Title :
Network traffic anomaly detection based on catastrophe theory
Author :
Xiong, Wei ; Xiong, Naixue ; Yang, Laurence T. ; Vasilakos, Athanasios V. ; Wang, Qian ; Hu, Hanping
Author_Institution :
Inst. of Pattern Recognition & AI, Huazhong Univ. of Sci. & Technol., Wuhan, China
Abstract :
Although various methods have been proposed to detect anomalies, they are mostly based on traditional statistical physics. These methods rest on the stationary hypothesis of network traffic, which always ignores the real catastrophe process that takes place when anomalies occur. To reflect the catastrophe process of abnormal network traffic, we present a non-stationary network traffic anomaly detection approach based on catastrophe theory. The cusp catastrophe model is selected to describe the catastrophe feature of the network traffic, and the catastrophe distance is defined as an index to assess the deviation from the normal catastrophe model. The series of catastrophe distances is the main feature used to detect anomalies. We evaluate our approach using the 1999 intrusion evaluation data set of network traffic traces provided by the Defense Advanced Research Projects Agency (DARPA). Experimental results show that our approach can effectively detect network anomalies and achieve a high detection probability and a low false alarm rate.
Keywords :
catastrophe theory; information theory; telecommunication security; telecommunication traffic; DARPA; Defense Advanced Research Projects Agency; catastrophe process; cusp catastrophe model; network traffic anomaly detection; stationary hypothesis; statistical physics methods; Anomaly detection; Catastrophe Distance; Network traffic
Conference_Title :
GLOBECOM Workshops (GC Wkshps), 2010 IEEE
Conference_Location :
Miami, FL
Print_ISBN :
978-1-4244-8863-6
DOI :
10.1109/GLOCOMW.2010.5700309