Special Issue Paper
Anomaly diagnosis based on regression and classification analysis of statistical traffic features
Article first published online: 30 SEP 2013
Copyright © 2013 John Wiley & Sons, Ltd.
Security and Communication Networks
How to Cite
Liu, L., Jin, X., Min, G. and Xu, L. (2013), Anomaly diagnosis based on regression and classification analysis of statistical traffic features. Security Comm. Networks. doi: 10.1002/sec.843
- Manuscript Accepted: 13 JUN 2013
- Manuscript Revised: 8 JUN 2013
- Manuscript Received: 22 MAR 2013
Keywords
- intrusion detection;
- feature regression and classification;
- traffic measurement;
- anomaly diagnosis
Traffic anomalies caused by Distributed Denial-of-Service (DDoS) attacks are major threats to both network service providers and legitimate customers. DDoS attacks regularly consume and exhaust the resources of victims and hence result in abnormal bursty traffic through end-user systems. Additionally, malicious traffic aggregated into normal traffic often shows dramatic changes in the nature and statistical features of the traffic. This study focuses on early detection of traffic anomalies caused by DDoS attacks by analyzing network traffic behavior. Key statistical features including variance, autocorrelation, and self-similarity are employed to characterize the network traffic. Further, an artificial neural network and a support vector machine, subject to the performance metrics, are employed to predict and classify the abnormal traffic. The proposed diagnosis mechanism is validated through experiments where the datasets consist of two groups. The first group is the Massachusetts Institute of Technology Lincoln Laboratory dataset containing labeled DoS attacks. The second group, collected from DDoS attack simulation experiments, covers three representative traffic shapes resulting from the dynamic attack rate configuration, namely, constant intensity, ramp-up behavior, and pulsing behavior. The experimental results demonstrate that the developed mechanism can effectively and precisely raise alerts on abnormal traffic within a short response period.
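The three statistical features named in the abstract can be computed per window of packet counts as in the following added example, which is not code from the paper. The aggregated-variance Hurst estimator, the window contents and all function names are assumptions chosen for illustration, and the traffic series is constructed; the regression and classification stage is not shown.

```python
import math
import random
from statistics import mean, pvariance

def autocorr(x, lag=1):
    """Sample autocorrelation of a packet-count series at the given lag."""
    m = mean(x)
    den = sum((v - m) ** 2 for v in x)
    if den == 0:                       # constant series: no correlation defined
        return 0.0
    return sum((x[i] - m) * (x[i + lag] - m) for i in range(len(x) - lag)) / den

def hurst_aggvar(x, scales=(1, 2, 4, 8, 16)):
    """Hurst estimate from the aggregated-variance method (assumed estimator).

    For block size m the variance of block means scales as m^(2H-2), so
    H = 1 + slope/2 where slope is fitted on log(variance) against log(m).
    """
    pts = []
    for m in scales:
        blocks = [mean(x[i:i + m]) for i in range(0, len(x) - m + 1, m)]
        v = pvariance(blocks)
        if v > 0:
            pts.append((math.log(m), math.log(v)))
    if len(pts) < 2:                   # not enough scales to fit a slope
        return float("nan")
    n = len(pts)
    sx = sum(p[0] for p in pts)
    sy = sum(p[1] for p in pts)
    sxx = sum(p[0] ** 2 for p in pts)
    sxy = sum(p[0] * p[1] for p in pts)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    return 1 + slope / 2

def features(window):
    """Feature vector for one window of per-interval packet counts."""
    return {"variance": pvariance(window), "acf1": autocorr(window),
            "hurst": hurst_aggvar(window)}

def constructed_traffic(n=1024, pulsing=False, seed=7):
    """Constructed sample: noisy baseline, optionally with on/off pulses added."""
    rng = random.Random(seed)
    base = [100 + rng.gauss(0, 10) for _ in range(n)]
    if pulsing:                        # 32 intervals off, 32 on, +300 packets
        base = [v + (300 if (i // 32) % 2 else 0) for i, v in enumerate(base)]
    return base

if __name__ == "__main__":
    for label, flag in (("baseline", False), ("pulsing", True)):
        print(label, features(constructed_traffic(pulsing=flag)))
```

On the constructed pulsing series all three features move far from their baseline values, which is the kind of separation a downstream classifier would rely on.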