Analysis of the Impact of Intensive Attacks on the Self-Similarity Degree of the Network Traffic

The research on how to use self-similarity for intrusion detection is not unfounded, as the scaling properties seem to partially define the very nature of aggregated traffic, and may become a potential differentiating factor in the presence of an anomaly. This paper explains how network intensive attacks can be injected into simulated traces of traffic, to then evolve to their analysis using a fast windowed version of the Variance Time (VT) estimator, optimized for the purpose of estimating the self-similarity degree in a point-by-point manner. The estimator is also applied to a trace of the well known Massachusetts Institute of Technology / Defense Advanced Research Projects Agency (MIT/DARPA) data set, leading to the conclusion that, during an attack, the insertion of a constant component may induce a significant increase of the local scope self-similarity degree, which may be used to suspect of the malicious activities and trigger further monitoring mechanisms.