Journal of Networks, Vol 6, No 2 (2011), 311-318, Feb 2011
doi:10.4304/jnw.6.2.311-318

A Novel Network Traffic Anomaly Detection Model Based on Superstatistics Theory

Yue Yang, Hanping Hu, Wei Xiong, Fan Ding

Abstract


With the development of network technology and the continuing growth of network size, network structure is becoming increasingly complex. Mutual interactions among different network equipment, topology configurations and transmission protocols, together with cooperation and competition among network users, inevitably cause network traffic, which is driven by several factors at once, to exhibit non-stationary and complicated behavior. Because of this non-stationarity, traditional methods cannot easily be used to analyze complex network traffic. This paper discusses a new detection method for non-stationary network traffic based on superstatistics theory. According to superstatistics theory, a complex dynamic system may show large fluctuations of its intensive quantities on large time scales, which make the system behave non-stationarily; this is also a characteristic of network traffic. This idea provides a novel way to partition the non-stationary traffic time series into small stationary segments, each of which can be modeled by a discrete Generalized Pareto (GP) distribution. Different segments follow GP distributions with different distribution parameters, which are named slow parameters. We use the slow parameters of the segments as a key determinant of the system to describe the network's characteristics, and analyze the slow parameters with time series methods to detect network anomalies. Experimental results indicate that this method can be effective.
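The segment-then-fit idea in the abstract, as an added illustration that is not the paper's code: fixed-length windows stand in for the paper's segmentation (the page does not give its procedure), a method-of-moments fit to the continuous GP stands in for its discrete-GP estimation, and the per-segment scale parameter is watched with a robust z-score; the traffic series is constructed, not real.

```python
"""Added example (not from the paper): per-segment Generalized Pareto fits
as "slow parameters", then anomaly detection on that parameter series.
Assumptions: fixed-length windows stand in for the paper's segmentation,
a method-of-moments fit to the continuous GP stands in for its discrete-GP
estimation, and the traffic values are synthetic, not captured traffic."""
import random
import statistics


def fit_gp_moments(xs):
    """Method-of-moments GP fit: returns (shape xi, scale sigma).
    Valid for xi < 1/2, where the distribution has finite variance."""
    m = statistics.fmean(xs)
    v = statistics.variance(xs)
    r = m * m / v
    return (1.0 - r) / 2.0, m * (1.0 + r) / 2.0


def slow_parameters(series, seg_len):
    """Split the series into equal-length segments and fit a GP to each."""
    return [fit_gp_moments(series[i:i + seg_len])
            for i in range(0, len(series) - seg_len + 1, seg_len)]


def flag_segments(params, z_max=5.0):
    """Robust z-score of each segment's scale parameter against the median
    and MAD of the whole parameter series; the floor on the spread keeps
    near-identical normal segments from shrinking the threshold to zero."""
    sigmas = [s for _, s in params]
    med = statistics.median(sigmas)
    mad = statistics.median(abs(s - med) for s in sigmas) * 1.4826
    spread = max(mad, 0.1 * med)
    return [i for i, s in enumerate(sigmas) if abs(s - med) / spread > z_max]


def gp_sample(rng, xi, sigma, n):
    """Inverse-CDF sampling of GP(xi, sigma); xi != 0 is assumed."""
    return [sigma / xi * ((1.0 - rng.random()) ** (-xi) - 1.0) for _ in range(n)]


def synthetic_traffic(seed=7, segments=12, seg_len=300, burst_at=8):
    """Constructed series: GP(0.1, 1.0) segments with one GP(0.1, 6.0) burst."""
    rng = random.Random(seed)
    series = []
    for k in range(segments):
        series.extend(gp_sample(rng, 0.1, 6.0 if k == burst_at else 1.0, seg_len))
    return series


if __name__ == "__main__":
    print(flag_segments(slow_parameters(synthetic_traffic(), 300)))
```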



Keywords


Superstatistics, Pareto distribution, Network traffic




Journal of Networks (JNW, ISSN 1796-2056)

Copyright @ 2006-2012 by ACADEMY PUBLISHER – All rights reserved.