The goals of the present contribution are twofold. First, we propose the use of a non-Gaussian long-range dependent process to model aggregated time series of Internet traffic. We give the definitions and intuition behind the use of this model. We detail numerical procedures that can be used to synthesize artificial traffic that exactly follows the model prescription. We also propose original and practically effective procedures to estimate the corresponding parameters from empirical data. We show that this empirical model relevantly describes a large variety of Internet traffic, including both regular traffic obtained from public reference repositories and traffic containing legitimate (flash crowd) or illegitimate (DDoS attack) anomalies. We observe that the proposed model accurately fits the data for a wide range of aggregation levels. The model provides us with a meaningful multiresolution (i.e., aggregation-level-dependent) statistic to characterize the traffic: the evolution of the estimated parameters with respect to the aggregation level. This opens the way to the second goal of the paper: anomaly detection. We propose the use of a quadratic distance computed on these statistics to detect the occurrence of DDoS attacks, and we study the statistical performance of these detection procedures. Traffic with anomalies was produced and collected by us so as to create a controlled and reproducible database, allowing for a relevant assessment of the statistical performance of the proposed (modeling and detection) procedures.
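The detection idea in the abstract (parameters estimated at several aggregation levels, then compared with a quadratic distance) can be sketched as follows. This is an added example, not the authors' code. The abstract does not name the marginal law, so a Gamma law fitted by the method of moments is assumed here, along with the aggregation levels, the function names, and the constructed i.i.d. traffic, which has no long-range dependence.

```python
import random
from statistics import mean, pvariance

LEVELS = (1, 2, 4, 8)  # aggregation levels in base bins (assumed values)

def aggregate(counts, level):
    """Sum each run of `level` consecutive base-bin counts."""
    usable = len(counts) - len(counts) % level
    return [sum(counts[i:i + level]) for i in range(0, usable, level)]

def gamma_fit(series):
    """Method-of-moments Gamma fit (assumed marginal): (shape, scale)."""
    m, v = mean(series), pvariance(series)
    return m * m / v, v / m

def profile(counts, levels=LEVELS):
    """Estimated (shape, scale) at every aggregation level."""
    return [gamma_fit(aggregate(counts, lv)) for lv in levels]

def quadratic_distance(ref, cur):
    """Mean squared gap between two profiles, one value per parameter."""
    n = len(ref)
    d_shape = sum((c[0] - r[0]) ** 2 for r, c in zip(ref, cur)) / n
    d_scale = sum((c[1] - r[1]) ** 2 for r, c in zip(ref, cur)) / n
    return d_shape, d_scale

def make_window(rng, n=4096, flood=0.0):
    """Constructed per-bin traffic volume; `flood` adds a constant surplus."""
    return [rng.gammavariate(4.0, 25.0) + flood for _ in range(n)]

def demo(seed=7):
    """Distances of a clean and a flooded window from one reference window."""
    rng = random.Random(seed)
    reference = profile(make_window(rng))
    clean = quadratic_distance(reference, profile(make_window(rng)))
    attack = quadratic_distance(reference,
                                profile(make_window(rng, flood=150.0)))
    return clean, attack

if __name__ == "__main__":
    clean, attack = demo()
    print("clean  window distance (shape, scale):", clean)
    print("attack window distance (shape, scale):", attack)
```

A constant-rate surplus raises the mean without raising the variance, so the fitted shape grows and the scale shrinks at every level, which is what separates the flooded window from ordinary estimation noise.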