Network Anomaly Detection based on Multi-scale Dynamic Characteristics of Traffic


  • Jing Yuan Department of Automation, Tsinghua University Beijing, China 100084
  • Ruixi Yuan Department of Automation, Tsinghua University Beijing, China 100084
  • Xi Chen Department of Automation, Tsinghua University Beijing, China 100084


network anomaly detection, multi-scale dynamic characteristics, recurrence analysis, WRC detection model


This paper proposes a novel detection engine, called the Wavelet-Recurrence-Clustering (WRC) detection model, to study the network anomaly detection problem that is widely attractive in Internet security area. The WRC model first
applies the wavelet transform and recurrence analysis to calculate the multi-scale dynamic characteristics of network traffic, and then identifies network anomalies through
the clustering algorithm with those dynamic characteristics. The evaluation results on DARPA 1999 dataset indicate that the WRC detection model can effectively improve the detection accuracy with a low false alarm rate.

Author Biography

Jing Yuan, Department of Automation, Tsinghua University Beijing, China 100084

Department of Mathematics and Computer Science


Kim, H. J.; Na, J. C.; Jang, J. S.; Network traffic anomaly detection based on ratio and volume analysis, International Journal of Computer Science and Network Security, 6(5): 190-194, 2006.

Wu, Q.; Shao Z.; Network anomaly detection using time series analysis, Proc. of the Joint Int. Conference on Autonomic and Autonomous Systems and International Conference on Network and Services, Papeete, Tahiti, 42-47, 2005.

Willinger, W.; Paxson, V.; Taqqu, M. S.; Self-similarity and heavy tail: structural modeling of network traffic, A Pratical Guide to Heavy Tails: Statistical Techniques and Applications, BirkhRăuser, Boston, USA, 1998.

Grossglauser, M.; Bolot, J. C.; On the relevance of long-range dependence in network traffic, IEEE/ACM Transactions on Networking, 7(5): 629-640, 1999.

Tsai, C. F.; Hsu, Y. F.; Lin, C.; Lin, W.; Intrusion detection by machine learning: a review, Experts Systems with Applications, 36(10): 11994-12000, 2009.

Shon, T.; Moon, J.; A hybrid machine learning approach to network anomaly detection, Information Science, 177: 3799-3821, 2007.

Gaddam, S. R.; Phoha, V. V.; Balagani, K. S.; K-Means+ID3: a novel method for supervised anomaly detection by cascading K-Means clustering and ID3 decision tree learning methods, IEEE Transactions on Knowledge and Data Engineering, 19(3): 345-354, 2007.

Sabhnani, M.; Serpen, G.; Why machine learning algorithms fail in misuse detection on KDD intrusion detection dataset, Intelligent Data Analysis, 8(4): 403-415, 2004.

Barford, P.; Kline, J.; Plonka, D.; Ron, A.; A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, Marseille, France, 71-82, 2002.

Polikar, R.; Wavelet tutorial,, 2001.

Eckmann, J. P.; Kamphorst, S. O.; Ruelle, D.; Recurrence plots of dynamical systems, Europhysics Letters, 4(9): 973-977, 1987.

Zbilut, J. P.; Webber, C. L.; Embedding and delays as derived from quantification of recurrence plots, Physics Letter A, 171: 199-203, 1992.

Duda, R. O.; Hart, P. E.; Stork, D. G.; Pattern classification, 2rd edn., Wiley-intersicence, New York, USA, 2000.

DARPA 1999;, 1999.

Ohira, T.; Schreiber T.; Nonlinear time series analysis, 2rd edn., Cambridge University Press, New York, USA, 2004.

Chen, W. (2006); Study on the identification of two-phase flow patterns, Master Thesis.

Marwan, N.; Romano, M. C.; Thiel, M.; Kurths, J.; Recurrence plots for the analysis of complex systems, Physics Reports, 438: 237-329, 200



Most read articles by the same author(s)

Obs.: This plugin requires at least one statistics/report plugin to be enabled. If your statistics plugins provide more than one metric then please also select a main metric on the admin's site settings page and/or on the journal manager's settings pages.