
Network traffic characterization and network anomaly detection

Posted on: 2007-08-11
Degree: Ph.D
Type: Thesis
University: University of Illinois at Chicago
Candidate: Li, Lan
Full Text: PDF
GTID: 2448390005469537
Subject: Engineering
Abstract/Summary:
The growing number of exploits and malicious activities poses serious threats to network stability. To avoid network service outages and economic loss, various methods have been proposed for network anomaly detection. Network traffic characterization concentrates on analyzing network traffic to profile its properties, so that network anomalies can be detected as deviations from normal traffic.

This thesis work pursues a systematic method through which abrupt changes in traffic behavior can be captured as part of traffic characterization. Since aggregated traffic possesses strong temporal correlation with local stationarity across time scales, the energy distribution, as a representation of the autocorrelation function, can be good guidance for network traffic characterization. Because of its localization in both time and frequency, wavelet analysis is a natural choice for analyzing traffic time series extracted from real traffic traces. Through wavelet analysis, the energy distributed over scales can be constructed from the variance of the wavelet coefficients with low computational complexity. With this wavelet-based energy distribution, we characterize network traffic on the Internet. The energy distribution changes only within limited variation over time as long as the traffic keeps its characteristics. In other words, the variation of the energy distribution between two consecutive observation points reveals changes in the characteristics (behavior) of the observed traffic.

As a practical application of energy distribution variation analysis, we have considered cases of DDoS attacks and worm propagation. Our experimental results show that the energy distribution variation changes markedly, producing a "spike", when traffic behavior is affected by those attacks. In contrast, normal traffic exhibits a remarkably stationary energy distribution. This spike in energy distribution variance can be captured in the early stages of an attack, far ahead of congestion build-up, making it an effective means of detecting the attack.

This thesis work also includes an extensive discussion of implementation issues. Parameter selection, wavelet transform implementation, and attack response methods have been studied in designed experiments. An attack defense system with both detection and response units has been delivered as an add-on module for the NS-2 platform.
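As an added illustration (not code from the thesis), the following Python sketch implements the detection idea the abstract describes: per-scale energy as the variance of wavelet detail coefficients, a normalized energy distribution per observation window, the variation between consecutive windows, and a threshold that flags the spike. The Haar wavelet, the L1 distance as the variation measure, the 0.5 threshold and the traffic trace are my assumptions, not the thesis's parameters; the trace is constructed, not a real capture.

```python
import math
import statistics

def haar_energy_distribution(series, min_coeffs=4):
    """Energy per scale = variance of the Haar detail coefficients at that scale
    (the construction the abstract describes), normalized so that windows with
    different traffic volume are comparable. Scales with fewer than min_coeffs
    detail coefficients are skipped because their variance estimate is unreliable."""
    x = list(series)
    energies = []
    while len(x) >= 2 * min_coeffs:
        approx = [(a + b) / math.sqrt(2) for a, b in zip(x[0::2], x[1::2])]
        detail = [(a - b) / math.sqrt(2) for a, b in zip(x[0::2], x[1::2])]
        energies.append(statistics.pvariance(detail))
        x = approx  # the next, coarser scale is built from the approximation
    total = sum(energies)
    return [e / total for e in energies] if total else energies

def distribution_variation(prev, curr):
    """Variation between two consecutive energy distributions (L1 distance, assumed)."""
    return sum(abs(a - b) for a, b in zip(prev, curr))

def detect_spikes(counts, window=64, threshold=0.5):
    """Split per-interval packet counts into consecutive windows and return the
    windows whose energy distribution jumps away from the previous window's."""
    dists = [haar_energy_distribution(counts[i:i + window])
             for i in range(0, len(counts) - window + 1, window)]
    variations = [distribution_variation(p, c) for p, c in zip(dists, dists[1:])]
    spikes = [k + 1 for k, v in enumerate(variations) if v > threshold]
    return spikes, variations

def constructed_trace(windows=8, window=64, attack_window=5):
    """Constructed trace (not a real capture): a slow sinusoidal load with small
    deterministic jitter, plus a bursty flood confined to one window. The flood
    alternates on/off at the finest scale, which shifts energy towards fine scales
    while the normal load keeps its energy at coarse scales."""
    counts = []
    for i in range(windows * window):
        base = 100 + 40 * math.sin(2 * math.pi * i / window)
        jitter = (i * 7919) % 5 - 2
        flood = 400 if i // window == attack_window and i % 4 in (1, 2) else 0
        counts.append(base + jitter + flood)
    return counts

if __name__ == "__main__":
    spikes, variations = detect_spikes(constructed_trace())
    for k, v in enumerate(variations, start=1):
        print(f"window {k}: variation from previous window = {v:.3f}")
    print("spike windows:", spikes)  # [5, 6]: flood onset and its end
```

The variation stays small between normal windows because their energy distributions are nearly identical, while both the onset and the end of the flood produce a spike, matching the behaviour the abstract reports.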
Keywords/Search Tags: Network, Traffic, Detection, Energy distribution, Attack