Anomaly Detection in Network Traffic Using Selected Methods of Time Series Analysis




I. J. Computer Network and Information Security, 2015, 9, 10-18
Published Online August 2015 in MECS (http://www.mecs-press.org/)
DOI: 10.5815/ijcnis.2015.09.02

Anomaly Detection in Network Traffic Using Selected Methods of Time Series Analysis

Jarosław Bernacki
Wrocław University of Technology, Wrocław, Poland
Email: Jaroslaw.Bernacki@pwr.edu.pl

Grzegorz Kołaczek
Wrocław University of Technology, Wrocław, Poland
Email: Grzegorz.Kolaczek@pwr.edu.pl

Abstract

In this paper a few methods for anomaly detection in computer networks with the use of time series methods are proposed. Special interest was put on Brown's exponential smoothing, seasonal decomposition, naive forecasting and the Exponential Moving Average method. The validation of the anomaly detection methods has been performed using experimental data sets and statistical analysis, which has shown that the proposed methods can efficiently detect unusual situations in network traffic. This means that time series methods can be successfully used to model and predict traffic in computer networks as well as to detect some unusual or unrequired events in network traffic.

Index Terms: Anomaly detection, time series methods, network traffic, predicting/forecasting, statistical analysis.

I. INTRODUCTION

An anomaly is regarded as a deviation from the typical/expected behavior. Detecting anomalies is very important in order to provide stability and predictability in network traffic. Anomalies can be defined in various ways, for instance as improper work of devices or applications, or as an attack, and so on. One way of detecting untypical situations is forecasting. The goal of this work is to present and evaluate selected methods which can be used to detect anomalous events in network traffic. One way to detect anomalies in networks is to forecast the values describing network traffic with algorithms used in time series analysis and then to compare the results of the prediction with the values measured in the real network. To verify this hypothesis the following algorithms were implemented: Brown's exponential smoothing, seasonal decomposition, exponential moving average and naive forecasting.

We created two time series: one with undisturbed, typical network traffic data and the second containing disturbed data (network traffic with untypical, anomalous events). The data set with anomalous events was created by "overloading" the network. Specifically, in both time series the time between sent packets is analyzed; for this purpose we used the response time from the server for each packet and computed the differences between adjacent packets. The response time from the server has been derived with the network sniffer Wireshark, which can also simulate a computer network. Next, the future values of the time series are forecasted based on the data in the series without abnormal situations. Then, these data are compared with the time series containing untypical situations (anomalies). Comparison of the series relies on checking whether the real data (from the input time series with no anomalies) is greater than the forecasted data. The comparison of results is made with the use of statistical analysis. The above approach is tested in a specially prepared test environment.

The other method of anomaly detection investigated during the research is the Exponential Moving Average (EMA). The proposed extension to the EMA method generates opinions about the security level using analysis of the observed network traffic. The opinions are formulated using subjective logic theory and they correspond to the anomaly level of the monitored value describing network traffic [23].

The paper is organized as follows: Section 2 is an overview of methods for anomaly detection. Section 3 contains a short description of algorithms which are used in time series analysis. In Section 4 a method based on moving average for anomaly detection is described, together with the results of its experimental evaluation. The next section describes the approach to anomaly detection using prediction methods and presents the results of experiments where the proposed prediction method was used. Section 6 concludes this work.

II. RELATED WORKS

"Time series - a series of observations at various moments of time" [6]. Time series analysis has two main goals: detecting the nature of the occurrence by the sequence of observations, and predicting the future values of the time series [12].

Time series methods are widely used for detecting various untypical situations, for instance modeling network traffic and detecting anomalies. In [18], various anomalies are detected within computer networks with the use of data from some network probes, such as ping or tracert. The aforementioned probing tools can deliver data such as packet loss, number of collisions, delay in packet delivery, Time To Live, and so on. Anomaly detection can be realized with the use of methods such as fuzzy cognitive maps, statistical analysis, finite state machines or pattern matching. For example, pattern matching can be used in order to build a traffic profile for a given network. Such a profile can be modeled as a vector containing data like packet loss, number of collisions, etc. These profiles can be categorized by e.g. time of day/week. When new data does not fit in the given profile, an anomaly is stated.

In paper [11], the ARIMA methodology was used in order to detect untypical situations in network traffic. The authors conducted experiments in which two types of traffic were used: one with normal variations, which can be described by some rules and are predictable, and a second with untypical situations, where sudden and unpredictable changes can appear. Experiments showed that ARIMA is able to identify anomalies in network traffic successfully.

The paper [13] contains a comprehensive overview of various techniques for anomaly detection. Considered are statistical methods, Bayesian networks, machine learning, Markov models, clustering algorithms like Expectation-Maximization, methods of computational intelligence (genetic algorithms, neural networks) and data mining techniques such as classification, association rules, etc. Paper [5] presents the use of machine learning, Bayesian networks, clustering, neural networks and Markov models for intrusion detection.

An approach presented in work [22] uses the ARIMA/GARCH model for traffic modeling and prediction. A linear ARIMA time series model was linked with a non-linear GARCH model and compared with a FARIMA model. Experiments showed that ARIMA/GARCH modeling is more efficient and has better prediction accuracy.

In [2] misuses in a TCP/IP network were analyzed. Experiments showed that a multilayer perceptron architecture can successfully detect untypical situations in a network. A supervised learning technique known as the back-propagation algorithm was used for training the artificial neural network.

In [14] a method for detecting outliers (anomalies) in wireless sensor networks is proposed. A K-nearest neighbor (KNN) algorithm is used in order to group similar anomalous groups of data (clusters). The authors conducted an experiment on data collected from the Great Duck Island Project [17]. The conducted research confirmed that the proposed method works well.

In [16] statistical methods were used for detecting untypical situations in large networks. The Kalman filter was used to model the normal traffic. The anomalous data were obtained by adding (i.a.) Gaussian noise into the input signal. Simple statistical methods were used, such as analysis of variance and Receiver Operating Characteristic (ROC) curves, which assessed the performance of this method.

In [20], a payload-based anomaly detector called PAYL is presented. It uses unsupervised methods for modeling network traffic. A payload's standard deviation is computed during the training phase and then the Mahalanobis distance is computed to calculate the similarity between new data and pre-computed data. The comparison of data is based on a defined tolerance threshold. For the experiments, data from the 1999 DARPA IDS dataset and a live dataset collected on the Columbia CS department network were used. Experiments showed that the accuracy of this method is very high.

Generally, the ARIMA methodology is widely used for identification of various untypical situations. However, ARIMA is a complex technique that is not easy to use and imposes a number of requirements that must be fulfilled by an input time series. In our approach, we propose a method based on the Exponential Moving Average and, in the second part, on Brown's exponential smoothing algorithm and seasonal decomposition. These methods are easier to implement in real world applications and do not require particular criteria for an input time series.

III. METHODS FOR NETWORK TRAFFIC LEVEL PREDICTION

A. Forecasting with the use of Brown's exponential smoothing

The simplest version of Brown's method is usually used for a series with no trend, where the fluctuations are the result of random factors. Each new smoothed value is calculated as a weighted average of the current observation and the previous smoothed observation. A forecast is constructed in the following way:

$y_t = \alpha X_t + (1 - \alpha)\, y_{t-1}$ (1)

where: $X_t$ denotes the observed values of the series, $y_t$ the smoothed values, and $\alpha$ the exponential smoothing parameter (smoothing factor) from the interval (0, 1]. The parameter $\alpha$ is set as follows: if the $\alpha$ value is close to 1, the forecast includes a high degree of the ex-post errors of previous forecasts; if $\alpha$ is close to 0, the forecast includes a low degree of the ex-post errors of previous forecasts.

B. Forecasting with seasonal decomposition

$y = T \cdot C \cdot S \cdot I$ (2)

where: $y$ is the series, $T$ the trend, $C$ the cyclical component, $S$ the season and $I$ the random error. Most commonly the trend, cyclical component or season can represent observations in daily/weekly cycles. The information about the trend or season can facilitate predicting some kind of behavior. For instance, if daily network analysis conducted over some period of time indicates that the most traffic is observed every evening, this could mean that efficient hardware resources are needed in order to handle the requests.

C. Naive forecasting

Naive forecasting is a trivial method that relies on the fact that the value from the previous period (t-1) is assigned, as the forecast, to the period immediately following it. This method assumes that a time series of n values consists of n periods, where one period is a single value in the time series. The forecast is constructed as follows:

$y_t = y_{t-1}$ (3)

where: $y_t$ is the forecast set at time t, and $y_{t-1}$ the actual value in the previous period t-1.

D. Moving average method

The method of moving average is a simple forecasting technique, generally used for time series without a tendency. The moving average forecast is constructed as follows:

$y^{*}_t = \frac{1}{k} \sum_{i=1}^{k} y_{t-i}$ (4)

where: $y^{*}_t$ is the forecast set at time t, $y$ the observed values of the series, and $k$ a smoothing constant determined by the forecaster. A moving average calculated from a larger number of past observations strongly smooths the series, but reacts more slowly to changes in the forecasted variable. On the other hand, when a forecast is calculated from a smaller number of observations, it reflects changes in the time series faster, but random fluctuations will have a greater influence.

IV. EXPONENTIAL MOVING AVERAGE FOR DETECTING ANOMALIES IN COMPUTER NETWORK TRAFFIC

As was mentioned in the previous section, the proposed method for detection of security related problems in network traffic benefits from time series analysis. The anomalous behavior of the systems is determined using the values of the behavioral attributes within a specific context. An observation might be an anomaly in a given context, but an identical data instance (in terms of behavioral attributes) could be considered normal in a different context. Contextual anomalies have been most commonly explored in time-series data [15][21].
One of the earliest works in time-series anomaly detection was proposed by Fox [3]. Some of the time series anomaly detection approaches use basic regression based models [19]. Another variant detects anomalies in multivariate time-series data generated by an Autoregressive Moving Average process [4]. Any observation is tested to be anomalous by comparing it with the covariance matrix of the autoregressive process. If the observation falls outside the modeled error for the process, it is declared to be an anomaly. An extension to this technique is made by using Support Vector Regression [10]. Another example of anomaly detection in time-series data has been proposed by Basu and Meckesheimer [1]. For a given instance in a time series the authors compare the observed value to the median of the neighborhood values.

The first proposed method of anomaly detection in time series can be applied to detect anomalies in various types of values measured during network traffic measurement. The only requirement is that the values must constitute a time series (e.g. the memory and CPU usage level of the network nodes, the number of incoming and outgoing bytes, etc.). The detected anomalies can be related to various types of attacks. For example, a high CPU utilization level or a remarkably greater volume of data received by a service can usually be observed during denial of service (DoS) attacks [24]. Other, more specific types of attacks, e.g. a traffic injection attack, can also be detected by time series anomaly detection methods. As this type of attack imposes extra processing effort on a service, it should be noticed during CPU utilization level analysis [25]. Another example of an attack, a traffic ruffling attack, disrupts user request spacing and creates traffic bursts or abnormal interarrival times, which can be noticed in time series describing incoming or outgoing traffic and the number of user requests.

The proposed analysis of time series performed to detect an anomalous state of communication between interacting services is done in four steps. The first one is feature selection. A selection algorithm chooses among a set of candidate feature functions. The feature function applied at this stage of the project development is the function computing the average number of bytes sent/received by the service during a fixed time window. The second step is parameter estimation. In the general approach a new feature function is added to the model and the weights of all feature functions are updated. Collected historical data about service behavior (feature values) are compared with the current feature value. After this step the model of service behavior is constructed. This model is built by iterating steps 1 and 2 until a predefined stopping criterion is met. The functionality of time series anomaly detection demonstrated in this section assumes the existence of one preselected feature function (as described above), so the model of the network traffic is fixed. Finally, the last step is anomaly detection. A large difference between the distribution of the selected feature value and a baseline distribution derived from training data indicates an anomaly. The formal criterion for anomaly detection and the implementation of these four steps performed by the anomaly detection module is presented below.

A. Anomaly detection and security level evaluation

The proposed solution assumes that the typical behavior of most computer systems shows some periodicity, e.g. the number of processes executed during the day time or the data transferred. The length of the characteristic period varies from system to system, but typically the most significant correlations in system parameter values can be noticed in day and week long periods. The general idea of one of the implemented detection algorithms is as follows. First, a time series is created (from the starting point of measurement $x_1$ to the current $i$-th element):

$X_{T,i} = \{x_1, x_2, x_3, \ldots, x_j, x_{j+1}, \ldots, x_i\}$

where the elements of $X_{T,i}$ are the values of the measured data volume transferred in the monitored system. Apart from the $X_{T,i}$ time series, two other families of sub-time series are analyzed by the anomaly detection algorithm. The first one:

$X_{S,i} = \{x_i, x_{i+P}, x_{i+2P}, \ldots, x_{i+kP}\}$

where the elements of $X_{S,i}$ are values taken from $X_{T,i}$ and each two subsequent elements are at a distance of $P$. $P$ is a value describing the period length, in our case equal to 24 hours (1 working day). The second family of sub-time series:

$X_{L,i} = \{x_i, x_{i+1}, x_{i+2}, \ldots, x_{i+P-1}\}$

where the elements of $X_{L,i}$ are all subsequent values taken from the time series $X_{T,i}$ from a particular $i$-th period of observation (Fig. 1).

[Fig. 1. Time Series Analysis for Anomaly Detection]

For each of the above described families of time series the exponentially weighted moving average values are evaluated using the standard Exponential Moving Average (EMA) formula:

$\bar{X}_{T,i} = \bar{X}_{T,i-1} + w \cdot (x_i - \bar{X}_{T,i-1})$ (5)

where $\bar{X}_{T,i}$ is the exponential moving average calculated for the $X_{T,i}$ time series at the $i$-th point and $w$ is a coefficient with an empirically assigned value. In the corresponding way the values of the exponential moving average of $X_{L,i}$ and $X_{S,i}$ are calculated.

The observed values characterizing the behavior of the network are analyzed in a three dimensional space (time series $X_{T,i}$, $X_{L,i}$, $X_{S,i}$). This multidimensional analysis improves the precision of anomaly detection [9]. Especially, taking the three dimensions together allows for a better understanding of the seasonal and trend changes appearing in the time series. For each time series the estimates of the appropriate standard deviation ($\sigma_{T,i}$) and local difference ($\Delta_{T,i}$) are evaluated in the following way:

$\Delta_{T,i} = x_i - \bar{X}_{T,i}$ (6)

$\sigma_{T,i}^{2} = \frac{1}{i-1} \sum_{j=1}^{i} \left(x_j - \bar{X}_{T,i}\right)^{2}$ (7)

The $\sigma_{T,i}$ estimates the measure of variability of the $X_{T,i}$ time series values and $\Delta_{T,i}$ evaluates how much the current observation differs from the average at the current time point. The values $\sigma_{S,i}$, $\sigma_{L,i}$ and $\Delta_{S,i}$, $\Delta_{L,i}$ for the two remaining time series are calculated in the corresponding way. Using the estimates of standard deviation defined here we define the opinion (b, d, u) about the security level of the observed network traffic. The formal definition of the disbelief value in time series analysis during the security level evaluation process is given by the following formula [1][7][8][9]:

$d = \min\left(1,\ \frac{\sqrt{\Delta_{S,i}^{2} + \Delta_{L,i}^{2}}}{3\sqrt{\sigma_{S,i}^{2} + \sigma_{L,i}^{2}}}\right)$ (8)

The disbelief value d ranges from 0 to 1. When the detected anomaly is relatively small (near the average values) the d value will be near 0. When we observe a high deviation from the earlier observed values (three times greater than the standard deviation), the disbelief value d equals 1. The uncertainty value u in the opinion (b, d, u) about the security level of the monitored communication link is evaluated using the following formula:

$u = \begin{cases} 0 & \text{if } d = 1 \\ \min\left(1 - d,\ \rho_{S,L,i}\right) & \text{if } d < 1 \end{cases}$ (9)

where $\rho_{S,L,i}$ denotes the proportion between the estimate of variance calculated for the last period of observation and the variance calculated for all observations from the $X_{S,i}$ sub-time series.

[Fig. 2. Traffic Injection Attack]
[Fig. 3. Traffic Ruffling Attack]

B. Evaluation of anomaly detection using Exponential Moving Average

The test scenario investigates the feasibility of detecting anomalies related to some specific security threats such as traffic injection and traffic ruffling. In the first example of this scenario attacks have been simulated by disturbing the data volume transmitted by a service by injecting some malicious traffic. At the beginning, the typical traffic generated by standard network services has been captured during the test phase. Next, the captured traffic has been reengineered to simulate traffic injection and ruffling attacks. Using the tcpreplay tool the previously captured traffic has been resent 7 times (tcpreplay --loop=7 --intf1=eth0 u1_u2.pcap). Simultaneously, using the algorithm described in the previous section and the data stream provided by standard network services, a time series characterizing the typical traffic volume of the network was created. The anomaly detection algorithm recognizes the traffic characteristic as typical behavior and reports it as an event without risk: opinion b=1, d=0, u=0. After some 2 intervals the malicious traffic has been injected. The additional packets have been generated by the tcpreplay tool (tcpreplay --loop=30 --intf1=eth1 u1_u2.pcap) and the new values of the time series describing the traffic volume related to the selected network services have been analyzed by the detection algorithm. The algorithm detects that the traffic volume has changed and generates reports with the corresponding value of the opinion about the network security level: b<1, d>0, u>0. The plot of the changes in the opinion values for each of the measurement intervals is illustrated in Figure 2. As the injected traffic infers more time series elements, the disbelief increases. After some time the additional packets, as they are generated with a constant distribution of the packet inter-departure time value, do not increase the disbelief values any more. The uncertainty value u grows (and decreases) in the corresponding way to the changes introduced by the additional traffic volume.

The next traffic related attack scenario shows simulated traffic ruffling. The typical traffic generated by network services has been simulated in the analogous way as in the previous example. After some 2 intervals the attack starts and in consequence the traffic has been disrupted. The ruffling attack has been simulated by modification of the packet generator parameter values to tcpreplay --multiplier=5.2 --intf1=eth0 u1_u2.pcap, which means that the captured traffic has been replayed 5.2 times faster than it was captured. The plot of the changes in severity and intensity values is illustrated in Figure 3. This experiment shows that this type of attack generates more fluctuations in the disbelief value than the traffic injection attack. It is the effect of the overlapping of different periods of the typical and malicious traffic. This type of attack on communication links infers the time series in a more complicated way, which can be seen in Figure 3. This difference can also be used to distinguish different types of attacks against networks. Attack type recognition using the disbelief values collected from the security evaluation module is an interesting aim for further research.

V. EVALUATION OF ANOMALY DETECTION USING PREDICTION METHODS

The goal of the second experiment is to verify the possibility of anomaly detection with the application of forecasting methods. We forecast network traffic with the use of time series methods (described in Section III) and compare the forecasted values with the real traffic. During this experiment the time between sent packets is analyzed; for this purpose we used the response time from the server for each packet and computed the differences between the values related to adjacent packets. The response time from the server has been derived from the network sniffer Wireshark. This software is also able to simulate a computer network. We used this program to generate two time series; this procedure is described in the next part of the paper.

A. Preparation of the experiment

The first stage of the experiment is the preparation of two time series, the data sets which will be used to analyze the efficiency of the used methodology. For this purpose, a network sniffer called Wireshark was used as a test environment for simulating computer network traffic. Wireshark allows capturing network packets, and the data describing these packets (inter alia packet transmission time, response time from the server, type of protocol, and so on) can be exported into an XML file. We used the information about the response time from the server and created two time series:

1. A time series with undisturbed (non-anomalous) data; this time series contains the times of responses from the server during normal traffic. These data were captured when there were no untypical situations, like a network load.

2. A time series containing unusual situations; in order to generate the second time series with unusual situations, a normal network load was disrupted by running several websites offering online movie watching and web games, and also by using "bots" whose aim is to open graphically demanding websites. It resulted in an increased network server response time.

The following assumptions have been made:

1. A model: the time series of forecasts generated by the algorithms (described in Section III);

2. A normal state: the value of the network state (response time) which does not exceed the assumed threshold value of the relevant state value obtained from the model;

3. Anomaly: the value of the network state which exceeds the assumed threshold value of the relevant state value obtained from the model;

4. The level of the threshold value (tolerance) was assumed at 0.2 second as the maximum value in the input dataset. We assumed that exceeding this value (both positive or negative) is found as an anomaly.

B. Method for anomaly detection in time series

The algorithms described in Section III were implemented to predict the future values of the time series. The prediction is done with the data sets without abnormal situations. Then, the predicted values are compared with the time series containing untypical situations (anomalies). Comparison of the series is performed by calculating the distance between the predicted value and the currently observed value.

C. Experimental results

The experiment was conducted as follows:

- On the basis of the time series with undisturbed data, forecasts were generated with different models (which are time series of forecasts generated by the used algorithms);
- The model results were compared with the time series containing untypical situations (obtained in the way described in Section III);
- A graph was generated showing the size of the differences provided by the model in relation to the values within the time series with anomalies.

All of the described algorithms were implemented in MATLAB. In the graphs (Figs. 4-7), the X-axis is the time (in seconds) of packet transmission and the Y-axis contains the response time from the server. The graphs show the time difference between the forecasts of the model and the input time series containing anomalies. Bolded fragments on the graphs denote values that do not fit in the assumed tolerance. We additionally assumed that an anomaly is when the real value is greater than the forecasted value (considering the level of 0.2 second).

[Fig. 4. The Comparison of Input Time Series (With Tolerances) With Forecasts Generated By Seasonal Decomposition]
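As an added worked example (ours, not the authors' MATLAB code, which the paper does not reproduce), the following Python script implements the four forecasting methods of Section III (Eqs. 1-4) and the comparison rule of Section V.B with the 0.2 s tolerance. The response-time series are constructed inline, with a ten-sample overload standing in for the disturbed Wireshark capture; the smoothing factor α = 0.5, the window k = 3, the 24-sample period and the simplified classical form of the seasonal decomposition are our assumptions, since the paper does not state the values it used.

```python
import math

TOLERANCE = 0.2   # seconds: the paper's threshold for the response-time experiment


def brown_forecasts(x, alpha=0.5):
    """One-step-ahead forecasts by Brown's simple exponential smoothing, Eq. (1):
    y_t = alpha*X_t + (1-alpha)*y_{t-1}. The forecast for step t is the smoothed
    value of everything observed before t (alpha=0.5 is our assumption)."""
    smoothed = x[0]
    forecasts = [x[0]]            # no history at t=0: forecast the first observation itself
    for value in x[1:]:
        forecasts.append(smoothed)
        smoothed = alpha * value + (1 - alpha) * smoothed
    return forecasts


def naive_forecasts(x):
    """Naive forecasting, Eq. (3): y_t = y_{t-1}."""
    return [x[0]] + list(x[:-1])


def moving_average_forecasts(x, k=3):
    """Moving average, Eq. (4): mean of the previous k observations (fewer at the start)."""
    forecasts = []
    for t in range(len(x)):
        window = x[max(0, t - k):t] or x[:1]
        forecasts.append(sum(window) / len(window))
    return forecasts


def seasonal_forecasts(x, period=24):
    """Multiplicative decomposition y = T*C*S*I, Eq. (2), in a simplified classical
    form (our simplification, not the paper's implementation): T(t) is the mean of
    the previous period, S(phase) the mean ratio x/T per phase normalised to average 1,
    and the forecast is T(t)*S(t mod period). C and I remain in the residual."""
    n = len(x)
    trend = []
    for t in range(n):
        window = x[max(0, t - period):t] or x[:1]
        trend.append(sum(window) / len(window))
    ratios = [[] for _ in range(period)]
    for t in range(n):
        if trend[t] > 0:
            ratios[t % period].append(x[t] / trend[t])
    season = [sum(r) / len(r) if r else 1.0 for r in ratios]
    mean_index = sum(season) / period
    season = [s / mean_index for s in season]
    return [trend[t] * season[t % period] for t in range(n)]


def detect_anomalies(observed, forecast, tolerance=TOLERANCE, one_sided=True):
    """Indices where the observed (possibly disturbed) series departs from the forecast
    by more than the tolerance. one_sided=True is the paper's final rule (only
    observed > forecast + tolerance counts); False also flags drops below the forecast."""
    flagged = []
    for t, (real, pred) in enumerate(zip(observed, forecast)):
        diff = real - pred
        if diff > tolerance or (not one_sided and diff < -tolerance):
            flagged.append(t)
    return flagged


def constructed_response_times(n=96, period=24, overload=range(40, 50), extra=0.4):
    """Constructed server response times in seconds (a stand-in for the Wireshark
    exports): an undisturbed series with a daily-shaped pattern and small jitter, and a
    copy of it with an overload (extra delay) on ten consecutive samples."""
    undisturbed = []
    for t in range(n):
        base = 0.05 + 0.01 * math.sin(2 * math.pi * (t % period) / period)
        jitter = 0.002 * ((3 * t) % 5 - 2)          # deterministic jitter in [-4 ms, 4 ms]
        undisturbed.append(base + jitter)
    disturbed = [v + (extra if t in overload else 0.0) for t, v in enumerate(undisturbed)]
    return undisturbed, disturbed


def run_experiment():
    """Section V procedure: build forecasts from the undisturbed series with each method,
    compare them with the disturbed series and return the flagged indices per method."""
    undisturbed, disturbed = constructed_response_times()
    models = {
        "brown": brown_forecasts(undisturbed),
        "naive": naive_forecasts(undisturbed),
        "moving_average": moving_average_forecasts(undisturbed),
        "seasonal": seasonal_forecasts(undisturbed),
    }
    return {name: detect_anomalies(disturbed, fc) for name, fc in models.items()}


if __name__ == "__main__":
    for name, hits in run_experiment().items():
        print(f"{name:15s} flagged {len(hits)} samples: {hits}")
```

With this constructed input every method flags exactly the overloaded samples, because the forecasts are built from the undisturbed series and never see the overload; on real captures the methods differ in how far their forecasts lag the true response time, which is what the paper's statistical comparison in Section V.D measures.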
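An added example (ours, not code from the paper) of the EMA-based security-level evaluation of Section IV.A, to make the sub-series and Eqs. (5)-(9) concrete: an hourly traffic-volume series with period P = 24 is constructed inline, a burst of injected traffic is added on the last day, and an opinion (b, d, u) is computed for each sample. The EMA weight w = 0.1, the burst size, and our reading of the variance proportion in Eq. (9) (variance of the current period over the variance of the same-phase series X_S, clipped to 1) are assumptions; the paper gives w only as "empirically assigned".

```python
import math

PERIOD = 24     # P: period length in samples (hourly samples, one working day)
WEIGHT = 0.1    # w: EMA coefficient; the paper assigns it empirically, 0.1 is our choice


def ema(values, w):
    """Exponential moving average of a list, Eq. (5): X_i = X_{i-1} + w*(x_i - X_{i-1})."""
    avg = values[0]
    for x in values[1:]:
        avg = avg + w * (x - avg)
    return avg


def local_difference(values, avg):
    """Delta, Eq. (6): how far the newest member is from the average."""
    return values[-1] - avg


def std_about(values, avg):
    """sigma, Eq. (7): sample standard deviation of the members about the EMA value.
    With fewer than two members there is no variability estimate yet, so 0."""
    if len(values) < 2:
        return 0.0
    return math.sqrt(sum((x - avg) ** 2 for x in values) / (len(values) - 1))


def sub_series(series, i, period):
    """The three families of Section IV.A for the i-th (0-based) sample."""
    x_t = series[: i + 1]                       # X_T: everything observed so far
    x_s = series[i % period : i + 1 : period]   # X_S: the same phase in every period
    x_l = series[i - i % period : i + 1]        # X_L: the current period so far
    return x_t, x_s, x_l


def opinion(series, i, period=PERIOD, w=WEIGHT):
    """Subjective-logic opinion (b, d, u) for sample i from Eqs. (8) and (9).
    X_T is computed for completeness; d and u use only X_S and X_L, as in the paper."""
    _, x_s, x_l = sub_series(series, i, period)
    avg_s, avg_l = ema(x_s, w), ema(x_l, w)
    delta_s, delta_l = local_difference(x_s, avg_s), local_difference(x_l, avg_l)
    sigma_s, sigma_l = std_about(x_s, avg_s), std_about(x_l, avg_l)
    denom = 3.0 * math.hypot(sigma_s, sigma_l)          # "three times the standard deviation"
    if denom == 0.0:
        d = 0.0                                          # no history yet: nothing to disbelieve
    else:
        d = min(1.0, math.hypot(delta_s, delta_l) / denom)   # Eq. (8)
    if d >= 1.0:
        u = 0.0                                          # Eq. (9), first case
    else:
        # rho: our reading of "proportion between the variance for the last period and
        # the variance of all observations from X_S", clipped to 1 (assumption)
        var_l, var_s = sigma_l ** 2, sigma_s ** 2
        rho = min(1.0, var_l / var_s) if var_s > 0.0 else 0.0
        u = min(1.0 - d, rho)                            # Eq. (9), second case
    b = 1.0 - d - u                                      # belief completes the opinion
    return b, d, u


def constructed_traffic(days=30, burst_day=29, burst_hours=range(12, 18), burst=1000.0):
    """Constructed hourly 'bytes transferred' series: a daily sinusoid around 100 units
    with deterministic jitter in [-3, 3], plus injected traffic for six hours on one day
    (a stand-in for the paper's tcpreplay injection). All values are made up."""
    series = []
    for i in range(days * PERIOD):
        hour = i % PERIOD
        value = 100.0 + 20.0 * math.sin(2 * math.pi * hour / PERIOD) + ((3 * i) % 7 - 3)
        if i // PERIOD == burst_day and hour in burst_hours:
            value += burst
        series.append(value)
    return series


def disbelief_trace(series, start, stop):
    """Disbelief d for samples start..stop-1, the quantity plotted in Figs. 2 and 3."""
    return [opinion(series, i)[1] for i in range(start, stop)]


if __name__ == "__main__":
    traffic = constructed_traffic()
    for i in range(29 * PERIOD + 8, 29 * PERIOD + 20):
        b, d, u = opinion(traffic, i)
        print(f"hour {i % PERIOD:2d}: b={b:.2f} d={d:.2f} u={u:.2f}")
```

On a quiet day the disbelief stays well below 1 because the same-phase history in X_S matches the new sample and X_L only lags the daily curve; at the first injected hour the sample sits far more than three standard deviations from both averages, so d clips to 1 and u drops to 0, which is the "b<1, d>0, u>0" report of Section IV.B taken to its extreme.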

D. Statistical analysis

The verification of the efficiency of the used algorithms was based on a statistical comparison of whether the time series containing anomalies do not differ significantly from the forecasts generated by the forecasting algorithms. The statistical analysis used the following data (samples):

(1) A time series with undisturbed (non-anomalous) data;
(2) A series of forecasts generated by seasonal decomposition;
(3) A series of forecasts generated by the naive method;
(4) A series of forecasts generated by Brown's exponential smoothing;
(5) A series of forecasts generated by the moving average method.

All statistical tests were made at the significance level α = 0.05. Before selecting a proper test, each of the aforementioned series was analyzed by the Lilliefors test in order to check its distribution. The results of the Lilliefors test are presented in Table 1.

Table 1. Results of the Lilliefors test
Sample | Statistical test value | p-value
(1) | 0.140238 | 0.000049
(2) | 0.247245 | <0.000001
(3) | 0.248172 | <0.000001
(4) | 0.233225 | <0.000001
(5) | 0.33142 | <0.000001

None of the analyzed samples come from a normal distribution. Therefore, for further analysis the Kruskal-Wallis ANOVA test (non-parametric) was used. The statistical test value was equal to 160.365856 and the p-value was < 0.00001. It means that the medians of the considered samples differ significantly. The visualization of the Kruskal-Wallis ANOVA test can be seen in the boxplots presented in Figures 8 and 9.

[Fig. 5. The Comparison of Input Time Series (With Tolerances) With Forecasts Generated By Brown's Exponential Smoothing]
[Fig. 6. The Comparison of Input Time Series (With Tolerances) With Forecasts Generated By Naive Method]
[Fig. 7. The Comparison of Input Time Series (With Tolerances) With Forecasts Generated By Moving Average Method]
[Fig. 8. Boxplot of Average Values]
[Fig. 9. Boxplot of Medians]

Next, a post-hoc analysis (based on the Mann-Whitney U test) was made in order to determine which series differ significantly. The results of the Mann-Whitney U test are presented in Table 2.

Table 2. Results of the Mann-Whitney U test
Samples       Test statistic   p-value
(1) and (2)   2023.5           0.0001
(1) and (3)   1745             0.0001
(1) and (4)   4955.5           0.914781
(1) and (5)   4048             0.019799

The above analysis showed that series (1) and (4) (forecasts generated by Brown's exponential smoothing) do not differ significantly. This means that the forecasts generated by this algorithm are close to the values in the time series with anomalies. The naive method of forecasting, seasonal decomposition and the moving average method detected statistically fewer anomalies.

VI. CONCLUSIONS
In this paper, methods for detecting untypical situations in network traffic were proposed and evaluated. The proposed method of security level evaluation, using a modified Exponential Moving Average with subjective logic opinions, shows how anomaly detection and time series analysis can be used to detect and classify security-related problems in computer networks. The presented results of the experiments and their statistical analysis also showed that forecasting with Brown's exponential smoothing is efficient and can be used for detecting abnormal situations in, for example, computer networks. Brown's forecasting method can be very useful in real-world networks, as it is a light-weight method of data analysis. In future work it is planned to work out a method for selecting the optimal "time window" for modeling network traffic. The importance of this problem depends on the variability of the traffic flow: at different times of day the traffic is different; for instance, in "rush hours" the traffic is expected to be increased, and during the night hours the traffic is expected to be smaller. It could also be considered how to define anomalies: whether an anomaly is an increase of traffic or its reduction, resulting for instance from a hardware failure.

Authors' Profiles
Jarosław Bernacki, born in 1989. Ph.D. candidate at Wrocław University of Technology, Poland. His main research interests include cryptography, anonymity and privacy, intelligent e-learning systems and computer networks.
Grzegorz Kołaczek, born in 1973. Ph.D. and associate professor at Wrocław University of Technology. His main research interests include computer and network security, service-oriented systems, big data analysis and optimization.