A robust anomaly detection method using a constant false alarm rate approach

Abstract

With the rapid growth of information and communication technologies, the number of security threats in computer networks is substantially increasing; thus, the development of more proactive security warning measures is required. In this work, we propose a new anomaly detection method that operates by decomposing TCP traffic into control and data planes, which exhibit similar behaviors in the absence of attacks. The proposed method exploits the statistics of the cross-correlation function of the two planes traffic and the constant false alarm rate (CFAR) scheme for detecting anomalies of the underlying network traffic. Both the fixed and adaptive thresholding schemes are implemented. The adaptive thresholding is setup by adjusting the value of the threshold in accordance with the local statistics of the cross-correlation function of the two planes traffic. We evaluate the performance of the proposed method by analyzing the real traffic captured from a deployed network and traffic obtained from other publicly available datasets; we focus on TCP traffic with three different aggregated count features: packet count, IP address count, and port count sequences. Although both the fixed and adaptive thresholding schemes perform well and detect the presence of a distributed denial-of-service efficiently. The adaptive thresholding scheme is more reliable because it detects anomalies as they start.