Network anomaly detection based on logistic regression of nonlinear chaotic invariants

Abstract

Network anomaly detection has the essential goal of reliably identifying malicious activities within traffic observations collected at specific monitoring points, in order to raise alarms and timely trigger specific reactions and countermeasures. This, ideally, should be done also in presence of previously unknown phenomena, also known as zero-day attacks. However, distinguishing anomalous events due to attacks from normal spikes or sharp variations in traffic flows can become a classic “finding a needle in a haystack” problem, due to the very complex and unpredictable nature of Internet traffic, which is extremely affected by randomness and background noise effects. To face this challenge we leveraged machine learning for developing a novel network anomaly detection solution, based on the exploitation of nonlinear invariant properties of the Internet traffic. These properties, by capturing its chaotic and fractal features, are better suited to represent the more intrinsic and discriminative dynamics within an inductively learned model to be used for effectively classifying, through logistic regression, previously unseen traffic aggregates or individual flows into “normal” or “anomalous” ones. The results of the performance evaluation, obtained within a standard and reproducible experimental validation framework, show that the approach is able to effectively isolate very different kinds of volumetric Denial of Service attacks within the context of complex mixes of traffic flows, with really satisfactory accuracy and precision.