Assessment of the Thresholding Impact on Reliability of Anomaly Detection in Network Traffic using Statistical Approach

Authors: Basarab M.A., Sheluhin O.I., Konovalov I.A. Published: 01.10.2018
Published in issue: #5(122)/2018  
DOI: 10.18698/0236-3933-2018-5-56-67

Category: Informatics, Computer Engineering and Control | Chapter: Methods and Systems of Information Protection, Information Security  
Keywords: reliability of detection, anomaly, wavelet transform, wavelet coefficients, thresholding, statistical criteria

The study introduces a method based on statistical criteria with additional thresholding of detail wavelet coefficients for online anomaly detection in computer networks. Methods using statistical criteria are used in behavioral intrusion detection systems, which detect deviations from a given profile of normal behavior. To calculate the decision statistics, the proposed method uses two sliding windows, which enables high efficiency of anomaly detection in computer networks. The paper considers the implementation of the decision statistics for three criteria based on the sample mean and sample variance: the F-test for means, the Cochran-Cox test and the F-test for variance. To process the traffic using thresholding, an additional window of fixed size is introduced. Anomaly detection is performed by comparing the values of the decision statistics with a threshold calculated from the statistics of normal traffic. To assess the impact of thresholding, such intrusions as UDP flood and ICMP flood are detected with and without thresholding. The developed algorithm, based on statistical analysis with additional thresholding of the detail coefficients of the wavelet decomposition, improves the reliability of anomaly detection in network traffic.
