Using adaptive lossless compression to characterize network traffic

Abstract

Detecting anomalies in network traffic is a challenging task, not only because of the inherent difficulty of identifying anomalies such as intrusions [1] but also because of the sheer volume of data. In this paper, we attempt to extend existing work in the field of steganalysis to the problem of detecting anomalies in network traffic. By losslessly compressing network traffic using an adaptive compression algorithm, we postulate that it is possible to characterize normal network traffic. Once typical traffic has been defined, it is possible to identify anomalous traffic as the traffic that does not compress well.