A DDoS Attacks Detection Based on Conditional Heteroscedastic Time Series Models

Tomasz Andrysiak, Łukasz Saganowski, Mirosław Maszewski, Piotr Grad


Dynamic development of various systems providing safety and protection to network infrastructure from novel, unknown attacks is currently an intensively explored and developed domain.In the present article there is presented an attempt to redress the problem by variability estimation with the use of conditional variation. The predictions of this variability were based on the estimated conditional heteroscedastic statistical models ARCH, GARCH and FIGARCH. The method used for estimating the parameters of the exploited models was determined by calculating maximum likelihood function. With the use of compromise between conciseness of representation and the size of estimation error there has been selected as a sparingly parameterized form of models. In order to detect an attack/anomaly in the network traffic there were used differences between the actual network traffic and the estimated model of the traffic. The presented research confirmed efficacy of the described method and cogency of the choice of statistical models.


Amini, M., Jalili, R., Shahriari, H. R. (2006). RTUNNID: A practical solution to real-time networkbased intrusion detection using unsupervised neural networks. Computers & Security, 25(6), 459-468

Amor, N. B., Benferhat, S., Elouedi, Z. (2004). Naive bayes vs decision trees in intrusion detection systems. In Proceedings of the 2004 ACM symposium on Applied computing (pp. 420-424). ACM

Andrysiak, T., Saganowski, Ł., Choras, M., Kozik, R. (2014). Network Traffic Prediction and Anomaly Detection Based on ARFIMA Model. In International Joint Conference SOCO’14-CISIS’14-ICEUTE’14 (pp. 545-554). Springer International Publishing

Baillie, R.T., Bollerslev, T., Mikkelsen, H.O. (1996). Fractionally integrated generalized autoregressive conditional heteroskedasticity. Journal of econometrics, 74(1), 3-30

Bollerslev, T. (1986). Generalized autoregressive conditional heteroskedasticity. Journal of econometrics, 31(3), 307-327

Bozdogan, H. (1987). Model selection and Akaike’s information criterion (AIC): The general theory and its analytical extensions. Psychometrika, 52(3), 345-370

Box, G. E., Jenkins, G. M., Reinsel, G. C. (2011). Time series analysis: forecasting and control (Vol. 734). John Wiley & Sons

Brockwell, P. J., Davis, R. A. (2006). Introduction to time series and forecasting. Springer Science & Business Media

Chebrolu, S., Abraham, A., Thomas, J.P. (2005). Feature deduction and ensemble design of intrusion detection systems. Computers & Security, 24(4), 295-307

Chandola, V., Banerjee, A., Kumar, V. (2009). Anomaly detection: A survey. ACM computing surveys (CSUR), 41(3), 15

Choras, M., Saganowski, Ł., Renk, R., Hołubowicz, W. (2012). Statistical and signal-based network traffic recognition for anomaly detection. Expert Systems, 29(3), 232-245

Crato, N., Ray, B.K. (1996). Model selection and forecasting for long-range dependent processes. Journal of Forecasting, 15(2), 107-125

Debar, H., Becker, M., Siboni, D. (1992). A neural network component for an intrusion detection system. In Research in Security and Privacy, 1992. Proceedings., 1992 IEEE Computer Society Symposium on (pp. 240-250). IEEE

Engle, R. F. (1982). Autoregressive conditional heteroscedasticity with estimates of the variance of United Kingdom inflation. Econometrica: Journal of the Econometric Society, 987-1007

Esposito, M., Mazzariello, C., Oliviero, F., Romano, S.P., Sansone, C. (2005). Evaluating Pattern Recognition Techniques in Intrusion Detection Systems. In PRIS (pp. 144-153)

Esposito M., Mazzariello C., Oliviero F., Romano S.P., Sansone C. (2005). Real Time Detection of Novel Attacks by Means of Data Mining Techniques, ICEIS, 3, 120-127

Fiszeder, P. (2009). Modele klasy GARCH w empirycznych badaniach finansowych. Wydawnictwo Naukowe Uniwersytetu Mikołaja Kopernika

Global IT Security Risks Survey 2014 Distributed Denial Of Service Attacks, Kaspersky Lab (2014) https://press.kaspersky.com

Hu, L., Bi, X. (2011). Research of DDoS attack mechanism and its defense frame. In 2011 3rd International Conference on Computer Research and Development (Vol. 4, pp. 440-442)

Jackson, K.A. (1999). Intrusion detection system (IDS) product survey. Los Alamos National Laboratory, Los Alamos, NM, LA-UR-99-3883 Ver, 2, 1-103

Kim, J., Bentley, P. J., Aickelin, U., Greensmith, J., Tedesco, G., Twycross, J. (2007). Immune system approaches to intrusion detection - a review. Natural computing, 6(4), 413-466

Lakhina, A., Crovella, M., Diot, C. (2004). Characterization of network-wide anomalies in traffic flows. In Proceedings of the 4th ACM SIGCOMM conference on Internet measurement (pp. 201-206). ACM.

Lee, W., Stolfo, S.J. (2000). A framework for constructing features and models for intrusion detection systems. ACM transactions on Information and system security (TiSSEC), 3(4), 227-261

Li, W. (2004). Using genetic algorithm for network intrusion detection. Proceedings of the United States Department of Energy Cyber Security Group, 1-8

Li, X., Ye, N. (2001). Decision tree classifiers for computer intrusion detection. Journal of Parallel and Distributed Computing Practices, 4(2), 179-190

Lu, W., Ghorbani, A. A. (2009). Network anomaly detection based on wavelet analysis. EURASIP Journal on Advances in Signal Processing, 2009, 4

Moradi, M., Zulkernine, M. (2004). A neural network based system for intrusion detection and classification of attacks. In Proceedings of the 2004 IEEE international conference on advances in inteligent systems-theory and applications

Raport CERT Orange Polska za rok 2014, Integrated Solutions, (2014) http://www.orange.pl/ocp-http/PL/Binary2/2000001/4096003938.pdf

Rodriguez, A. C., de los Mozos, M. R. (2010). Improving network security through traffic log anomaly detection using time series analysis. In Computational Intelligence in Security for Information Systems 2010 (pp. 125-133). Springer Berlin Heidelberg

Saganowski, Ł., Goncerzewicz, M., Andrysiak, T. (2013). Anomaly Detection Preprocessor for SNORT IDS System. In Image Processing and Communications Challenges 4 (pp. 225-232). Springer Berlin Heidelberg

Seredynski, F., Bouvry, P. (2005). Some issues in solving the anomaly detection problem using immunological approach. In Parallel and Distributed Processing Symposium, 2005. Proceedings. 19th IEEE International (pp. 188b-188b). IEEE

SNORT - Intrusion Detection System, https://www.snort.org/

Tayefi, M., Ramanathan, T. V. (2012). An Overview of FIGARCH and Related Time Series Models. Austrian Journal of Statistics, 41(3), 175-196

Taylor, S. (1986). Modelling Financial Time Series, Wiley, Chichester,

Ye, N., Chen, Q., Emran, S.M., Noh, K. (2000). Chi-square statistical profiling for anomaly detection. In IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop June 6-7, 2000 at West Point, New York (pp. 187-193)


  • There are currently no refbacks.