Volume Based Anomaly Detection using LRD Analysis of Decomposed Network Traffic

Network traffic intrusions increase day by day in computer systems. This poses major security threats to computer networks. In this paper, we present an effective approach for anomaly detection in network traffic. We investigate the long-range dependence (LRD) behavior of decomposed network traffic subgroups in different directions with respect the enterprise network. If the network traffic exhibits LRD behavior during normal conditions, then deviation from this property can indicate an abnormality in the traffic. We analyze and evaluate recent Internet traffic captured at King Saud University (KSU). The results and analysis of the proposed approach show that the presence of short duration anomalies affect the LRD behavior of certain traffic subgroups, namely the subgroups in the control plane traffic while the aggregated whole traffic still exhibits LRD. These results show how this approach significantly reduces the amount of traffic to analyze, and more importantly it can detect abnormal behavior that is not detected when looking the traffic as a whole.