Time series forecasting with model selection applied to anomaly detection in network traffic

Abstract

Abstract In herein article an attempt of problem solution connected with anomaly detection in network traffic with the use of statistic models with long or short memory dependence was presented. In order to select the proper type of a model, the parameter describing memory on the basis of the Geweke and Porter-Hudak test was estimated. Bearing in mind that the value of statistic model depends directly on quality of data used for its creation, at the initial stage of the suggested method, outliers were identified and then removed. For the implementation of this task, the criterion using the value of interquartile range was used. The data prepared in this manner were useful for automatic creation of statistic models classes, such as ARFIMA and Holt-Winters. The procedure of calculation of model parameters’ optimal values was carried out as a compromise between the models coherence and the size of error estimation. Then, relations between the estimated network model and its actual parameters were used in order to detect anomalies in the network traffic. Considering the possibility of appearance of significant real traffic network fluctuations, procedure of updating statistic models was suggested. The results obtained in the course of performed experiments proved efficacy and efficiency of the presented solution.