Безопасность информационных технологий (IT Security) (Mar 2019)

Method for detection of network traffic anomalies which is based on its self-similar traffic structure

  • Elena V. Karachanskaya,
  • Nadezhda Iv. osedova

DOI
https://doi.org/10.26583/bit.2019.1.10
Journal volume & issue
Vol. 26, no. 1
pp. 98 – 110

Abstract


The paper presents a method for detecting network traffic anomalies that takes the self-similar structure of the traffic into account. Network traffic is assumed to be self-similar and is modelled as fractional Brownian motion. Existing methods of network anomaly detection are reviewed. The result of the work is a new method for detecting network traffic anomalies. The method is built on a semi-supervised approach to anomaly detection, which allows the process to run almost without human intervention. It also belongs to the family of statistical methods, which makes it comparatively easy to implement. In contrast to existing methods, it uses samples of optimal size collected over the minimum sufficient time. The anomaly detection algorithm consists of two parts: computation of the reference values (standards) and comparison of the observed traffic against those standards (analysis of the network traffic for anomalies). The reference values are obtained by computing the self-similarity parameter (Hurst parameter) for selected indicators taken from packet headers. The search algorithm underlying the method can be used both to detect anomalies in incoming traffic (network attacks) and to detect anomalies in outgoing traffic (as a DLP system).
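The two-part algorithm described above (compute Hurst-parameter reference values from baseline windows, then compare each new window against them) can be illustrated as follows. This is an added example, not the authors' code: it assumes packets-per-10 ms counts as the header-derived indicator, estimates the Hurst parameter with classical rescaled-range (R/S) analysis, uses a 3-sigma band with a 0.15 floor as the comparison rule, and runs on constructed traffic counts rather than real captures. The paper does not specify which estimator or threshold it uses; those choices are this example's assumptions.

```python
"""Hurst-parameter baselining for network-traffic anomaly detection.

Added example (not the paper's code). The indicator is a constructed
packets-per-10 ms count series, H is estimated by rescaled-range (R/S)
analysis, reference values are built from several baseline windows, and a
new window is flagged when its H leaves the reference band.
"""
import math
import random


def hurst_rs(series, min_block=8):
    """Estimate the Hurst parameter H by rescaled-range (R/S) analysis.

    For each block size s (powers of two from min_block up to len//2) the
    series is cut into blocks; in each block the range R of the cumulative
    mean-adjusted sum is divided by the block's standard deviation S.
    H is the least-squares slope of log(mean R/S) against log(s).
    """
    n = len(series)
    log_sizes, log_ratios = [], []
    s = min_block
    while s <= n // 2:
        rs_values = []
        for start in range(0, n - s + 1, s):
            block = series[start:start + s]
            mean = sum(block) / s
            std = math.sqrt(sum((x - mean) ** 2 for x in block) / s)
            if std == 0.0:
                continue  # a constant block carries no R/S information
            cum, lo, hi = 0.0, 0.0, 0.0
            for x in block:
                cum += x - mean
                lo, hi = min(lo, cum), max(hi, cum)
            rs_values.append((hi - lo) / std)
        if rs_values:
            log_sizes.append(math.log(s))
            log_ratios.append(math.log(sum(rs_values) / len(rs_values)))
        s *= 2
    if len(log_sizes) < 2:
        raise ValueError("series too short for R/S analysis")
    mx = sum(log_sizes) / len(log_sizes)
    my = sum(log_ratios) / len(log_ratios)
    num = sum((x - mx) * (y - my) for x, y in zip(log_sizes, log_ratios))
    den = sum((x - mx) ** 2 for x in log_sizes)
    return num / den


def reference_values(windows):
    """Part 1: reference values (mean and spread of H over baseline windows)."""
    hs = [hurst_rs(w) for w in windows]
    mean = sum(hs) / len(hs)
    std = math.sqrt(sum((h - mean) ** 2 for h in hs) / len(hs))
    return mean, std


def is_anomalous(window, reference, min_band=0.15):
    """Part 2: compare a new window's H with the reference band.

    Returns (flag, h). The band is 3 sigma of the baseline H values with a
    floor of min_band (assumed threshold rule, not the paper's).
    """
    h_ref, std_ref = reference
    band = max(3 * std_ref, min_band)
    h = hurst_rs(window)
    return abs(h - h_ref) > band, h


def constructed_baseline_windows(count=6, length=1024, seed=1):
    """Constructed packets-per-10 ms counts for normal traffic (not real data)."""
    rng = random.Random(seed)
    return [[max(0, round(rng.gauss(50, 7))) for _ in range(length)]
            for _ in range(count)]


def constructed_flood_window(length=1024, seed=2):
    """Constructed window in which a flood ramps the packet rate up linearly."""
    rng = random.Random(seed)
    return [max(0, round(50 + 10 * i + rng.gauss(0, 7))) for i in range(length)]


if __name__ == "__main__":
    ref = reference_values(constructed_baseline_windows())
    print("reference H = %.3f (sigma %.3f)" % ref)
    for name, win in (("baseline", constructed_baseline_windows()[0]),
                      ("flood", constructed_flood_window())):
        flag, h = is_anomalous(win, ref)
        print("%-8s H = %.3f anomalous = %s" % (name, h, flag))
```

A pure linear ramp in the counts is the limiting case of a persistent process, so `hurst_rs` returns H close to 1 for it, while the i.i.d. baseline counts give H near 0.5 (biased slightly upward at this window length, as classical R/S is known to be). The comparison rule therefore separates the flood window from the baseline windows by a wide margin; in a deployment the window length, the estimator and the band width are the tuning knobs that the paper's "optimal sample size" criterion addresses.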

Keywords