Detecting Traffic Anomalies through Aggregate Analysis of Packet Header Data

  • Seong Soo Kim
  • A. L. Narasimha Reddy
  • Marina Vannucci
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3042)


If efficient network analysis tools were available, it could become possible to detect the attacks, anomalies and to appropriately take action to contain the attacks. In this paper, we suggest a technique for traffic anomaly detection based on analyzing correlation of destination IP addresses in outgoing traffic at an egress router. This address correlation data are transformed through discrete wavelet transform for effective detection of anomalies through statistical analysis. Our techniques can be employed for postmortem and real-time analysis of outgoing network traffic at a campus edge. Results from trace-driven evaluation suggest that proposed approach could provide an effective means of detecting anomalies close to the network. We also present data analyzing the correlation of port numbers as a means of detecting anomalies.


Discrete Wavelet Transform Network Traffic Port Number Aggregate Analysis Simulated Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Anu Ramanathan, “WADeS: A Tool for Distributed Denial of Service Attack Detection”, TAMU-ECE-2002–02, Master of Science Thesis, August 2002.Google Scholar
  2. 2.
    National Laboratory for Applied Network Research (NLANR), measurement and operations analysis team, “NLANR network traffic packet header traces”, accessed in August 2002.Google Scholar
  3. 3.
    P. Barford, J. Kline, D. Pionka and A. Ron, “A Signal Analysis of Network Traffic Anomalies,” in Proc. of ACM SIGCOMM IMW, Marseille, France, November 2002.Google Scholar
  4. 4.
    T. M. Gil and M. Poletto, “MULTOPS: A Data-Structure for Bandwidth Attack Detection”, in Proc. of the 10 th USENIX Security Symposium, Washington, D.C., USA, August 2001.Google Scholar
  5. 5.
    E. Kohler, J. Li, V. Paxson and S. Shenker, “Observed Structure of Addresses in IP Traffic, in Proc. of ACM SIGCOMM IMW, Marseille, France, November 2002.Google Scholar
  6. 6.
    Chen-Mou Cheng, H. T. Kung and Koan-Sin Tan, “Use of spectral analysis in defense against DoS attacks”, in Proc. of IEEE Globecom, 2002.Google Scholar
  7. 7.
    KREONet2 (Korea Research Environment Open NETwork2),
  8. 8.
    Seong Soo Kim, A. L. Narasimha Reddy and Marina Vannucci, “Detecting Traffic Anomalies using Discrete Wavelet Transform”, in Proc. of ICOIN 2004, Busan, Korea, Feb 2004Google Scholar
  9. 9.
    Anja Feldmann, Anna Gilbert, Polly Huang and Walter Willinger, “Dynamics of IP traffic: A study of the role of variability and the impact of control”, Computer Communication Review, Vol. 29, No. 4 (Proc. of the ACM Sigcomm’99, Cambridge, MA), pp. 301–313, 1999.CrossRefGoogle Scholar
  10. 10.
    CERT Coordination Center (CERT/CC), “CERT Advisory CA-2003–04 MS-SQL Server Worm”, January 2003.

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Seong Soo Kim
    • 1
  • A. L. Narasimha Reddy
    • 1
  • Marina Vannucci
    • 2
  1. 1.Department of Electrical EngineeringUSA
  2. 2.StatisticsTexas A&M UniversityCollege StationUSA

Personalised recommendations