A DDoS Attacks Detection Based on Conditional Heteroscedastic Time Series Models
Abstract
The dynamic development of systems that protect network infrastructure from novel, unknown attacks is currently an intensively explored domain. This article addresses the problem by estimating the variability of network traffic through its conditional variance. Predictions of this variability are based on estimated conditional heteroscedastic statistical models: ARCH, GARCH and FIGARCH. The parameters of these models were estimated by maximising the likelihood function. A sparingly parameterised form of each model was selected as a compromise between conciseness of representation and the size of the estimation error. Attacks and anomalies in network traffic were detected from the differences between the actual traffic and the traffic predicted by the estimated model. The presented research confirms the efficacy of the described method and the validity of the chosen statistical models.
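The following is an added worked example, not code from the article: it fits a GARCH(1,1) model (ARCH(1) is the special case beta = 0) to the first differences of a packet-rate series by maximum likelihood, then flags observations whose standardized residual, the difference between the actual traffic and the model's prediction divided by the predicted conditional standard deviation, is too large. The traffic series, the grid-search optimiser with variance targeting, the threshold of 4 standard deviations and the rule that an alarmed observation does not update the variance state are all assumptions of this example; FIGARCH (long memory) is not implemented here.

```python
import math
import random


def make_traffic(n_normal=400, n_attack=20, seed=7):
    """Constructed sample (not real capture data): packets/second around a
    1000 pps baseline that fluctuates as an AR(1) process, followed by a
    flood that ramps up by roughly 800 pps every second."""
    rng = random.Random(seed)
    series, level = [], 1000.0
    for _ in range(n_normal):
        level = 1000.0 + 0.6 * (level - 1000.0) + rng.gauss(0.0, 30.0)
        series.append(level)
    for _ in range(n_attack):
        level += 800.0 + rng.gauss(0.0, 100.0)
        series.append(level)
    return series


def innovations(series, n_train):
    """First differences, centred on the training-period mean, so the
    heteroscedastic model is fitted to a (roughly) zero-mean series."""
    diffs = [series[t] - series[t - 1] for t in range(1, len(series))]
    mu = sum(diffs[:n_train - 1]) / (n_train - 1)
    return [d - mu for d in diffs]


def garch_variances(eps, omega, alpha, beta, sigma2_0):
    """sigma2_t = omega + alpha*eps_{t-1}^2 + beta*sigma2_{t-1}; beta=0 is ARCH(1)."""
    out, s2 = [], sigma2_0
    for e in eps:
        out.append(s2)
        s2 = omega + alpha * e * e + beta * s2
    return out


def gaussian_loglik(eps, sigma2):
    """Log-likelihood of eps under eps_t ~ N(0, sigma2_t)."""
    return -0.5 * sum(math.log(2 * math.pi) + math.log(s) + e * e / s
                      for e, s in zip(eps, sigma2))


def fit_garch11(eps):
    """Maximum-likelihood estimate of (omega, alpha, beta) over a coarse grid
    (assumed optimiser). omega is tied to the sample variance (variance
    targeting) so only two parameters are searched, and alpha+beta<1 is kept."""
    s2 = sum(e * e for e in eps) / len(eps)
    best = None
    for a in (i / 100 for i in range(0, 51, 5)):
        for b in (j / 100 for j in range(0, 96, 5)):
            if a + b >= 0.99:
                continue
            omega = s2 * (1.0 - a - b)
            ll = gaussian_loglik(eps, garch_variances(eps, omega, a, b, s2))
            if best is None or ll > best[0]:
                best = (ll, omega, a, b)
    return best[1:], best[0]


def detect(eps, params, z_threshold=4.0):
    """Flag indices whose standardized residual |eps_t|/sigma_t exceeds the
    threshold. A flagged observation does not update the variance state
    (assumed robustness rule), so a sustained flood cannot teach the model
    to treat the flood as the new normal."""
    omega, alpha, beta = params
    s2 = omega / (1.0 - alpha - beta)      # unconditional variance as initial state
    flagged = []
    for t, e in enumerate(eps, start=1):   # t indexes the original series
        if abs(e) / math.sqrt(s2) > z_threshold:
            flagged.append(t)
            e2 = s2                        # keep the state where it was
        else:
            e2 = e * e
        s2 = omega + alpha * e2 + beta * s2
    return flagged


def run_detection(n_normal=400, n_attack=20, seed=7):
    """Fit on the attack-free prefix only, then score the whole series."""
    series = make_traffic(n_normal, n_attack, seed)
    eps = innovations(series, n_normal)
    params, _ = fit_garch11(eps[:n_normal - 1])
    return detect(eps, params), params


if __name__ == "__main__":
    flagged, params = run_detection()
    print("omega=%.1f alpha=%.2f beta=%.2f" % params)
    print("flagged seconds:", flagged)
```

The model is estimated on the attack-free prefix and scored on everything after it; in production the fit would be refreshed on a rolling window of traffic that has not raised an alarm. Freezing the variance state on an alarm is what keeps the detector firing through a flood; without that rule a GARCH model would absorb the first burst into its conditional variance within a few observations and the remaining flood seconds would no longer stand out.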