Network Anomaly Detection based on Multi-scale Dynamic Characteristics of Traffic

Jing Yuan, Ruixi Yuan, Xi Chen


This paper proposes a novel detection engine, called the Wavelet-Recurrence-Clustering (WRC) detection model, to study the network anomaly detection problem that is widely attractive in Internet security area. The WRC model first
applies the wavelet transform and recurrence analysis to calculate the multi-scale dynamic characteristics of network traffic, and then identifies network anomalies through
the clustering algorithm with those dynamic characteristics. The evaluation results on DARPA 1999 dataset indicate that the WRC detection model can effectively improve the detection accuracy with a low false alarm rate.


network anomaly detection, multi-scale dynamic characteristics, recurrence analysis, WRC detection model

Full Text:



Kim, H. J.; Na, J. C.; Jang, J. S.; Network traffic anomaly detection based on ratio and volume analysis, International Journal of Computer Science and Network Security, 6(5): 190-194, 2006.

Wu, Q.; Shao Z.; Network anomaly detection using time series analysis, Proc. of the Joint Int. Conference on Autonomic and Autonomous Systems and International Conference on Network and Services, Papeete, Tahiti, 42-47, 2005.

Willinger, W.; Paxson, V.; Taqqu, M. S.; Self-similarity and heavy tail: structural modeling of network traffic, A Pratical Guide to Heavy Tails: Statistical Techniques and Applications, BirkhRăuser, Boston, USA, 1998.

Grossglauser, M.; Bolot, J. C.; On the relevance of long-range dependence in network traffic, IEEE/ACM Transactions on Networking, 7(5): 629-640, 1999.

Tsai, C. F.; Hsu, Y. F.; Lin, C.; Lin, W.; Intrusion detection by machine learning: a review, Experts Systems with Applications, 36(10): 11994-12000, 2009.

Shon, T.; Moon, J.; A hybrid machine learning approach to network anomaly detection, Information Science, 177: 3799-3821, 2007.

Gaddam, S. R.; Phoha, V. V.; Balagani, K. S.; K-Means+ID3: a novel method for supervised anomaly detection by cascading K-Means clustering and ID3 decision tree learning methods, IEEE Transactions on Knowledge and Data Engineering, 19(3): 345-354, 2007.

Sabhnani, M.; Serpen, G.; Why machine learning algorithms fail in misuse detection on KDD intrusion detection dataset, Intelligent Data Analysis, 8(4): 403-415, 2004.

Barford, P.; Kline, J.; Plonka, D.; Ron, A.; A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, Marseille, France, 71-82, 2002.

Polikar, R.; Wavelet tutorial,, 2001.

Eckmann, J. P.; Kamphorst, S. O.; Ruelle, D.; Recurrence plots of dynamical systems, Europhysics Letters, 4(9): 973-977, 1987.

Zbilut, J. P.; Webber, C. L.; Embedding and delays as derived from quantification of recurrence plots, Physics Letter A, 171: 199-203, 1992.

Duda, R. O.; Hart, P. E.; Stork, D. G.; Pattern classification, 2rd edn., Wiley-intersicence, New York, USA, 2000.

DARPA 1999;, 1999.

Ohira, T.; Schreiber T.; Nonlinear time series analysis, 2rd edn., Cambridge University Press, New York, USA, 2004.

Chen, W. (2006); Study on the identification of two-phase flow patterns, Master Thesis.

Marwan, N.; Romano, M. C.; Thiel, M.; Kurths, J.; Recurrence plots for the analysis of complex systems, Physics Reports, 438: 237-329, 200


Copyright (c) 2017 Jing Yuan, Ruixi Yuan, Xi Chen

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

CC-BY-NC  License for Website User

Articles published in IJCCC user license are protected by copyright.

Users can access, download, copy, translate the IJCCC articles for non-commercial purposes provided that users, but cannot redistribute, display or adapt:

  • Cite the article using an appropriate bibliographic citation: author(s), article title, journal, volume, issue, page numbers, year of publication, DOI, and the link to the definitive published version on IJCCC website;
  • Maintain the integrity of the IJCCC article;
  • Retain the copyright notices and links to these terms and conditions so it is clear to other users what can and what cannot be done with the  article;
  • Ensure that, for any content in the IJCCC article that is identified as belonging to a third party, any re-use complies with the copyright policies of that third party;
  • Any translations must prominently display the statement: "This is an unofficial translation of an article that appeared in IJCCC. Agora University  has not endorsed this translation."

This is a non commercial license where the use of published articles for commercial purposes is forbiden. 

Commercial purposes include: 

  • Copying or downloading IJCCC articles, or linking to such postings, for further redistribution, sale or licensing, for a fee;
  • Copying, downloading or posting by a site or service that incorporates advertising with such content;
  • The inclusion or incorporation of article content in other works or services (other than normal quotations with an appropriate citation) that is then available for sale or licensing, for a fee;
  • Use of IJCCC articles or article content (other than normal quotations with appropriate citation) by for-profit organizations for promotional purposes, whether for a fee or otherwise;
  • Use for the purposes of monetary reward by means of sale, resale, license, loan, transfer or other form of commercial exploitation;

    The licensor cannot revoke these freedoms as long as you follow the license terms.

[End of CC-BY-NC  License for Website User]

INTERNATIONAL JOURNAL OF COMPUTERS COMMUNICATIONS & CONTROL (IJCCC), With Emphasis on the Integration of Three Technologies (C & C & C),  ISSN 1841-9836.

IJCCC was founded in 2006,  at Agora University, by  Ioan DZITAC (Editor-in-Chief),  Florin Gheorghe FILIP (Editor-in-Chief), and  Misu-Jan MANOLESCU (Managing Editor).

Ethics: This journal is a member of, and subscribes to the principles of, the Committee on Publication Ethics (COPE).

Ioan  DZITAC (Editor-in-Chief) at COPE European Seminar, Bruxelles, 2015:

IJCCC is covered/indexed/abstracted in Science Citation Index Expanded (since vol.1(S),  2006); JCR2018: IF=1.585..

IJCCC is indexed in Scopus from 2008 (CiteScore2018 = 1.56):

Nomination by Elsevier for Journal Excellence Award Romania 2015 (SNIP2014 = 1.029): Elsevier/ Scopus

IJCCC was nominated by Elsevier for Journal Excellence Award - "Scopus Awards Romania 2015" (SNIP2014 = 1.029).

IJCCC is in Top 3 of 157 Romanian journals indexed by Scopus (in all fields) and No.1 in Computer Science field by Elsevier/ Scopus.


 Impact Factor in JCR2018 (Clarivate Analytics/SCI Expanded/ISI Web of Science): IF=1.585 (Q3). Scopus: CiteScore2018=1.56 (Q2);

SCImago Journal & Country Rank

Editors-in-Chief: Ioan DZITAC & Florin Gheorghe FILIP.