Telecommunication Systems

, Volume 65, Issue 2, pp 319–330 | Cite as

Context-aware security framework based on Traffic Anomaly Detection Indicator

  • Antonio CuadraEmail author
  • Javier Aracil


Context-aware security utilizes external data, such as time of the day or user information, to improve its capability of detecting a security breach. In this paper we present a Context-aware security framework based on a Traffic Anomaly Detection Indicator (TADI) which indicates when a threat can occur. The main novelty of our approach is that we use as a context the time-based information derived from profile analysis of a typical day to determine more accurately the presence of an anomaly based on the time of day it occurs. This 24-h typical daily analysis helps us to consider the time interval (night-time, working hours, etc.) in which a potential threat occurs, in contrast to traditional sudden peak changes. First, a preliminary analysis based on historical data shows how traffic typically behaves at each particular period of the day. We subsequently calibrate our procedure by checking the effectiveness of different algorithms so that we are aware of which ones gets better performance in each period of the day. Finally the TADI is calculated from the time-based contextual information. We also present the results based on actual traffic traces collected from a campus university that show the effectiveness of the proposed method.


Context-aware security Traffic anomaly detection Change point detection algorithms 


  1. 1.
    Gartner, IT Glosary, Gartner, Inc. (2015).
  2. 2.
    Davis, A. (2014). Security Think Tank: Context-aware security is about more than buying technology, Scholar
  3. 3.
    Garcia-Teodoro, P., Diaz-Verdejo, J., Maciá-Fernández, G., & Vázquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. The International Source of Innovation for the Information Security and IT Audit Professional (Computers & security Journal). Elsevier, 28, 18–28.Google Scholar
  4. 4.
    Cuadra, A., & Ramos, A. J. J. (2014). Proposal of a new information-theory based technique and analysis of traffic anomaly detection. In IEEE International Conference on Smart Communications in Network Technologies (SaCoNeT) (Vol. 1, pp. 1–6).Google Scholar
  5. 5.
    Cuppens, F., & Cuppens-Boulahia, N. (2008). Modeling contextual security policies. International Journal of Information Security, Springer, 7, 285–305.CrossRefGoogle Scholar
  6. 6.
    Gartner, Hype Cycle for Application Security, Gartner, Inc. (2014).
  7. 7.
    Miettinen, M., Asokan, N., Nguyen, T. D., Sadeghi, A. R., & Sobhani, M. (2014) Context-based zero-interaction pairing and key evolution for advanced personal devices. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, ACM (pp. 880–891).Google Scholar
  8. 8.
    Ouedraogo, W. F., Biennier, F., & Ghodous, P. (2012). Adaptive security policy model to deploy business process in cloud infrastructure. In International Conference on Cloud Computing and Services Science (CLOSER) (pp. 287–290).Google Scholar
  9. 9.
    Sliman, L., Biennier, F., & Badr, Y. (2009). A security policy framework for context-aware and user preferences in e-services. Journal of Systems Architecture, 55, 275–288.CrossRefGoogle Scholar
  10. 10.
    Kalam, A. A. E., Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miege, A., Saurel, C., & Trouessin, G. (2003). Organization based access control. In IEEE 4th International Workshop on Policies for Distributed Systems and Networks. Proceedings. POLICY 2003, IEEE (pp. 120–131).Google Scholar
  11. 11.
    Debar, H., Thomas, Y., Boulahia-Cuppens, N., & Cuppens, F. (2006). Using contextual security policies for threat response. In Detection of intrusions and malware & vulnerability assessment (pp. 109–128). New York: Springer.Google Scholar
  12. 12.
    Debar, H., Thomas, Y., Cuppens, F., & Cuppens-Boulahia, N. (2007). Enabling automated threat response through the use of a dynamic security policy. Journal in Computer Virology, 3, 195–210.CrossRefGoogle Scholar
  13. 13.
    Preda, S., Cuppens-Boulahia, N., Cuppens, F.,&Toutain, L. (2010). Architecture-aware adaptive deployment of contextual security policies. In ARES’10 International Conference on Availability, Reliability, and Security, IEEE (pp. 87–95).Google Scholar
  14. 14.
    Preda, S., Cuppens, F., Cuppens-Boulahia, N., Garcia-Alfaro, J., & Toutain, L. (2011). Dynamic deployment of context-aware access control policies for constrained security devices. Journal of Systems and Software, 84, 1144–1159.CrossRefGoogle Scholar
  15. 15.
    Kim, Y., Lau, W. C., Chuah, M. C., & Chao, H. J. (2004). Packetscore: Statistics-based overload control against distributed denial-of-service attacks. In INFOCOM 2004. Twenty-third AnnualJoint Conference of the IEEE Computer and Communications Societies (2004), IEEE (Vol. 4, pp. 2594–2604).Google Scholar
  16. 16.
    Kim, Y., Lau, W. C., Chuah, M. C., & Chao, H. J. (2006). Packetscore: A statistics-based packet filtering scheme against distributed denial-of-service attacks. IEEE Transactions on Dependable and Secure Computing, 3, 141–155.CrossRefGoogle Scholar
  17. 17.
    Croarkin, C., & Guthrie, W. (2012). NIST/SEMATECH e-Handbook of statistical methods. National Institute of Standards and Technology (NIST).Google Scholar
  18. 18.
    Shannon, C. E. (2001). A mathematical theory of communication. ACM SIGMOBILE Mobile Computing and Communications Review, 5, 3–55.CrossRefGoogle Scholar
  19. 19.
    Montgomery, D. (2004). Introduction to statistical quality control. New York: Wiley.Google Scholar
  20. 20.
    Cuadra-Sánchez, A., & Aracil, J. (2015). Traffic anomaly detection. Amsterdam: Elsevier Ltd.Google Scholar
  21. 21.
    Maria, A., Matias, R., Macedo, A., Maciel, P. R. M., & Araujo, L. B. (2011). Performance analysis of control charts techniques applied to ip traffic forecasts. IEEE 12th International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT) (pp. 109–115).Google Scholar
  22. 22.
    Matias, R., Carvalho, A. M., Araujo, L. B., & Maciel, P. R. M. (2011). Comparison analysis of statistical control charts for quality monitoring of network traffic forecasts. In IEEE International Conference on Systems, Man, and Cybernetics (SMC) (pp. 404–409).Google Scholar
  23. 23.
    Oprea, R., & Emile, A. (2013). Traffic anomaly detection using a distributed measurement network. Amsterdam: University of Amsterdam.Google Scholar
  24. 24.
    Bulunga, M. L. (2012). Change-point detection in dynamical systems using auto-associative neural networks. Doctoral dissertation, Stellenbosch University.Google Scholar
  25. 25.
    Carvalho, A. M. M. (2012). Controle estatstico de processos de predio de trfego de redes de computadores. Master’s Thesis, University of Uberlndia.Google Scholar
  26. 26.
    Callegari, C., Giordano, S., Pagano, M., & Pepe, T. (2012). Wave-cusum: Improving cusum performance in network anomaly detection by means of wavelet analysis. Computers and Security, 31, 727–735.CrossRefGoogle Scholar
  27. 27.
    Arnold, T. B., & Emerson, J. W. (2011). Nonparametric goodness-of-fit tests for discrete null distributions. The R Journal, 3, 34–39.Google Scholar
  28. 28.
    Gagunashvili, N. (2010). Chi-square tests for comparing weighted histograms. Nuclear Instruments and Methods in Physics Research Section A: Accelerators, Spectrometers, Detectors and Associated Equipment, 614, 287–296.CrossRefGoogle Scholar
  29. 29.
    Higgins, J. J. (2003). Introduction to modern nonparametric statistics (1st ed.). Florence: Duxbury Press.Google Scholar
  30. 30.
    Tartakovsky, A. G., Rozovskii, B. L., Blazek, R. B., & Kim, H. (2006). A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods. IEEE Transactions on Signal Processing, 54, 3372–3382.CrossRefGoogle Scholar
  31. 31.
    Marinescu, D. C., & Marinescu, G. M. (2012). Classical and quantum information. New York: Academic Press.Google Scholar
  32. 32.
    Verron, S., Tiplica, T., & Kobi, A. (2008). Fault detection and identification with a new feature selection based on mutual information. Journal of Process Control, 18, 479–490.CrossRefGoogle Scholar
  33. 33.
    Amiri, F., Yousefi, M. R., Lucas, C., Shakery, A., & Yazdani, N. (2011). Mutual information-based feature selection for intrusion detection systems. Journal of Network and Computer Applications, 34, 1184–1199.CrossRefGoogle Scholar
  34. 34.
    Drugman, T. (2014). Using mutual information in supervised temporal event detection: Application to cough detection. Biomedical Signal Processing and Control, 10, 50–57.Google Scholar
  35. 35.
    Shah, K., Jonckheere, E., & Bohacek, S. (2006). Dynamic modeling of internet traffic for intrusion detection. EURASIP Journal on Advances in Signal Processing, 2004, 1.Google Scholar

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. 1.Universidad Autónoma de MadridMadridSpain
  2. 2.Indra Sistemas, S.A.ValladolidSpain

Personalised recommendations