Abstract
With the rapid expansion of computer networks, security has become a crucial issue for small home networks and large corporate intranets alike. A standard way to detect illegitimate use of a network is traffic monitoring. Consistent modelling of typical network activity can help separate normal use of the network from intruder activity or unusual user activity. This work presents an adaptive traffic modelling and estimation method for detecting unusual network activity, network anomalies or intrusions. The proposed method uses simple and widely collected sets of traffic data, such as bandwidth utilization. Its advantage is that it builds the traffic patterns from data that are easily obtained by polling a network node's MIB (Management Information Base). The method was tested using real traffic data from various network segments in our university campus. It performed equally well both offline and in real time, running at a fraction of the smallest sampling interval set by the network monitoring programs. The implemented adaptive multi-model partitioning algorithm successfully identified all typical or unusual activities contained in the test datasets.
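As an added illustration, not code from the chapter: a minimal multi-model partitioning run over constructed bandwidth-utilization samples of the kind obtained by polling a node MIB. It simplifies the chapter's method by using a bank of fixed first-order AR candidate models (the model names, levels, coefficient, noise level and the "unusual" label are assumptions), whereas the chapter's algorithm adapts its models online; the posterior update over the bank is the partitioning step itself.

```python
import math

# Constructed sample, not data from the chapter: link utilization (%) polled
# from a node MIB at a fixed interval; ten quiet samples, then a sustained burst.
SAMPLES = [18, 22, 20, 19, 21, 20, 23, 18, 20, 21,
           60, 75, 82, 79, 85, 80, 78, 83, 81, 80]
# Candidate models (assumed for this illustration): first-order AR processes
# around a mean level,  x_t - mu = a * (x_{t-1} - mu) + e_t,  e_t ~ N(0, SIGMA^2)
MODELS = {
    "idle":   {"mu": 2.0,  "a": 0.5, "unusual": False},
    "normal": {"mu": 20.0, "a": 0.5, "unusual": False},
    "burst":  {"mu": 80.0, "a": 0.5, "unusual": True},
}
SIGMA = 5.0      # assumed residual standard deviation shared by all models
FLOOR = 1e-3     # keep every model alive so the bank can switch back quickly
THRESHOLD = 0.9  # posterior required before an unusual model is reported


def predict(model, prev):
    """One-step-ahead prediction of the next utilization sample."""
    return model["mu"] + model["a"] * (prev - model["mu"])


def run_mmpa(samples, models=MODELS):
    """Multi-model partitioning: each candidate predicts the next sample and the
    posterior model probabilities are updated from the Gaussian likelihood of
    its prediction error. Returns (index, best model, posterior, flagged)
    for every sample from index 1 on."""
    names = list(models)
    post = {n: 1.0 / len(names) for n in names}          # uniform prior
    records = []
    for t in range(1, len(samples)):
        prev, x = samples[t - 1], samples[t]
        # log prior + log N(residual; 0, SIGMA^2), normalising constant dropped
        logw = {n: math.log(post[n])
                - (x - predict(models[n], prev)) ** 2 / (2 * SIGMA ** 2)
                for n in names}
        top = max(logw.values())
        w = {n: math.exp(logw[n] - top) for n in names}   # avoid underflow
        post = {n: max(w[n] / sum(w.values()), FLOOR) for n in names}
        total = sum(post.values())
        post = {n: post[n] / total for n in names}
        best = max(post, key=post.get)
        flagged = models[best]["unusual"] and post[best] > THRESHOLD
        records.append((t, best, round(post[best], 4), flagged))
    return records


def flagged_indices(samples, models=MODELS):
    """Sample indices at which the bank reports an unusual activity model."""
    return [t for t, _, _, f in run_mmpa(samples, models) if f]
```

On the constructed series the bank stays on the "normal" model for the quiet samples and switches to "burst" at the first high sample, so the report begins at index 10 and persists while the burst lasts.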
© 2018 Springer International Publishing AG, part of Springer Nature
Moussas, V.C. (2018). Adaptive Traffic Modelling for Network Anomaly Detection. In: Daras, N., Rassias, T. (eds) Modern Discrete Mathematics and Analysis. Springer Optimization and Its Applications, vol 131. Springer, Cham. https://doi.org/10.1007/978-3-319-74325-7_17
DOI: https://doi.org/10.1007/978-3-319-74325-7_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-74324-0
Online ISBN: 978-3-319-74325-7
eBook Packages: Mathematics and Statistics (R0)