Network Anomaly Detection Based On Statistical Approach And Time Series Analysis

Posted on: 2010-01-07 | Degree: Master | Type: Thesis
Country: China | Candidate: K Huang | Full Text: PDF
GTID: 2178360275970388 | Subject: Software engineering

Abstract/Summary:
Networks constantly suffer from traffic anomalies such as router rate changes, device restarts or worm attacks. Early detection of unusual anomalies in the network is the key to fast recovery and to avoiding serious future problems, so that stable network transmission can be provided. In this paper we present a statistical approach that analyzes the distribution of network traffic to identify normal network traffic behavior. We then define the extent to which the observed traffic differs from this normal behavior as the anomaly indicator, and propose several judgement approaches for detecting anomalies from it.

However, traffic of different protocols follows different statistical distributions, and no single distribution matches the overall network traffic distribution. Earlier research has provided evidence for this conclusion, and our experiments on real data also verified it. We therefore adopt a Gaussian mixture model to fit the unknown distribution of the target network traffic, and use the EM algorithm, well known in the field of AI, to estimate the parameters of the mixture. An alarm is triggered only when the statistical signature of an unusual fluctuation or change in the network traffic reaches the extent we define.

We adopt time series analysis as our judgement approach. In the first approach, an upper bound and a lower bound are defined through the analysis, and exceeding either bound signals a traffic anomaly. A second time series approach reflects the fluctuation of the network through the crossover of two indicator lines, the K line and the D line. These two lines are similar to moving averages of the historical data over a time slice, one being more sensitive to newly arriving data than the other.
The third approach, based on the MACD indicator, resembles the K/D approach but is less sensitive to unusual fluctuations of the network traffic, which lets it raise alarms more correctly. Our experimental results finally demonstrate the effectiveness of our approach.
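As an added illustration of the pipeline the abstract describes (this is not code from the thesis), the following Python fits a two-component Gaussian mixture to a constructed packets-per-second trace with EM, uses the negative log-likelihood under that mixture as the anomaly indicator, and applies the three judgement rules on top of it: mean plus or minus three standard deviations as upper and lower bounds, the K/D crossover built from a fast and a slow exponential moving average, and the MACD histogram. The smoothing spans (3/10 for K/D, the conventional 12/26/9 for MACD), the three-sigma bound, the traffic levels and the injected spike are all assumptions of this example; the thesis does not state its parameters.

```python
import math
import random
from statistics import mean, pstdev

def gaussian_pdf(x, mu, var):
    return math.exp(-(x - mu) ** 2 / (2.0 * var)) / math.sqrt(2.0 * math.pi * var)

def em_gmm_1d(xs, k=2, iters=100, min_var=1e-6):
    """EM for a k-component 1-D Gaussian mixture; returns [(weight, mean, var)]."""
    n, lo, hi = len(xs), min(xs), max(xs)
    mus = [lo + (hi - lo) * (j + 0.5) / k for j in range(k)]  # spread initial means
    vars_ = [max(pstdev(xs) ** 2, min_var)] * k
    ws = [1.0 / k] * k
    for _ in range(iters):
        # E-step: responsibility of every component for every sample
        resp = []
        for x in xs:
            p = [ws[j] * gaussian_pdf(x, mus[j], vars_[j]) for j in range(k)]
            s = sum(p) or 1e-300
            resp.append([pj / s for pj in p])
        # M-step: re-estimate weight, mean and variance of each component
        for j in range(k):
            nj = sum(r[j] for r in resp)
            if nj < 1e-12:
                continue
            ws[j] = nj / n
            mus[j] = sum(r[j] * x for r, x in zip(resp, xs)) / nj
            vars_[j] = max(sum(r[j] * (x - mus[j]) ** 2 for r, x in zip(resp, xs)) / nj, min_var)
    return list(zip(ws, mus, vars_))

def anomaly_score(x, model):
    """Extent of deviation from normal behaviour: negative log-likelihood under the mixture."""
    density = sum(w * gaussian_pdf(x, mu, var) for w, mu, var in model)
    return -math.log(max(density, 1e-300))

def bounds(series, n_sigma=3.0):
    """Judgement 1: lower and upper bound as mean -/+ n_sigma standard deviations (assumed rule)."""
    m, sd = mean(series), pstdev(series)
    return m - n_sigma * sd, m + n_sigma * sd

def ema(series, n):
    """Exponential moving average with span n (alpha = 2 / (n + 1))."""
    alpha, out = 2.0 / (n + 1), [series[0]]
    for v in series[1:]:
        out.append(alpha * v + (1.0 - alpha) * out[-1])
    return out

def kd_lines(series, fast_n=3, slow_n=10):
    """Judgement 2: K line reacts quickly to new data, D line slowly (spans are assumptions)."""
    return ema(series, fast_n), ema(series, slow_n)

def macd(series, fast_n=12, slow_n=26, signal_n=9):
    """Judgement 3: MACD line, its signal line and the histogram (conventional 12/26/9 spans)."""
    line = [f - s for f, s in zip(ema(series, fast_n), ema(series, slow_n))]
    signal = ema(line, signal_n)
    return line, signal, [m - s for m, s in zip(line, signal)]

def crossovers(fast, slow):
    """Indices where the fast line crosses above the slow line (alarm candidates)."""
    return [i for i in range(1, len(fast)) if fast[i] > slow[i] and fast[i - 1] <= slow[i - 1]]

def argmax(seq):
    return max(range(len(seq)), key=seq.__getitem__)

def constructed_baseline(n=200, seed=7):
    """Constructed packets/s trace: quiet slots ~N(300, 20), busy slots ~N(900, 50)."""
    rng = random.Random(seed)
    return [rng.gauss(300, 20) if i % 2 == 0 else rng.gauss(900, 50) for i in range(n)]

def demo():
    base = constructed_baseline()
    model = em_gmm_1d(base)                        # learn "normal" as a two-mode mixture
    _, score_hi = bounds([anomaly_score(x, model) for x in base])
    raw_lo, raw_hi = bounds(base)                  # bounds on raw volume, for contrast
    rng = random.Random(11)                        # constructed 30-slot test window
    window = [rng.gauss(300, 20) for _ in range(29)] + [2500.0]   # spike at index 29
    wscores = [anomaly_score(x, model) for x in window]
    k, d = kd_lines(wscores)
    _, _, hist = macd(wscores)
    return {
        "model": model, "score_hi": score_hi, "raw_lo": raw_lo, "raw_hi": raw_hi,
        "mid_gap_score": anomaly_score(600.0, model),   # 600 pkt/s lies between the modes
        "spike_score": wscores[-1],
        "kd_peak": argmax([ki - di for ki, di in zip(k, d)]),
        "kd_alarms": crossovers(k, d),
        "macd_peak": argmax(hist),
    }

if __name__ == "__main__":
    r = demo()
    for w, mu, var in r["model"]:
        print(f"component: weight={w:.2f} mean={mu:.1f} sd={math.sqrt(var):.1f}")
    print(f"score bound={r['score_hi']:.2f}, 600 pkt/s scores {r['mid_gap_score']:.2f}; "
          f"raw bounds {r['raw_lo']:.0f}..{r['raw_hi']:.0f} would not flag it")
    print(f"spike score={r['spike_score']:.1f}; K/D peak at {r['kd_peak']}, "
          f"MACD peak at {r['macd_peak']}, K/D crossovers at {r['kd_alarms']}")
```

Two things the run makes visible that the abstract only states. First, a rate of 600 packets/s sits inside three-sigma bounds computed on the raw volume, yet it falls between the two learned modes and so scores far above the bound on the mixture indicator; this is the case for modelling "normal" as a mixture rather than a single distribution. Second, both the K minus D divergence and the MACD histogram peak at the spike sample, but the MACD excursion is several times smaller and decays more smoothly, which is the blunter response the abstract attributes to the MACD approach; the K/D crossover list, by contrast, also picks up small wobbles in the pre-spike scores.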
Keywords/Search Tags: Network Anomaly Detection, EM algorithm, Gaussian Mixture Model, K and D indicator approach, MACD (Moving Average Convergence and Divergence), Time Series Analysis