Spectrum analysis for detecting slow-paced persistent activities in network security

A slow-paced attack, such as slow worm or bot, can remain undetectable indefinitely by slowing down the pace of its movement. Detecting slow attacks based on traditional anomaly detection techniques may yield high false alarm rates. Since attacks are usually controlled by pre-programmed computer codes, their behaviors have regularity. In this paper, we track outbound connections of hosts by using a time series. Although the correlation among slow attacks´ connections is temporally weak; the regularity of these connections remains preserved in the time series. Accordingly, we focus on time series spectrum analysis, and propose a detection method to identify peculiar spectral patterns which can represent the occurrence of a recurring and persistent activity in the time domain. We use both synthesized traffic and real-world traffic to evaluate our method. The results show that our method is efficient and effective in detecting slow-paced persistent activities even in a noisy environment with legitimate traffic.