Abstract

Aim. Cyber attacks cause failures of network elements, theft of information and other unlawful actions. They are often accompanied by atypical traffic activity and anomalies. The paper aims to develop an approach to detecting anomalies in network traffic by identifying the degree of self-similarity of the traffic using fractal analysis and statistical methods.

Methods. The paper uses methods of mathematical statistics, mathematical analysis and fractal analysis.

Results. The paper suggests an approach to identifying anomalies in network traffic by evaluating self-similarity and using statistical methods to improve the accuracy of cyber attack detection. At the first stage, the Hurst exponent is calculated for the reference traffic. At the second stage, actual traffic is divided into optimal time intervals, and the Hurst exponent is calculated for each interval. If the value of the Hurst exponent for an interval differs from the one obtained for the reference traffic, it is decided that there is an anomaly. At the final stage, statistical analysis is used to localise the anomaly precisely. The authors analysed fractal and statistical methods and identified the more efficient ones for use in the proposed approach. For fractal analysis, the DFA method was proposed, while for statistical analysis, the ARFIMA method was proposed.

Conclusion. The suggested approach allows identifying cyber attacks in real time or near-real time.
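The first two stages described above, sketched as an added example (not code from the paper): a first-order DFA estimate of the scaling exponent for reference traffic, then a per-window comparison against it. The function names, the 512-sample window, the scales, the 0.3 tolerance and the traffic samples are assumptions made for illustration; the baseline is simplified to uncorrelated noise, and the ARFIMA localisation stage is not shown.

```python
import math
import random

def linfit(xs, ys):
    """Least-squares slope and intercept of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    return slope, my - slope * mx

def dfa_exponent(series, scales=(8, 16, 32, 64)):
    """DFA-1 scaling exponent: slope of log F(n) against log n."""
    mean = sum(series) / len(series)
    profile, acc = [], 0.0
    for v in series:                      # integrate the mean-centred series
        acc += v - mean
        profile.append(acc)
    log_n, log_f = [], []
    for n in scales:
        t, sq, used = list(range(n)), 0.0, 0
        for start in range(0, len(profile) - n + 1, n):
            seg = profile[start:start + n]
            a, b = linfit(t, seg)         # remove the local linear trend
            sq += sum((y - (a * x + b)) ** 2 for x, y in zip(t, seg))
            used += n
        log_n.append(math.log(n))
        log_f.append(0.5 * math.log(sq / used))
    return linfit(log_n, log_f)[0]

def flag_windows(traffic, reference_h, window=512, tolerance=0.3):
    """Return (start, exponent) for windows that deviate from the reference."""
    flagged = []
    for start in range(0, len(traffic) - window + 1, window):
        h = dfa_exponent(traffic[start:start + window])
        if abs(h - reference_h) > tolerance:
            flagged.append((start, round(h, 2)))
    return flagged

def constructed_traffic(seed=7, window=512):
    """Constructed packets-per-second samples; window 2 drifts like a random walk."""
    rng = random.Random(seed)
    reference = [100 + rng.gauss(0, 10) for _ in range(4 * window)]
    live, level = [], 100.0
    for i in range(4 * window):
        if i // window == 2:
            level += rng.gauss(0, 10)     # persistent drift: the anomaly
        live.append(level if i // window == 2 else 100 + rng.gauss(0, 10))
    return reference, live
```

Calling `flag_windows(live, dfa_exponent(reference))` on the constructed samples reports only the window starting at sample 1024, whose exponent sits far above the reference value.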
