Anomaly Detection Using Dynamic Time Warping

Cited by: 20
Authors
Diab, Diab M. [1 ]
AsSadhan, Basil [2 ]
Binsalleeh, Hamad [3 ]
Lambotharan, Sangarapillai [4 ]
Kyriakopoulos, Konstantinos G. [4 ]
Ghafir, Ibrahim [4 ]
Affiliations
[1] King Saud Univ, Dept Comp Sci, Riyadh, Saudi Arabia
[2] King Saud Univ, Dept Elect Engn, Riyadh, Saudi Arabia
[3] Imam Mohammad Ibn Saud Islamic Univ, Dept Comp Sci, Riyadh, Saudi Arabia
[4] Loughborough Univ, Wolfson Sch Mech Elect & Mfg Engn, Loughborough, Leics, England
Source
2019 22ND IEEE INTERNATIONAL CONFERENCE ON COMPUTATIONAL SCIENCE AND ENGINEERING (IEEE CSE 2019) AND 17TH IEEE INTERNATIONAL CONFERENCE ON EMBEDDED AND UBIQUITOUS COMPUTING (IEEE EUC 2019) | 2019
Keywords
dynamic time warping; traffic analysis; control and data planes traffic; anomaly detection; distance measures;
DOI
10.1109/CSE/EUC.2019.00045
Chinese Library Classification
TP301 [Theory, methods];
Discipline code
081202;
Abstract
Analyzing network traffic behavior is essential for detecting network anomalies, but analyzing that behavior effectively enough to diagnose anomalies remains a challenge. One promising approach is to decompose network traffic into control and data planes and statistically analyze the packet features of each plane. Under benign traffic the two planes behave similarly, so a divergence in their behavior may indicate an anomaly. In this work we show that under normal conditions the packet-count distance between the two planes falls within a bounded range of values, and that consecutive outliers beyond that range may reveal the presence of anomalies. We use Dynamic Time Warping (DTW) to find the best alignment of the two planes' packet-count series and measure the Euclidean distance between their corresponding aligned instances. We evaluate the approach on recent Internet traffic captured at King Saud University. The results support our argument: the distance between the TCP control plane and the corresponding data plane stays within a certain range during benign application traffic and exceeds that range during anomalous activity.
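The following is an added worked example of the pipeline the abstract describes; it is not code from the paper or its authors. It splits TCP packets into the two planes, computes per-bin packet counts, aligns the control-plane and data-plane series with DTW, measures the distance between each aligned pair, fits a "benign range" on a known-good reference window and flags runs of consecutive out-of-range distances. Three things are assumptions of this example rather than statements from the abstract: the plane split (payload-less TCP packets such as SYN, pure ACK, FIN and RST are treated as control plane, payload-carrying packets as data plane), the range rule (mean plus or minus k standard deviations of the reference distances), and all packet series, which are constructed toy data.

```python
# Added example (not the paper's code): DTW alignment of TCP control-plane and
# data-plane packet counts with a "benign range" outlier rule.
# Assumptions, not taken from the abstract: control plane = TCP packets with
# no payload, data plane = TCP packets with payload; benign range = mean +/- k*sd
# of a known-good reference window; every series below is constructed.
import math


def split_planes(packets, bin_size, nbins):
    """packets: iterable of (timestamp_seconds, payload_bytes) for TCP packets.
    Returns (control_counts, data_counts), one packet count per time bin."""
    control, data = [0] * nbins, [0] * nbins
    for ts, payload in packets:
        b = int(ts // bin_size)
        if 0 <= b < nbins:
            if payload == 0:
                control[b] += 1   # no payload -> control plane (assumed rule)
            else:
                data[b] += 1      # payload present -> data plane
    return control, data


def dtw(a, b):
    """Dynamic time warping of two scalar series with |a_i - b_j| as the local
    (1-D Euclidean) cost. Returns (total_cost, path), path being the list of
    aligned (i, j) index pairs from (0, 0) to (len(a)-1, len(b)-1)."""
    n, m = len(a), len(b)
    inf = float("inf")
    D = [[inf] * (m + 1) for _ in range(n + 1)]
    D[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = abs(a[i - 1] - b[j - 1])
            D[i][j] = cost + min(D[i - 1][j - 1], D[i - 1][j], D[i][j - 1])
    i, j = n, m                      # backtrack to recover the alignment
    path = [(i - 1, j - 1)]
    while i > 1 or j > 1:
        steps = []
        if i > 1 and j > 1:
            steps.append((D[i - 1][j - 1], i - 1, j - 1))
        if i > 1:
            steps.append((D[i - 1][j], i - 1, j))
        if j > 1:
            steps.append((D[i][j - 1], i, j - 1))
        _, i, j = min(steps)
        path.append((i - 1, j - 1))
    path.reverse()
    return D[n][m], path


def aligned_distances(control, data):
    """Distance between every pair of DTW-aligned instances of the two planes."""
    _, path = dtw(control, data)
    return [abs(control[i] - data[j]) for i, j in path], path


def benign_range(distances, k=3.0):
    """Range occupied by aligned distances under benign traffic (assumed rule)."""
    mu = sum(distances) / len(distances)
    sd = math.sqrt(sum((d - mu) ** 2 for d in distances) / len(distances))
    return max(0.0, mu - k * sd), mu + k * sd


def consecutive_outliers(distances, lo, hi, min_run=3):
    """(start, end) position ranges of at least min_run consecutive distances
    outside [lo, hi]; isolated outliers are ignored, as the abstract suggests."""
    runs, start = [], None
    for idx, d in enumerate(distances):
        out = d < lo or d > hi
        if out and start is None:
            start = idx
        elif not out and start is not None:
            if idx - start >= min_run:
                runs.append((start, idx - 1))
            start = None
    if start is not None and len(distances) - start >= min_run:
        runs.append((start, len(distances) - 1))
    return runs


def detect(control, data, lo, hi, min_run=3):
    """Align the planes and return (runs over path positions, warping path)."""
    dists, path = aligned_distances(control, data)
    return consecutive_outliers(dists, lo, hi, min_run), path


# Constructed reference window: the data plane lags the control plane by one bin.
BENIGN_CONTROL = [50, 52, 60, 70, 65, 55, 50, 48, 52, 58, 57]
BENIGN_DATA = [50, 51, 53, 61, 69, 64, 56, 51, 47, 53, 57, 57]
# Constructed monitored trace: bins 6..10 carry a burst of payload-less packets
# (a SYN flood) that the data plane does not follow.
ATTACK_CONTROL = [50, 52, 60, 70, 65, 55, 300, 320, 340, 330, 310, 50, 48, 52, 58, 57]
ATTACK_DATA = [50, 51, 53, 61, 69, 64, 56, 55, 52, 50, 54, 51, 47, 53, 57, 57]

if __name__ == "__main__":
    ref_dists, _ = aligned_distances(BENIGN_CONTROL, BENIGN_DATA)
    lo, hi = benign_range(ref_dists)
    runs, path = detect(ATTACK_CONTROL, ATTACK_DATA, lo, hi)
    for s, e in runs:
        bins = sorted({path[p][0] for p in range(s, e + 1)})
        print(f"anomalous run over control-plane bins {bins[0]}..{bins[-1]}")
```

Two practical points the example makes visible: DTW is what lets the one-bin lag in the benign window produce distances of 0 or 1 instead of a spurious alarm, and the outlier rule operates on positions along the warping path, so a flagged run has to be mapped back to control-plane bins (as the usage at the bottom does) before it can be reported as a time interval. The reference window must be representative of the monitored link; a range fitted on the low-jitter toy window above is far tighter than real traffic would allow.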
Pages: 199-204
Page count: 6