Anomaly detection in network traffic based on statistical inference and alpha-stable modeling

Federico Simmross-Wattenberg, Juan Ignacio Asensio-Perez, Pablo Casaseca de la Higuera, Marcos Martin-Fernandez, Ioannis A. Dimitriadis, Carlos Alberola-Lopez

Research output: Contribution to journalArticle

60 Citations (Scopus)

Abstract

This paper proposes a novel method to detect anomalies in network traffic, based on a nonrestricted alpha-stable first-order model and statistical hypothesis testing. To this end, we give statistical evidence that the marginal distribution of real traffic is adequately modeled with alpha-stable functions and classify traffic patterns by means of a Generalized Likelihood Ratio Test (GLRT). The method automatically chooses traffic windows used as a reference, which the traffic window under test is compared with, with no expert intervention needed to that end. We focus on detecting two anomaly types, namely floods and flash-crowds, which have been frequently studied in the literature. Performance of our detection method has been measured through Receiver Operating Characteristic (ROC) curves and results indicate that our method outperforms the closely-related state-of-the-art contribution described in [1]. All experiments use traffic data collected from two routers at our university-a 25,000 students institution-which provide two different levels of traffic aggregation for our tests (traffic at a particular school and the whole university). In addition, the traffic model is tested with publicly available traffic traces. Due to the complexity of alpha-stable distributions, care has been taken in designing appropriate numerical algorithms to deal with the model.
Original languageEnglish
Pages (from-to)494-509
Number of pages16
JournalIEEE Transactions on Dependable and Secure Computing
Volume8
Issue number4
DOIs
Publication statusPublished - 2011
Externally publishedYes

Keywords

  • Traffic analysis
  • anomaly detection
  • alpha-stable distributions
  • statistical models
  • hypothesis testing
  • ROC curves

Cite this

Simmross-Wattenberg, F., Ignacio Asensio-Perez, J., Casaseca de la Higuera, P., Martin-Fernandez, M., Dimitriadis, I. A., & Alberola-Lopez, C. (2011). Anomaly detection in network traffic based on statistical inference and alpha-stable modeling. IEEE Transactions on Dependable and Secure Computing, 8(4), 494-509. https://doi.org/10.1109/TDSC.2011.14