Dependability

An approach to detecting anomalies in a self-similar network traffic

https://doi.org/10.21683/1729-2646-2023-23-2-57-63

Abstract

Aim. The effects of cyber attacks cause failures of network elements, theft of information and other unlawful actions. Cyber attacks are often accompanied by atypical traffic activity and anomalies. The paper aims to develop an approach to detecting anomalies in network traffic by identifying the degree of self-similarity of the traffic using fractal analysis and statistical methods.

Methods. The paper uses methods of mathematical statistics, mathematical analysis and fractal analysis.

Results. The paper suggests an approach to identifying anomalies in network traffic by evaluating self-similarity and using statistical methods to improve the accuracy of cyber attack detection. At the first stage, the Hurst exponent is calculated for the reference traffic. At the second stage, actual traffic is divided into optimal time intervals, and the Hurst exponent is calculated for each interval. If the value of the Hurst exponent for an interval differs from the one obtained for the reference traffic, it is decided that there is an anomaly. At the final stage, statistical analysis is used to precisely localise the anomaly. The authors analysed fractal and statistical methods and identified the more efficient ones to use as part of the proposed approach. For fractal analysis, the DFA method was proposed, while for statistical analysis, the ARFIMA method was proposed.

Conclusion. The suggested approach allows identifying cyber attacks in real time or near-real time.
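The first two stages described in the abstract can be sketched as follows. This is an added example, not the authors' code: it estimates the Hurst exponent with first-order detrended fluctuation analysis (DFA), then flags intervals whose estimate departs from the reference value. The function names, the 1024-sample interval, the 0.25 tolerance and the traffic series (uncorrelated noise standing in for reference traffic, with one injected random-walk interval) are assumptions made for illustration; the ARFIMA localisation stage is not shown.

```python
import math
import random
from itertools import accumulate

def fit_line(xs, ys):
    """Least-squares (slope, intercept) of ys against xs."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    return slope, my - slope * mx

def dfa_hurst(series, scales=(8, 16, 32, 64)):
    """First-order DFA: slope of log F(n) against log n."""
    mean = sum(series) / len(series)
    profile = list(accumulate(v - mean for v in series))  # integrated series
    log_n, log_f = [], []
    for n in scales:
        t, sq, used = list(range(n)), 0.0, 0
        for s in range(0, len(profile) - n + 1, n):
            seg = profile[s:s + n]
            b, a = fit_line(t, seg)       # local linear trend of this box
            sq += sum((y - (a + b * x)) ** 2 for x, y in zip(t, seg))
            used += n
        log_n.append(math.log(n))
        log_f.append(0.5 * math.log(max(sq / used, 1e-12)))  # floor: flat interval
    return fit_line(log_n, log_f)[0]

def flag_intervals(traffic, h_ref, window=1024, tol=0.25):
    """(start, H) for each interval whose H differs from h_ref by more than tol."""
    flagged = []
    for s in range(0, len(traffic) - window + 1, window):
        h = dfa_hurst(traffic[s:s + window])
        if abs(h - h_ref) > tol:          # tol is an assumed threshold
            flagged.append((s, round(h, 2)))
    return flagged

def constructed_traffic(seed=7, window=1024):
    """Constructed packets/s samples; interval 5 drifts like a random walk."""
    rng = random.Random(seed)
    def noise(k):
        return [1000 + rng.gauss(0, 50) for _ in range(k)]
    reference, traffic = noise(4 * window), noise(5 * window)
    for _ in range(window):               # injected anomaly: persistent drift
        traffic.append(traffic[-1] + rng.gauss(0, 50))
    return reference, traffic + noise(2 * window)

if __name__ == "__main__":
    ref, live = constructed_traffic()
    h_ref = dfa_hurst(ref)
    print(round(h_ref, 2), flag_intervals(live, h_ref))
```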

About the Authors

V. A. Veselova
Saint Petersburg State University of Aerospace Instrumentation
Russian Federation

Viktoria A. Veselova, Master Student



V. S. Kolomoytsev
Saint Petersburg State University of Aerospace Instrumentation
Russian Federation

Vladimir S. Kolomoytsev, Associate Professor, Candidate of Engineering



For citations:


Veselova V.A., Kolomoytsev V.S. An approach to detecting anomalies in a self-similar network traffic. Dependability. 2023;23(2):57-63. (In Russ.) https://doi.org/10.21683/1729-2646-2023-23-2-57-63


This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 1729-2646 (Print)
ISSN 2500-3909 (Online)