Anomaly detection using Wavelet-based estimation of LRD in packet and byte count of control traffic

Abstract

The detection of anomalous behavior such as low volume attacks and abnormalities in today's large volume of Internet traffic has become a challenging problem in the network community. An efficient and real-time detection of anomaly traffic is crucial in order to rapidly diagnose and mitigate the anomaly, and to recover the resulting malfunction. In this paper, we present an efficient anomaly detection method based on the estimation of long-range dependence (LRD) behavior in packet and byte count of the aggregated control traffic. This method surrogates Internet aggregated whole traffic (i.e., control plus data) by the aggregated control traffic and detects anomaly traffic through the wavelet-based estimation of LRD behavior in the corresponding control traffic. Since Internet traffic exhibits LRD behavior during benign normal condition, deviation from this behavior can indicate an anomalous behavior. Experiments on the KSU dataset demonstrate that this method not only significantly improves the process of anomaly detection by considerably reducing the large-volume of traffic to be processed but also achieves a high detection effect. Because the control traffic constitute a small fraction of the whole traffic, and usually most of the attacks are manifested and carried out in the control traffic; therefore, surrogating the whole traffic by the control traffic increases the detection efficacy.