Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Yufeng Chen,Yabo Dong,Dongming Lu,Yunhe Pan

DOI: https://doi.org/10.1007/11427995_50

2005-01-01

Abstract:Worms have been becoming a serious threat in web age because worms can cause huge loss due to the fast-spread property. To detect worms effectively, it is important to investigate the characteristics of worm traffic at individual source level. We model worm traffic with the multi-fractal process, and compare the multi-fractal property of worm and normal traffics at individual source level. The results show that the worm traffic possesses less multi-fractal property.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Sheng Zhang,QiFei Zhang,Xuezeng Pan,Xuhui Zhu

DOI: https://doi.org/10.1109/ETCS.2010.476

2010-01-01

Abstract:Distributed Denial-of-Service (DDos) attack is one of the high threats to the Internet. This paper proposes a measure based on Hurst coefficient to detect DDoS on Low-rate. The result of experiments shows that the measure can detect the DDoS intrusion hided in the normal data traffic in real time. © 2010 IEEE.

Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

XIAO Zheng-hong,PAN Mei-sen,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.02.099

2007-01-01

Abstract:Network traffic is one of the key properties in LAN as well as WAN,by wavelet analysis,the complex traffic times series can be decomposed into different frequent components.Based on wavelet decomposed,the self-similar of traffic can be used to detect anomaly behavior of network,a method of detecting attacks based on the deviation of Hurst parameter is presented.The changes of Hurst parameter are analyzed and compared in different time scale.Result shows the proposed approach can detect the possible presence of not only an anomaly,but also its location on data set.

Xiaolong Liang

DOI: https://doi.org/10.1109/netcit54147.2021.00053

2021-12-01

Abstract:With the rapid development of network communication technology, the continuous deepening of Internet application and the increasing enrichment of information, the Internet has become an important infrastructure of human society. With the development of network technology and the increasing complexity of network topology, the supervision of network is facing great challenges. Among them, network traffic anomaly detection is one of the important tasks in network supervision. It is an indispensable technical means in network intrusion detection, security monitoring, operation and maintenance. Network security has become a problem faced by people. Anomaly detection is valued by people in academia and industry because it can detect unknown attacks. Researchers have proposed a large number of anomaly detection methods and systems. However, with the continuous growth of network bandwidth and the continuous progress of network attack and defense game, the network itself is in the process of dynamic evolution, and the means and methods of network attack are also evolving, resulting in the improvement of detection accuracy and accuracy of anomaly detection system Operational efficiency, security and ease of use are facing severe challenges. It is of great significance to propose anomaly detection methods with high detection accuracy and high operation efficiency and optimize existing detection algorithms. It is also a cutting-edge scientific problem of common concern in the field of global network security in academia and industry. Based on the prediction model and classifier, this paper proposes a real-time online anomaly detection method for network traffic, and systematically implements this method.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

CS Gao,LX Han,ZW Cen,CB Chu

2001-01-01

Abstract:In this paper, penetrating from the mathematical perspective, we adopt the Daubechies DWT technique to analyze, model and simulate the collected Internet traffic trace in detail. We find that the real trace presents fractal/self-similar and multifractal nature by studying its scaling behavior. We develop a new multifractal model of the traffic and acquire the model parameters, We simulate the traffic using these parameters. The result shows that the new model in this paper characterizes fractal and multifractal more precisely than the previous model does. The research gives a new method to improve the network performance by capturing and characterizing the feature of the Internet traffics.

K.B.Chong,K.Y.Choo

DOI: https://doi.org/10.48550/arXiv.physics/0206012

2003-06-25

Abstract:Fractal behavior and long-range dependence have been observed in tele-traffic measurement and characterization. In this paper we show results of application of the fractal analysis to internet traffic via various methods. Our result demonstrate that the internet traffic exhibits self-similarity. Time-scale analysis show to be an effective way to characterize the local irregularity. Based on the result of this study, these two Internet time series exhibit fractal characteristic with long-range dependence.

Computational Physics,Data Analysis, Statistics and Probability

XING Ling,MA Qiang,XU Lei,JIANG Chun-xiao

DOI: https://doi.org/10.13190/j.jbupt.2015.05.009

2015-01-01

Abstract:In order to characterize local features of network redundant traffic on small-time scale more ac-curately, a new Cauchy-Laplace multifractal wavelet model was proposed. An algorithm for estimating pa-rameters of wavelets was also put forward. A joint distribution function was adopted to describe local fea-tures, i. e. , Cauchy and Laplace distributions were used to obtain the parameter multiply factors for heavy-tailed and spike features, respectively. A threshold for ratio of wavelets to scaling parameters, which decides how these two distributions affected redundant traffic modeling, was achieved by probabili-ty comparison. Experiments show that the proposed model can well characterize small-time scale multi-fractal features of network redundant traffic.

jing yuan,ruixi yuan,xi chen

DOI: https://doi.org/10.15837/ijccc.2014.1.870

IF: 2.635

2014-01-01

International Journal of Computers Communications & Control

Abstract:This paper proposes a novel detection engine, called the Wavelet-Recurrence-Clustering (WRC) detection model, to study the network anomaly detection problem that is widely attractive in Internet security area. The WRC model first applies the wavelet transform and recurrence analysis to calculate the multi-scale dynamic characteristics of network traffic, and then identifies network anomalies through the clustering algorithm with those dynamic characteristics. The evaluation results on DARPA 1999 dataset indicate that the WRC detection model can effectively improve the detection accuracy with a low false alarm

Weijie Hao,Qiang Yang,Zhiyi Li,Shiyan Hu,Bo Liu,Wei Ruan

DOI: https://doi.org/10.1109/jiot.2022.3210946

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Substation communication network (SCN) provides real-time, high-speed, and reliable data transmissions for the advanced monitoring and control functionalities, which are facing increasing cyberspace threats and attacks. Efficient threat perception and cyber situational awareness are essential to enhance secure and reliable SCN operations. This article explores multiscale SCN traffic pattern characteristics with holistic network traffic, separated network traffic for included devices (especially IoT devices) and separated network traffic of certain types of protocol. The proposed online traffic-oriented SCN traffic anomaly detection and cyber situational awareness models are designed for the network anomalies and cyber-attacks that could cause network traffic pattern variations. We leverage a fractional autoregressive integration moving average (FARIMA)-based dynamic threshold model to detect abnormal traffic patterns without sophisticated computations or deep packet inspection. The SCN real-time operation conditions are timely quantified through the statistical methods with the alliance of SCN topology and protocols. The cyber situational awareness model is further carried out to evaluate the most affected protocol and security risks of various devices in SCN using Grubbs' test. The experiment results are carried out based on a real 110-kV intelligent power substation. The numerical results confirm the comparative low mean square error (MSE) and low complexity of the online traffic characterization when forecasting holistic network traffic and separated network traffics. Furthermore, the timely and quantified cybersecurity risk analysis is conducted based on the SCN traffic with varying scales to detect cyberspace threats and identify the high-risk SCN devices and the most affected protocol.

Han Liangxiu,Cen Zhiwei,Chu Chunbo,Gao Chuanshan

DOI: https://doi.org/10.1016/S0960-0779(01)00159-X

2002-01-01

Abstract:In this paper, a new multifractal traffic model to capture the multifractal nature of modern Internet traffic was developed. Employing the algorithm of network traffic analysis (binomial inverse cascade process) to analyze the multifractal feature of traffic data and adopting the algorithm of network traffic synthesis (binomial cascade process) to model the network traffic, this approach gave an easy and efficient way to infer the model parameters from the measured traffic traces. Moreover, the traffic was simulated and analyzed using obtained parameters. It was found that the simulated traffic data were in a close fit to the real trace statistics. The analysis results showed that this model could capture the real network traffic very well.

Li,Yudong Chen,Yi Zhang

DOI: https://doi.org/10.48550/arxiv.0906.0426

2009-01-01

Abstract:In this short paper, we propose a new multi-fractal flow model, aiming to provide a possible explanation for the crossover phenomena that appear in the estimation of Hurst exponent for network traffic. It is shown that crossover occurs if the network flow consists of several components with different Hurst components. Our results indicate that this model might be useful in network traffic modeling and simulation.

GUO Shize,ZHANG Fan,SONG Zhuoxue,ZHAO Ziming,ZHAO Xinjie,WANG Xiaojuan,LUO Xiangyang

DOI: https://doi.org/10.11959/j.issn.2096−109x.2022004

2022-01-01

Abstract:Network attack detection plays a vital role in network security. Existing detection approaches focus on typical attack behaviors, such as Botnets and SQL injection. The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol. With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks, as well as benign flows was controlled. Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains, a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of “potential change” and obtain the “potential variation spectrum”. The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows. The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator. Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase, and there are similarities between some SSL/TLS attacks, the detection of SSL/TLS attacks not only needs to consider timing context information, but also needs to consider the high-separation representation of TLS network flows. Based on the flow spectrum theory, the threat template idea was used to extract the potential basis matrix, and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space. On the self-built SSL/TLS attack network flow data set, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation base matrix heatmap visualization.

Oleg I. Sheluhin,Sergey Y. Rybakov,Anna V. Vanyushina,,,

DOI: https://doi.org/10.36724/2409-5419-2023-15-1-57-64

2023-01-01

H&ES Research

Abstract:For building an effective network protection system in computer network against attacks, a promising direction is joint use of fractal analysis and data mining. It is proposed to increase the efficiency of network attacks classification by introducing additional fractal dimension (FD) statistics of attacks along with other attributes. In contrast to the well-known works, it is proposed to further improve the efficiency of classifying network attacks by using not only the average value, but also other statistical characteristics of the DF of attacks and normal traffic as information features. These can be variance, skewness and kurtosis coefficients that characterize the shape and parameters of the distribution of the RF. The effectiveness of the proposed method is evaluated using machine learning algorithms by assessing the quality of the binary classification of network attacks and normal traffic using the UNSW-NB15 database as an example. The following classification algorithms were used to classify the dataset: k-nearest neighbors (k-NN), multiple logistic regression (LR), decision tree (DTC), random forest (RF), ada boost. The following metrics were used to evaluate the effectiveness of the constructed models: accuracy (precision), recall (recall), F-score (F-score), ROC-curves, AUC-ROC. It is shown that the use of mean value, variance, skewness and kurtosis coefficients, which characterize the shape and distribution parameters of the statistical characteristics of the FD distribution as additional information features, makes it possible to increase the efficiency of attack classification by an average of 10%. K-NN and LR classification algorithms. For the DTC and RF algorithms, the greatest effect from the use of additional attributes is in reducing the training and testing time and is about 3.5 times for each of the algorithms.

English Else

G. Millán,G. Lefranc,R. Osorio-Comparán,V. Lomas-Barrie

DOI: https://doi.org/10.48550/arXiv.2107.05484

2021-05-12

Abstract:Fractal behavior and long-range dependence are widely observed in measurements and characterization of traffic flow in high-speed computer networks of different technologies and coverage levels. This paper presents the results obtained when applying fractal analysis techniques on a time series obtained from traffic captures coming from an application server connected to the Internet through a high-speed link. The results obtained show that traffic flow in the dedicated high-speed network link have fractal behavior when the Hurst exponent is in the range of 0.5, 1, the fractal dimension between 1, 1.5, and the correlation coefficient between -0.5, 0. Based on these results, it is ideal to characterize both the singularities of the traffic and its impulsiveness during a fractal analysis of temporal scales. Finally, based on the results of the time series analyses, the fact that the traffic flows of current computer networks exhibit fractal behavior with a long-range dependency is reaffirmed.

Networking and Internet Architecture,Signal Processing,Physics and Society