
Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 3090))


Abstract

We propose a traffic anomaly detector that operates in postmortem and real-time modes by passively monitoring packet headers of traffic. We analyze the correlation of destination IP addresses of outgoing traffic at an egress router. Based on statistical bounds on normal traffic patterns of the correlation signal of destination addresses, sudden changes can be used to detect anomalies in traffic behavior. For greater computational efficiency, we suggest a correlation calculation using a simple data structure. These correlation data are processed through a coefficient-selective discrete wavelet transform for effective and high-confidence detection. We present two kinds of mechanisms, for the postmortem and real-time detection modes. We evaluate the effectiveness of those two mechanisms by employing network traffic traces.

This work is supported by an NSF grant ANI-0087372, Texas Higher Education Board, Texas Information Technology and Telecommunications Taskforce and Intel Corp.



Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, S.S., Reddy, A.L.N., Vannucci, M. (2004). Detecting Traffic Anomalies Using Discrete Wavelet Transform. In: Kahng, HK., Goto, S. (eds) Information Networking. Networking Technologies for Broadband and Mobile Networks. ICOIN 2004. Lecture Notes in Computer Science, vol 3090. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-25978-7_96


  • DOI: https://doi.org/10.1007/978-3-540-25978-7_96

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23034-2

  • Online ISBN: 978-3-540-25978-7

  • eBook Packages: Springer Book Archive
