Anomaly Detection Based on LRD Behavior Analysis of Decomposed Control and Data Planes Network Traffic Using SOSS and FARIMA Models

Cited by: 21
Authors
AsSadhan, Basil [1 ,2 ]
Zeb, Khan [1 ,2 ]
Al-Muhtadi, Jalal [3 ,4 ]
Alshebeili, Saleh [1 ,5 ]
Affiliations
[1] King Saud Univ, Dept Elect Engn, Coll Engn, Riyadh 11421, Saudi Arabia
[2] King Saud Univ, CoEIA, Riyadh 11421, Saudi Arabia
[3] King Saud Univ, CoEIA, Riyadh 11653, Saudi Arabia
[4] King Saud Univ, Dept Comp Sci, Coll Comp & Informat Sci, Riyadh 11653, Saudi Arabia
[5] King Saud Univ, KACST TIC RF & Photon E Soc RFTONICS, Riyadh 11421, Saudi Arabia
Keywords
Anomaly detection; intrusion detection; Internet traffic; LRD; self-similarity; network traffic analysis; network security; control plane traffic; data plane traffic; SOSS model; FARIMA model; long-range dependence
DOI
10.1109/ACCESS.2017.2689001
CLC classification
TP [Automation technology, computer technology]
Subject classification code
0812
Abstract
Detecting anomalies in network traffic, such as low-volume attacks and abnormalities, has become a pressing problem given today's large volumes of Internet traffic. To this end, various anomaly detection techniques have been developed, including techniques based on estimating the long-range dependence (LRD) behavior of network traffic. However, the existing LRD-based techniques analyze the aggregated WHOLE (control plus data) traffic, which might not be sufficient to detect short-duration and low-volume attacks and abnormalities, because such anomalies might pass unnoticed within the large volume of normal background traffic. To address this issue, we propose a method that examines the LRD behavior of control-plane and data-plane traffic separately, which improves detection efficacy. For the LRD behavior analysis, the proposed method integrates the correlation structures of the second-order self-similar (SOSS) and fractional autoregressive integrated moving average (FARIMA) models. The performance of the proposed method is empirically evaluated and validated on a relatively recent real Internet traffic trace captured at King Saud University's network. The analysis and results demonstrate that the proposed method efficiently detects low-volume, short-duration attacks and abnormalities that would not be detected by analyzing the aggregated WHOLE traffic alone, without decomposing it into control-plane and data-plane traffic.
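The decompose-then-estimate-LRD idea the abstract describes, as an added Python illustration that is not the authors' code and does not reproduce their detection criterion or the King Saud University trace. It assumes a simple control-plane rule (ICMP plus payload-less TCP segments, i.e. handshake, teardown and bare-ACK signalling), a constructed list of flow records, and a grid-search fit of the Hurst parameter H to two textbook correlation structures: the exactly second-order self-similar autocorrelation r(k) = ½[(k+1)^{2H} − 2k^{2H} + |k−1|^{2H}] and the FARIMA(0,d,0) autocorrelation ρ(k) = Γ(1−d)Γ(k+d) / (Γ(d)Γ(k+1−d)) with H = d + ½. The `hurst_shift` threshold and the synthetic traffic in the demo are likewise assumptions made for the example.

```python
"""Added illustration (not the paper's code): split packet counts into control-plane
and data-plane series, estimate each series' Hurst parameter H by fitting its sample
autocorrelation to the SOSS and FARIMA(0,d,0) correlation structures, and flag a window
whose H drifts from a baseline. The decomposition rule and all traffic are assumptions."""
import math
import random

# Constructed flow records: (protocol, TCP flags, payload bytes, time-bin index).
RECORDS = [
    ("tcp", "S", 0, 0), ("tcp", "SA", 0, 0), ("tcp", "A", 1200, 0), ("tcp", "A", 1200, 0),
    ("icmp", "", 0, 0), ("tcp", "PA", 512, 1), ("tcp", "FA", 0, 1), ("udp", "", 300, 1),
    ("tcp", "S", 0, 2), ("tcp", "S", 0, 2), ("tcp", "S", 0, 2), ("tcp", "A", 1200, 2),
]

def is_control(proto, flags, payload):
    """Assumed rule: ICMP and payload-less TCP segments (SYN/ACK/FIN/RST signalling)
    are control plane; anything carrying payload is data plane. Flags are kept in the
    records for readability; the rule keys on protocol and payload length."""
    return proto == "icmp" or (proto == "tcp" and payload == 0)

def decompose(records, n_bins):
    """Per-bin packet counts for WHOLE, CONTROL and DATA traffic."""
    whole, control, data = [0] * n_bins, [0] * n_bins, [0] * n_bins
    for proto, flags, payload, t in records:
        whole[t] += 1
        if is_control(proto, flags, payload):
            control[t] += 1
        else:
            data[t] += 1
    return whole, control, data

def soss_acf(H, max_lag):
    """Autocorrelation r(k), k = 1..max_lag, of an exactly second-order
    self-similar process with Hurst parameter H in (0.5, 1)."""
    return [0.5 * ((k + 1) ** (2 * H) - 2 * k ** (2 * H) + abs(k - 1) ** (2 * H))
            for k in range(1, max_lag + 1)]

def farima_acf(d, max_lag):
    """Autocorrelation rho(k) of FARIMA(0,d,0), 0 < d < 0.5, where H = d + 0.5:
    rho(k) = Gamma(1-d) Gamma(k+d) / (Gamma(d) Gamma(k+1-d)), evaluated in log space."""
    return [math.exp(math.lgamma(1 - d) + math.lgamma(k + d)
                     - math.lgamma(d) - math.lgamma(k + 1 - d))
            for k in range(1, max_lag + 1)]

def sample_acf(x, max_lag):
    """Biased sample autocorrelation at lags 1..max_lag (zeros for a constant series)."""
    n, m = len(x), sum(x) / len(x)
    var = sum((v - m) ** 2 for v in x)
    if var == 0:
        return [0.0] * max_lag
    return [sum((x[i] - m) * (x[i + k] - m) for i in range(n - k)) / var
            for k in range(1, max_lag + 1)]

H_GRID = [0.505 + 0.005 * i for i in range(99)]  # 0.505 .. 0.995, keeps d = H - 0.5 > 0

def fit_hurst(acf, model="soss"):
    """Least-squares fit of H: the grid point whose model ACF is closest to acf."""
    best_h, best_err = None, float("inf")
    for h in H_GRID:
        theo = soss_acf(h, len(acf)) if model == "soss" else farima_acf(h - 0.5, len(acf))
        err = sum((a - t) ** 2 for a, t in zip(acf, theo))
        if err < best_err:
            best_h, best_err = h, err
    return best_h

def hurst_shift(baseline, window, model="soss", max_lag=20, threshold=0.1):
    """Estimate H for a baseline and a test window; flag if |dH| exceeds the
    (assumed) threshold. Returns (H_baseline, H_window, flagged)."""
    h_base = fit_hurst(sample_acf(baseline, max_lag), model)
    h_win = fit_hurst(sample_acf(window, max_lag), model)
    return h_base, h_win, abs(h_win - h_base) > threshold

if __name__ == "__main__":
    # Constructed demo: a quiet control plane beside a busy data plane, then a
    # low-volume SYN plateau that is a large fraction of CONTROL but ~3% of WHOLE.
    rng = random.Random(7)
    ctrl = [max(0, round(rng.gauss(20, 4))) for _ in range(200)]
    data = [max(0, round(rng.gauss(1000, 50))) for _ in range(200)]
    attacked_ctrl = ctrl[:]
    for t in range(120, 160):
        attacked_ctrl[t] += 30          # sustained low-volume SYN burst
    whole = [c + d for c, d in zip(ctrl, data)]
    attacked_whole = [c + d for c, d in zip(attacked_ctrl, data)]
    for name, base, win in (("WHOLE", whole[:100], attacked_whole[100:]),
                            ("CONTROL", ctrl[:100], attacked_ctrl[100:]),
                            ("DATA", data[:100], data[100:])):
        print(name, hurst_shift(base, win))
```

The two model fits agree on a pure SOSS or pure FARIMA series but differ at small lags on real data (FARIMA(0,d,0) is only asymptotically self-similar, e.g. ρ(1) = d/(1−d) versus r(1) = 2^{2H−1} − 1), which is one reason to look at both correlation structures rather than trusting a single estimator.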
Pages: 13501-13519
Page count: 19