Non-Gaussian and Long Memory Statistical Characterizations for Internet Traffic with Anomalies

• Published in: IEEE transactions on dependable and secure computing Vol. 4; no. 1; pp. 56 - 70
• Main Authors: Scherrer, A., Larrieu, N., Owezarski, P., Borgnat, P., Abry, P.
• Format: Journal Article
• Language: English
• Published: Washington IEEE 01.01.2007; IEEE Computer Society; Institute of Electrical and Electronics Engineers
• Subjects: Agglomeration; Anomalies; Communication system traffic control; Computer crime; Computer memory; Computer Science; Denial of service attacks; DoS attack; Engineering Sciences; flash crowd; Internet; Internet service providers; Intrusion detection; Mathematical models; Networking and Internet Architecture; non-Gaussian long-range dependent process; Normal distribution; Parameter estimation; Quality of service; Signal and Image Processing; Statistical analysis; Statistics; Studies; Throughput; Time series; Traffic control; Traffic engineering; Traffic flow; Traffic statistical modeling; Web and internet services; non-Gaussian long-range dependent process; Internet traffic; Traffic statistical modeling; Statistical Signal Processing; DoS attack; flash crowd
• ISSN: 1545-5971; 1941-0018
• DOI: 10.1109/TDSC.2007.12

The goals of the present contribution are twofold. First, we propose the use of a non-Gaussian long-range dependent process to model Internet traffic aggregated time series. We give the definitions and intuition behind the use of this model. We detail numerical procedures that can be used to synthesize artificial traffic exactly following the model prescription. We also propose original and practically effective procedures to estimate the corresponding parameters from empirical data. We show that this empirical model relevantly describes a large variety of Internet traffic, including both regular traffic obtained from public reference repositories and traffic containing legitimate (flash crowd) or illegitimate (DDoS attack) anomalies. We observe that the proposed model accurately fits the data for a wide range of aggregation levels. The model provides us with a meaningful multiresolution (i.e., aggregation level dependent) statistics to characterize the traffic: the evolution of the estimated parameters with respect to the aggregation level. It opens the track to the second goal of the paper: anomaly detection. We propose the use of a quadratic distance computed on these statistics to detect the occurrences of DDoS attack and study the statistical performance of these detection procedures. Traffic with anomalies was produced and collected by us so as to create a controlled and reproducible database, allowing for a relevant assessment of the statistical performance of the proposed (modeling and detection) procedures