Detection of Network Attacks Using Hybrid ARIMA-GARCH Model

In this article, an attempt to solve the problem of attacks (anomalies) detection in the analyzed network traffic with the use of a mixed statistical model (hybrid) ARIMA-GARCH is presented. The introductory actions consisted in normalization of elements of the analyzed time series by means of the Box-Cox transformation. To determine, though, if the analyzed time series were characterized by heteroscedasticity, they were subjected to the White's test. For comparison, there were also tested with the use of differing statistical approaches (described by mean or conditional variance), realized by individual models of ARIMA and GARCH. The choice of optimal models' parameters was performed as a compromise between the coherence of the model and the size of estimation error. To detect attacks (anomalies) in the network traffic, there were used relations between the proper estimated model of the network traffic, and its real parameters. The presented experimental results confirmed fitness and efficiency of the proposed solutions.