Improving Network Security through Traffic Log Anomaly Detection Using Time Series Analysis

  • Aitor Corchero Rodriguez
  • Mario Reyes de los Mozos
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 85)


Detecting and understanding the different anomalies that may occur in the network is a hard and non-well defined problem. The main propose in this document is to show the results obtained from the application of Data Mining techniques in order to detect aberrant behavior in the network. For that, we focused the detection on time series analysis, an unsupervised learning technique based on network flows that studies the past patterns to obtain future decisions. This approach have shown to be effective in preliminary anomaly detection as a part of bigger log correlation method or anomaly detector.


Data Mining Anomaly Detection Time Series Analysis ARIMA 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Abry, P., Veitch, D.: Wavelet analysis of long range dependent traffic. IEEE Transactions On Information Theory 44, 2–15 (1998)zbMATHCrossRefMathSciNetGoogle Scholar
  2. Anderson, J.: Computer security technology planning study. Tech. rep., NIST (1972)Google Scholar
  3. Anderson, J.: Computer security threat: Monitoring and surveillance. Tech. rep., Fort Washington (1980)Google Scholar
  4. Andrew, Y.: Detecting anomalies in network traffic using maximum entropy estimation. In: Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement, pp. 32–32 (2005)Google Scholar
  5. Barford, P., Kline, J., Plonka, D., Ron, A.: A signal analysis of network traffic anomalies. In: Internet Measurement Workshop, pp. 71–82 (2002)Google Scholar
  6. Box, G., Jenkins, G.: Time series analysis: Forecasting and control, 3rd edn. Holden Day (1976)Google Scholar
  7. Chatfield, C., Yar, M.: Holt-Winters forecasting: Some practical issues. The Statistician, 129–140 (1988)Google Scholar
  8. Denning, D.: An intrusion-detection model. IEEE Transactions On Software Engineering 13(2), 222–232 (1987)CrossRefGoogle Scholar
  9. Fox, K., Henning, R., Reed, J., Simonian, R.: A neural network approach towards intrusion detection. In: Proc. 13th National Computer Security Conference. Information Systems Security. Standards - the Key to the Future, vol. I, pp. 124–134. NIST, Gaithersburg (1990)Google Scholar
  10. Keogh, E., Lonardi, S., Chiu, B.: Finding surprising patterns in a time series database in linear time and space. In: Proc. of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 550–556. ACM Press, New York (2002)Google Scholar
  11. Lakhina, A., Crovella, M., Diot, C.: Characterization of network-wide anomalies in traffic flows. In: ACM/SIGCOMM IMC, pp. 201–206 (2004)Google Scholar
  12. Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. SIGCOMM Comput. Commun. Rev. 35(4), 217–228 (2005)CrossRefGoogle Scholar
  13. Ringberg, H., Soule, A., Rexford, J., Diot, C.: Sensitivity of pca for traffic anomaly detection. SIGMETRICS Perform Eval. Rev. 35(1), 109–120 (2007)CrossRefGoogle Scholar
  14. S21sec, Bitacora product description (2010),
  15. Ye, N.: A markov chain model of temporal behavior for anomaly detection. In: Proceedings of the 2000 IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, pp. 171–174 (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Aitor Corchero Rodriguez
    • 1
  • Mario Reyes de los Mozos
    • 1
  1. 1.S21sec LabsParque Empresarial “La Muga” 

Personalised recommendations