Analysis and Detection of Anomalous Network Traffic

2016 10TH INTERNATIONAL CONFERENCE ON INNOVATIVE MOBILE AND INTERNET SERVICES IN UBIQUITOUS COMPUTING (IMIS) (2016)

Abstract
Rapid development of information and communications networks and the widespread distribution of smartphones have contributed to the steady increase in Internet utilization. This increase in Internet consumption has resulted in the creation of various services including web services, SNS (Social Networking Services), Internet banking, and remote processing systems, enhancing the quality of life globally. However, serious information security problems have surfaced alongside these services, leading to Internet privacy invasions and network attacks. This paper presents a process to detect anomalous traffic using self-similarity analysis in the ATMSim environment as a research method to resolve these problems. In order to measure anomalous traffic, normal traffic for each attack including ARP spoofing and DDoS was measured for 48 hours. Hadoop was employed to process the massive traffic data collected, and MapReduce was used after storing the data in HDFS. The detection system ATMSim, which is a new platform operating on Hadoop, was used to identify anomalous traffic, and a comparative analysis of the normal and anomalous traffic was performed through a self-similarity analysis. The collected traffic was divided into four categories according to the attack method: normal LAN traffic, DDoS attack, ARP spoofing, and DDoS and ARP spoofing attacks. The anomalous traffic detection system ATMSim was used to simulate each scenario and distinguish normal and anomalous traffic in order to determine whether real attacks can be effectively identified. Graphic and quantitative analyses based on the self-similarity estimation for the four different traffic types showed that, unlike normal traffic such as the LAN traffic, anomalous traffic exhibited a burstiness phenomenon in the graphic analysis, and its self-similarity estimation values were also high.
Keywords
Anomalous traffic detection, stochastic self-similar process, Hurst parameter, self-similar estimation method, ATMSim
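
The following is an added example, not code from the paper or from ATMSim: it estimates the Hurst parameter H with the aggregated-variance method, one common self-similarity estimator (the abstract does not name the estimator the authors used), and compares a smooth series with a bursty one. Both traffic series, the seed, the function names and the 0.7 flagging threshold are constructed assumptions for illustration.

```python
import math
import random
import statistics

N = 2 ** 14                            # samples per constructed series
BLOCKS = [2 ** k for k in range(9)]    # aggregation levels m = 1 .. 256

def hurst_aggregated_variance(series, block_sizes=BLOCKS):
    """Estimate H from Var(block means of size m) ~ m^(2H - 2)."""
    xs, ys = [], []
    for m in block_sizes:
        n_blocks = len(series) // m
        means = [sum(series[i * m:(i + 1) * m]) / m for i in range(n_blocks)]
        xs.append(math.log(m))
        ys.append(math.log(statistics.pvariance(means)))
    # Least-squares slope beta of log-variance against log-block-size.
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    beta = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
            / sum((x - mx) ** 2 for x in xs))
    return 1 + beta / 2

def constructed_normal(n, rng):
    """Constructed packets-per-interval counts: independent noise on a baseline."""
    return [100 + rng.gauss(0, 10) for _ in range(n)]

def constructed_bursty(n, rng):
    """Constructed bursty counts: ON/OFF bursts with heavy-tailed (Pareto) durations."""
    out, on = [], False
    while len(out) < n:
        duration = min(int(16 * rng.paretovariate(1.2)), 2048)
        out.extend(100 + rng.gauss(0, 10) + (200 if on else 0)
                   for _ in range(duration))
        on = not on
    return out[:n]

def classify(h, threshold=0.7):
    """Flag a series as anomalous when H exceeds an assumed threshold."""
    return "anomalous" if h > threshold else "normal"

def run(seed=2016):
    rng = random.Random(seed)
    return (hurst_aggregated_variance(constructed_normal(N, rng)),
            hurst_aggregated_variance(constructed_bursty(N, rng)))

if __name__ == "__main__":
    for label, h in zip(("smooth", "bursty"), run()):
        print(f"{label}: H = {h:.2f} -> {classify(h)}")
```

Independent counts give H close to 0.5, while the heavy-tailed bursts keep the block-mean variance high across aggregation levels and push H toward 1.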