Title :
Real-Time Diagnosis of Network Anomaly Based on Statistical Traffic Analysis
Author :
Liu, Lei ; Jin, Xiaolong ; Min, Geyong ; Xu, Li
Author_Institution :
Dept. of Comput. Sci., Shandong Univ., Jinan, China
Abstract :
Distributed Denial-of-Service (DDoS) attacks are critical threats to both network service providers and legitimate network users. DDoS attacks often overwhelm or exhaust the resources of victims and typically result in abnormal bursty traffic passing through victim systems. In this paper, we develop a mechanism for diagnosing traffic anomalies caused by DDoS attacks on the basis of analyzing the behaviour of network traffic. The traffic in communication networks has been shown to exhibit statistical self-similar phenomena that can be characterized by the so-called Hurst parameter. Therefore, in the proposed mechanism the Hurst parameter, coupled with variance and autocorrelation, is employed as the key performance metric to spot the anomalies of network traffic. The proposed diagnosis mechanism is validated through experiments where the datasets consist of two groups. The first group is obtained from the MIT Lincoln Laboratory DOS attack dataset. The second group is collected from our DDoS attack simulation experiments, which cover three representative traffic shapes resulting from three different DDoS attack behaviours, namely, constant intensity, ramp-up behaviour and pulse behaviour. The experimental results show that the developed mechanism can raise alerts on the DDoS attack schemes within a short response time.
Keywords :
computer network security; statistical analysis; telecommunication traffic; DDoS attack behaviours; DDoS attack simulation experiments; Hurst parameter; MIT Lincoln Laboratory DOS attack dataset; abnormal bursty traffic; constant intensity; distributed denial-of-service attacks; network traffic anomaly; network traffic behaviour analysis; pulse behaviour; ramp-up behaviour; real-time diagnosis; statistical self-similar phenomena; statistical traffic analysis; Computer crime; Correlation; Data models; Servers; Standards; Switches; Telecommunication traffic; Anomaly diagnosis; DDoS attack; Intrusion detection; Traffic measurement;
Conference_Title :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on
Conference_Location :
Liverpool
Print_ISBN :
978-1-4673-2172-3
DOI :
10.1109/TrustCom.2012.233