Iterative window size estimation on self-similarity measurement for network traffic anomaly detection

Abstract

An iterative method for estimating the optimum sample time (or simply window size) in self-similarity measurement of network traffic is introduced. The main purpose of this measurement is to identify anomaly in network traffic. When the network traffic is close to the self-similarity model, it is considered as normal while otherwise it is not. Since, this model is related to a long-range dependence process, providing data in long period of time will increase the closeness of the network traffic towards the model. On the other hand, increasing the time range is one of the factors that will increase detection loss probability where an intrusive pattern may hide inside the normal data. Thus, the purpose of this method is to minimize the curve-fitting error on self-similarity measurement and detection loss probability in anomaly detection. This iterative method was applied to network traffic data provided by Lincoln Lab, Massachuset Institute of Technology (MIT). The result has shown, that this method is able to estimate an optimum window size that is capable to reduce detection loss probability and maintain a low error rate.