symposium proceedings on communications, architectures and protocols (SIGCOMM '88), vol. 18, no. 4, 1988, pp. 106-114.
30. G. E. P. Box, G. M. Jenkins, and G. C. Reinsel, Time Series Analysis: Forecasting and Control. Pearson Education, 1994.
31. A. Pankratz, Forecasting With Univariate Box-Jenkins Models: Concepts and Cases. John Wiley & Sons, 1983.
32. C. Chen and G. Tiao, "Random level-shift time series models, ARIMA approximations, and level-shift detection," Journal of Business and Economic Statistics, vol. 8, no. 1, pp. 83-97, Jan 1990.
33. G. Kirchgassner and J. Wolters, Introduction to Modern Time Series Analysis. Springer, 2007.
34. J. Canny, "A computational approach to edge detection," IEEE Trans-actions on PAMI, vol. 8, no. 6, pp. 679-698, 1986.
35. Z. Sun, D. He, L. Liang, and H. Cruickshank, "Internet QOS and traffic modelling," IEEE Proceedings on Software, vol. 151, no. 5, pp. 248-255, Oct 2004.
36. R. Cont, "Long range dependence in financial markets," Fractals in Engineering, vol. 4, pp. 159-179, 2005.
37. C. Granger and Z. Ding, "Some properties of absolute return: An alternative measure of risk," Annals of Economics and Statistics, no. 40, pp. 67-91, 1995.
38. C. Granger and N. Hyung, "Occasional structural breaks and long memory," Discussion Paper 99-14, University of California, San Diego, 1999.
39. R. F. Engle, "Autoregressive conditional heteroscedasticity with estimates of the variance of United Kingdom inflation," Econometrica, vol. 50, no. 4, pp. 987-1007, July 1982.
40. T. Elteto and S. Molnar, "On the distribution of round-trip delays in TCP/IP networks," in LCN, 1999, pp. 172-181.
41. T. Karagiannis, M. Molle, M. Faloutsos, and A. Broido, "A nonstationary Poisson view of Internet traffic," in INFOCOM, 2004.
42. J. R. M. Hosking, "Fractional differencing," Biometrika, vol. 68, pp. 165-176, 1981.
43. A. Downey, "The structural cause of file size distributions," in MASCOT, 2001, pp. 361-370.
44. A. Bhattacharjee and S. Nandi, "Statistical analysis of network traffic inter-arrival," in ICACT, 2010, pp. 1052-1057.
45. M. Roughan and J. Gottlieb, "Large-scale measurement and modeling of backbone internet traffic," in SPIE ITCOM, 2002.
46. MAWI working group traffic archive, "http://mawi.wide.ad.jp/mawi/, " last accessed on July 2012.
47. The Internet Traffic Archive, "http://ita.ee.lbl.gov/," last accessed on July 2012.