Network Traffic Prediction and Anomaly Detection Based on ARFIMA Model

  • Tomasz AndrysiakEmail author
  • Łukasz Saganowski
  • Michał Choraś
  • Rafał Kozik
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 299)


In this paper, we present network anomaly detection with the use of ARFIMA model. We propose the method of estimation parameters using the Hyndman-Khandakar algorithm to estimate the polymonials parameters and the Haslett and Raftery algorithm to estimate the differencing parameters. The choice of optimal values of the model parameters is performed on the basis of information criteria representing a compromise between the consistency model and the size of its error of estimate. In the presented method, we propose to use statistical relationships between predicted and original network traffic to determine if the examined trace is normal or attacked. The efficiency of our method is verified with the use of extended set of benchmark test real traces. The reported experimental results confirm the efficiency of the presented method.


network anomaly detection cybersecurity ARFIMA 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Jackson, K.: Intrusion Detection Systems (IDS). Product Survey. Los Alamos National Library, LA-UR-99-3883 (1999)Google Scholar
  2. 2.
    Esposito, M., Mazzariello, C., Oliviero, F., Romano, S.P., Sansone, C.: Evaluating Pattern Recognition Techniques in Intrusion Detection Systems. PRIS, pp. 144–153 (2005)Google Scholar
  3. 3.
    Esposito, M., Mazzariello, C., Oliviero, F., Romano, S.P., Sansone, C.: Real Time Detection of Novel Attacks by Means of Data Mining Techniques. ICEIS (3), 120–127 (2005)Google Scholar
  4. 4.
    Lakhina, A., Crovella, M., Diot, C.H.: Characterization of network-wide anomalies in traffic flows. In: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, pp. 201–206 (2004)Google Scholar
  5. 5.
    Scherrer, A., Larrieu, N., Owezarski, P., Borgnat, P., Abry, P.: Non-Gaussian and Long Memory Statistical Characterizations for Internet Traffic with Anomalies. IEEE Transactions on Dependable and Secure Computing 4(1), 56 (2007)CrossRefGoogle Scholar
  6. 6.
    Rodriguez, A.C., de los Mozos, M.R.: Improving network security through traffic log anomaly detection using time series analysis. In: Herrero, Á., Corchado, E., Redondo, C., Alonso, Á. (eds.) Computational Intelligence in Security for Information Systems 2010. AISC, vol. 85, pp. 125–133. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Brockwell, P., Davis, R.: Introduction to time series and forecasting. Springer (2002)Google Scholar
  8. 8.
    Celenk, M., Conley, T., Graham, J., Willis, J.: Anomaly Prediction in Network Traffic Using Adaptive Wiener Filtering and ARMA Modeling. In: IEEE International Conference on Systems, Man and Cybernetics, SMC, pp. 3548–3553 (2008)Google Scholar
  9. 9.
    Geweke, J., Porter-Hudak, S.: The Estimation and Application of Long Memory Time Series Models. Journal of Time Series Analysis (4), 221–238 (1983)Google Scholar
  10. 10.
    Yaacob, A., Tan, I., Chien, S., Tan, H.: Arima based network anomaly detection. In: Second International Conference on Communication Software and Networks, pp. 205–209. IEEE (2010)Google Scholar
  11. 11.
    Box, G.E., Jenkins, M.G.: Time series analysis forecasting and control, 2nd edn. Holden-Day, San Francisco (1976)zbMATHGoogle Scholar
  12. 12.
    Hosking, J.R.M.: Fractional differencing. Biometrika (68), 165–176 (1981)Google Scholar
  13. 13.
    Haslett, J., Raftery, A.E.: Space-time modelling with long-memory dependence: assessing Ireland’s wind power resource (with Discussion). Applied Statistics 38(1), 1–50 (1989)CrossRefGoogle Scholar
  14. 14.
    Hyndman, R.J., Khandakar, Y.: Automatic time series forecasting: the forecast Package for R. Journal of Statistical Softwar 27(3), 1–22 (2008)Google Scholar
  15. 15.
    Johnston, J., DiNardo, J.: Econometric methods, 4th edn. McGraw-Hill, Singapore (1997)Google Scholar
  16. 16.
    Box, G., Jenkins, G., Reinsel, G.: Time series analysis. Holden-day San Francisco (1970)Google Scholar
  17. 17.
    Defense Advanced Research Projects Agency DARPA Intrusion Detection Evaluation Data Set,
  18. 18.
    CAIDA benchmark dataset (2009),
  19. 19.
    Benchmark Data (2010),
  20. 20.
    Wei, L., Ghorbani, A.: Network Anomaly Detection Based on Wavelet Analysis. EURASIP Journal on Advances in Signal Processing 2009, Article ID 837601, 16 pages (2009), doi:10.1155/2009/837601Google Scholar
  21. 21.
    Dainotti, A., Pescape, A., Ventre, G.: Wavelet-based Detection of DoS Attacks. In: IEEE GLOBECOM, San Francisco, CA, USA (November 2006)Google Scholar
  22. 22.
    Herrero, A., Zurutuza, U., Corchado, E.: A neural-visualization ids for honeynet data. International Journal of Neural Systems 22(2)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Tomasz Andrysiak
    • 1
    Email author
  • Łukasz Saganowski
    • 1
  • Michał Choraś
    • 1
  • Rafał Kozik
    • 1
  1. 1.Institute of TelecommunicationsUniversity of Technology & Life Sciences in BydgoszczBydgoszczPoland

Personalised recommendations