Long-Memory Dependence Statistical Models for DDoS Attacks Detection
Abstract
This article proposes a DDoS attack detection method based on modelling the variability of the examined time series through its conditional mean and conditional variance. Variability predictions for the analyzed network traffic are produced by estimated statistical models with long-memory dependence: ARFIMA, Adaptive ARFIMA, FIGARCH and Adaptive FIGARCH. We propose simple parameter estimation for these models using the maximum likelihood function. A sparingly parameterized form of each model is chosen by means of information criteria, which represent a compromise between brevity of representation and the size of the prediction error. In the described method we propose using the statistical relation between the predicted and the observed network traffic in order to detect abnormal behavior that may be the result of a network attack. The performed experiments confirmed the effectiveness of the analyzed method and the adequacy of the statistical models.
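The pipeline the abstract describes, as an added illustration rather than the paper's own code: fractional differencing (1-B)^d of the demeaned series, a model fit on the differenced series, selection of the fractional order d by an information criterion, and a detector that flags samples whose one-step prediction error is far larger than the training residuals. To stay self-contained it substitutes a least-squares AR(1) fit for the paper's ARFIMA/FIGARCH maximum-likelihood estimation and a constant residual variance for a FIGARCH conditional variance; the traffic series (long-memory noise around 1000 packets/s with a flood of +1500 packets/s injected from sample 240), the grid of candidate d values and the four-standard-deviation threshold are all constructed assumptions, not data or settings from the paper.

```python
"""Added illustration of the abstract's pipeline (not the paper's code):
fractional differencing (1-B)^d -> AR(1) fit on the differenced, demeaned
series by least squares -> d chosen from a grid by an AIC-style criterion ->
samples whose one-step prediction error exceeds k training-residual standard
deviations are flagged. The traffic series below is constructed, not measured."""
import math
import random


def frac_diff_weights(d, n):
    """Binomial weights of (1-B)^d up to lag n-1: w_0 = 1, w_k = w_{k-1}(k-1-d)/k."""
    w = [1.0]
    for k in range(1, n):
        w.append(w[-1] * (k - 1 - d) / k)
    return w


def frac_diff(x, d):
    """Truncated (1-B)^d x; a negative d gives the inverse operator (1-B)^{-|d|}."""
    w = frac_diff_weights(d, len(x))
    return [sum(w[k] * x[t - k] for k in range(t + 1)) for t in range(len(x))]


def fit_ar1(y):
    """Least-squares AR(1) y[t] = c + phi*y[t-1] + e[t]; returns (c, phi, sigma2)."""
    xs, ys = y[:-1], y[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((a - mx) ** 2 for a in xs)
    sxy = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    phi = sxy / sxx if sxx else 0.0
    c = my - phi * mx
    sigma2 = sum((b - c - phi * a) ** 2 for a, b in zip(xs, ys)) / n
    return c, phi, sigma2


def aic(sigma2, n, k):
    """Gaussian AIC up to a constant: n*log(sigma^2) + 2k for k fitted parameters."""
    return n * math.log(sigma2) + 2 * k


def select_d(z, grid=(0.0, 0.1, 0.2, 0.3, 0.35, 0.4, 0.45)):
    """Return (d, c, phi, sigma2) for the grid value of d with the lowest AIC."""
    best = None
    for d in grid:
        c, phi, s2 = fit_ar1(frac_diff(z, d))
        score = aic(s2, len(z) - 1, 3)  # fitted parameters: d, c, phi
        if best is None or score < best[0]:
            best = (score, d, c, phi, s2)
    return best[1:]


def detect(x, train_len, k=4.0):
    """Fit on x[:train_len]; flag t >= train_len whose prediction error > k*sigma."""
    mu = sum(x[:train_len]) / train_len          # demean with the training mean only
    z = [v - mu for v in x]
    d, c, phi, s2 = select_d(z[:train_len])
    threshold = k * math.sqrt(s2)
    y = frac_diff(z, d)                          # same d applied to the whole series
    flagged = [t for t in range(train_len, len(x))
               if abs(y[t] - (c + phi * y[t - 1])) > threshold]
    return d, flagged


def constructed_traffic(n=300, attack_start=240, d_true=0.35, seed=7):
    """Constructed packets/s series: 1000 + long-memory ARFIMA(0,d,0) noise
    (innovation sigma 30), with a flood of +1500 packets/s from attack_start."""
    rng = random.Random(seed)
    e = [rng.gauss(0.0, 30.0) for _ in range(n)]
    fi = frac_diff(e, -d_true)                   # (1-B)^{-d} e: fractional noise
    return [1000.0 + fi[t] + (1500.0 if t >= attack_start else 0.0)
            for t in range(n)]


if __name__ == "__main__":
    traffic = constructed_traffic()
    d, flagged = detect(traffic, train_len=200)
    print(f"selected d = {d}, first flagged sample = {flagged[:1]}, "
          f"flagged samples = {len(flagged)}")
```

Because the flood is a level shift and (1-B)^d removes it only slowly, the differenced series stays elevated for many samples after the onset, so the detector keeps flagging while the flood persists instead of adapting to it as a plain AR model with phi near one would; the training window must itself be attack-free, otherwise the residual variance and hence the threshold are inflated.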