Long-Memory Dependence Statistical Models for DDoS Attacks Detection


  • Tomasz Andrysiak
  • Łukasz Saganowski
  • Mirosław Maszewski
  • Piotr Grad


DDoS attacks detection method based on modelling the variability with the use of conditional average and variance in examined time series is proposed in this article. Variability predictions of the analyzed network traffic are realized by estimated statistical models with long-memory dependece ARFIMA, Adaptive ARFIMA, FIGARCH and Adaptive FIGARCH. We propose simple parameter estimation models with the use of maximum likelihood function. The choice of sparingly parameterized form of the models is realized by means of information criteria representing a compromise between brevity of representation and the size of the prediction error. In the described method we propose using statistical relations between predicted and analyzed network traffic in order to detect abnormal behavior possibly being a result of a network attack. Performed experiments confirmed effectiveness of the analyzed method and cogency of the statistical models.


-, (2015). Kali Linux,https://www.kali.org/ (last access: Dec. 2015)

-, (2015). Prolexic Quarterly Global DDoS Attack Report https://sm.asisonline.org/ASIS%20SM%20Documents/Prolexic%20Quarterly%20Global%20DDoS%20Attack%20Report.pdf (last access: Dec. 2015)

-, (2015). SNORT - Intrusion Detection System, https://www.snort.org/ (last access: Dec. 2015)

Andersen, T.G., Bollerslev, T. (1998). ARCH and GARCH models. Encyclopedia of Statistical Sciences

Axelsson, S. (2000). Intrusion detection systems: A survey and taxonomy (Vol. 99). Chalmers University of Technology, Goteborg, Sweden: Technical report

Baillie, R.T., Bollerslev, T., Mikkelsen, H. (1996). Fractionally Integrated Generalized Autoregressive Conditional Heteroscedasticity, Journal of Econometrics, 74(1), 3-30

Baillie, R.T., Morana, C. (2009). Modelling long memory and structural breaks in conditional variances: An adaptive FIGARCH approach. Journal of Economic Dynamics and Control, 33(8), 1577-1592

Beran, J. (1994). Statistics for long-memory processes (Vol. 61). CRC press

Bollerslev, T. (1986). Generalized Autoregressive Conditional Heteroscedasticity, Journal of Econometrics, 31(3), 307-327

Box, G.E., Jenkins, G.M., Reinsel, G.C., Ljung, G.M. (2015). Time series analysis: forecasting and control. John Wiley & Sons

Brockwell, P.J., Davis, R.A. (2006). Introduction to time series and forecasting. Springer Science & Business Media

Chandola, V., Banerjee, A., Kumar, V. (2009). Anomaly detection: A survey. ACM computing surveys (CSUR), 41(3), 15

Crato, N., Ray, B.K. (1996). Model selection and forecasting for long-range dependent processes. Journal of Forecasting, 15(2), 107-125

Engle, R. (1982). Autoregressive conditional heteroscedasticity with estimates of the variance of UK inflation. Econometrica, 50, 987- 1008

Gabriel, V.J., Martins, L.F. (2004). On the forecasting ability of ARFIMA models when infrequent breaks occur. Econometrics Journal, 7(2), 455-475

Geweke, J., Porter-Hudak, S. (1983). The estimation and application of long memory time series models. Journal of time series analysis, 4(4), 221-238

Granger, C.W., Joyeux, R. (1980). An introduction to long-memory time series models and fractional differencing. Journal of time series analysis, 1(1), 15-29

Haslett, J, Raftery, A.E. (1989). Space-time modelling with long-memory dependence: assessing Ireland’s wind power resource. Applied Statistics, 38(1), 1-50

Hosking, J.R. (1981). Fractional differencing. Biometrika, 68(1), 165-176.

Hu, L., Bi, X. (2011, March). Research of DDoS attack mechanism and its defense frame. In 2011 3rd International Conference on Computer Research and Development

Hurst, H. (1951). The long-term storage capacity of reservoirs Transactions of American Society Civil Engineer

Hyndman, R.J., Khandakar, Y. (2008). Automatic time series forecasting: the forecast Package for R. Journal of Statistical Software, 27(3), 1-22

Jackson, K. A. (1999). Intrusion detection system (IDS) product survey. Los Alamos National Laboratory, Los Alamos, NM, LA-UR-99-3883 Ver, 2, 1-103

Kayacik, H G., Zincir-Heywood, A.N., Heywood, M.I. (2005, October). Selecting features for intrusion detection: A feature relevance analysis on KDD 99 intrusion detection datasets. In Proceedings of the third annual conference on privacy, security and trust

Kumarasamy, S. (2009). An effective defence mechanism for Distributed Denial-of-Service (DDoS) attacks using router-based techniques. International Journal of Critical Infrastructures, 6(1), 73-80

Lakhina, A., Crovella, M., Diot, C. (2004, October). Characterization of network-wide anomalies in traffic flows. In Proceedings of the 4th ACM SIGCOMM conference on Internet measurement (pp. 201-206). ACM

Lee, W., Stolfo, S.J. (2000). A framework for constructing features and models for intrusion detection systems. ACM transactions on Information and system security (TiSSEC), 3(4), 227-261

Mirkovic, J., Prier, G., Reiher, P. (2002, November). Attacking DDoS at the source. In Network Protocols, 2002. Proceedings. 10th IEEE International Conference on (pp. 312-321). IEEE

Robinson, P.M. (1995). Log-periodogram regression of time series with long range dependence. The annals of Statistics, 1048-1072

Tayefi, M., Ramanathan, T.V. (2012), An Overview of FIGARCH and Related Time Series Models, Austrian Journal of Statistics, 41(3), 175-196






Most read articles by the same author(s)