Traffic Anomaly Detection and Traffic Shaping for Self-similar Aggregated Traffic

A number of recent measurements and studies of real traffic from modern networks demonstrated that real traffic exhibits statistical self-similarity and is Long Range Dependent (LRD) [1]. The traditional models such as Poisson or Markovian, which are short-range dependent, are basically not applicable to model self-similar traffic. On the other hand, the dramatic expansion of networking applications makes network security a pressing issue. As more and more network facilities are connected to the internet, their vulnerabilities make it easy for an attacker to initiate attacks. For example, distributed denial of service (DDoS) has caused a huge economic loss to the victims. Therefore, the detection of traffic anomaly is important to the security of modern networks. Since traffic anomalies do not have rigid rules, capturing them is fundamentally essential to enhance the robustness and survivability of communication 7networks. In this paper, we propose a functional architecture to identify traffic anomalies and reduce the degree of self-similarity of network traffic. In particular, we focus on the self-similar aggregated traffic on the access devices of an optical switched network, such as edge routers and edge switches. As a large volume of traffic flows through these network access points at very high speed, these access points are most suitable for placing the anomaly detection systems. We will expound two anomaly detection methods: Multi-Time scaling Detection (MTD) and Tolerance Adjustable Detection (TAD). MTD generates the reference traffic model based on the incoming traffic, and can detect traffic anomalies by monitoring abrupt deviation/change from well-behaved traffic using the reference model. Since the trace on every time bin contains different burstiness characteristics, we introduce the burstiness compensation parameter to smooth the deviation error caused by the burstiness differences existed in the traffic data sets. TAD is a dynamic method and can adjust the tolerance requirement as well. In addition, we propose a traffic-shaping algorithm to smooth the outgoing aggregated traffic to reduce the degree of self-similarity. The rest of the paper is organized as follows. In section 2, we briefly introduce the definition of self-similarity. Section 3 describes the functional architecture of the edge device with a monitoring module. In section 4, we propose a traffic-shaping algorithm to decrease the Hurst Parameter of the output aggregated traffic. MTD and TAD methods are presented in section 5, and section 6 is the conclusion.