Improving Network Security through Traffic Log Anomaly Detection Using Time Series Analysis
Detecting and understanding the different anomalies that may occur in a network is a hard and ill-defined problem. The main purpose of this document is to show the results obtained from applying Data Mining techniques to detect aberrant behavior in the network. For that, we focused the detection on time series analysis, an unsupervised learning technique based on network flows that studies past patterns in order to make future decisions. This approach has shown to be effective for preliminary anomaly detection as part of a larger log correlation method or anomaly detector.
Keywords: Data Mining, Anomaly Detection, Time Series Analysis, ARIMA
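As an added illustration of the approach the abstract describes (not code from the paper), the script below fits a minimal autoregressive model, AR(1), the simplest member of the ARIMA family, to a clean window of per-minute flow counts and then flags later minutes whose one-step-ahead forecast error exceeds three residual standard deviations. The flow counts are constructed here: a repeating 10-minute usage pattern with one burst injected at minute 40.

```python
import math

# Constructed per-minute flow counts (not data from the paper): a 10-minute
# repeating usage pattern around 1000 flows/min, with one burst injected at
# minute 40 to stand in for the aberrant behaviour to be detected.
PATTERN = [0, 3, -2, 4, -3, 1, -1, 2, 0, -4]
FLOW_COUNTS = [1000 + 10 * PATTERN[t % 10] for t in range(60)]
FLOW_COUNTS[40] = 4000  # injected burst

def fit_ar1(train):
    """Least-squares fit of x_t = c + phi * x_{t-1} + e_t on a clean window.
    Returns (c, phi, sigma), where sigma is the RMS one-step residual."""
    prev, cur = train[:-1], train[1:]
    m_prev, m_cur = sum(prev) / len(prev), sum(cur) / len(cur)
    cov = sum((a - m_prev) * (b - m_cur) for a, b in zip(prev, cur))
    var = sum((a - m_prev) ** 2 for a in prev)
    phi = cov / var
    c = m_cur - phi * m_prev
    resid = [b - (c + phi * a) for a, b in zip(prev, cur)]
    sigma = math.sqrt(sum(r * r for r in resid) / len(resid))
    return c, phi, sigma

def detect_anomalies(series, train_len, k=3.0):
    """Flag minutes whose one-step-ahead forecast error exceeds k * sigma.
    A flagged observation is replaced by its forecast before the next step,
    so a single burst does not poison the forecast for the minute after it."""
    c, phi, sigma = fit_ar1(series[:train_len])
    threshold = k * sigma
    anomalies = []
    prev = series[train_len - 1]
    for t in range(train_len, len(series)):
        forecast = c + phi * prev
        residual = series[t] - forecast
        if abs(residual) > threshold:
            anomalies.append(t)
            prev = forecast   # do not let the outlier drive the next forecast
        else:
            prev = series[t]
    return anomalies

if __name__ == "__main__":
    # Train on the first 31 minutes (three clean periods), score the rest.
    print(detect_anomalies(FLOW_COUNTS, train_len=31))  # [40]
```

Without the forecast substitution after a flagged minute, minute 41 would also be reported, because the negative lag-1 correlation of the pattern makes the model expect a dip right after the burst; that double-flagging is a common source of noise in ARIMA-style detectors.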