Network Anomaly Detection based on Multi-scale Dynamic Characteristics of Traffic
Abstract
This paper proposes a novel detection engine, called the Wavelet-Recurrence-Clustering (WRC) detection model, to study the network anomaly detection problem, which attracts wide interest in the Internet security area. The WRC model first applies the wavelet transform and recurrence analysis to calculate the multi-scale dynamic characteristics of network traffic, and then identifies network anomalies through a clustering algorithm applied to those dynamic characteristics. The evaluation results on the DARPA 1999 dataset indicate that the WRC detection model can effectively improve the detection accuracy with a low false alarm rate.

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
ONLINE OPEN ACCESS: Access to the full text of each article and each issue is allowed for free under the Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license.
You are free to:
-Share: copy and redistribute the material in any medium or format;
-Adapt: remix, transform, and build upon the material.
The licensor cannot revoke these freedoms as long as you follow the license terms.
DISCLAIMER: The author(s) of each article appearing in International Journal of Computers Communications & Control is/are solely responsible for the content thereof; the publication of an article shall not constitute or be deemed to constitute any representation by the Editors or Agora University Press that the data presented therein are original, correct or sufficient to support the conclusions reached or that the experiment design or methodology is adequate.