Network anomaly detection through nonlinear analysis

Nowadays every network is susceptible on a daily basis to a significant number of different threats and attacks both from the inside and outside world. Some attacks only exploit system vulnerabilities and their traffic pattern is undistinguishable from normal behavior, but in many cases the attack mechanisms combine protocol or OS tampering activity with a specific traffic pattern having its own particular characteristics. Since these traffic anomalies are now conceived as a structural part of the overall network traffic, it is more and more important to automatically detect, classify and identify them in order to react promptly and adequately. In this work we present a novel approach to network-based anomaly detection based on the analysis of non-stationary properties and “hidden” recurrence patterns occurring in the aggregated IP traffic flows. In the observation of the above transition patterns for detecting anomalous behaviors, we adopted recurrence quantification analysis, a nonlinear technique widely used in many science fields to explore the hidden dynamics and time correlations of statistical time series. Our model demonstrated to be effective for providing a deterministic interpretation of recurrence patterns originated by the complex traffic dynamics observable during the occurrence of “noisy” network anomaly phenomena (characterized by measurable variations in the statistical properties of the traffic time series), and hence for developing qualitative and quantitative observations that can be reliably used in detecting such events.