Traffic anomaly based detection: Anomaly detection by self-similar analysis

Denial of Service (DoS) is a hot topic phenomenon lately. The intensity of DoS attacks increasing every day with the discovery of a new attack with the same type which is Distributed Denial of Service (DDoS). Both, attack the victims by flooding a lot of packet to the traffic channels at a time. This makes the flow of packets to the victim´s becomes choked and victim do not get the desired package because the density of traffic on its network. Traffic anomaly based is a good technique to detect DDoS attack. Traffic anomaly can be used by several method. One of them is self-similarity. Self-Similarity methods is suitable to the network traffic behaviour. Self-Similarity is a scale of invariant which always have the same. Today, self-similarity has been a dominant framework for modelling network traffic. It will show a plot of the traffic will have in common, even though it has a different time., For the result we use kolmogorv-smirnov to differentiate the anomaly and normal condition in each step of self-similarity. In normal condition Kolmogorov-smirnov test always give 0 and for anomaly condition give 1 for each step. 0 means that data were analysed didn´t have a large difference. Otherwise data have a large difference. Hurst estimator provide 0,645 for normal condition. For anomaly condition, hurst estimator provide 1,443. This is compatible with previous research which states that the hurst exponent from nomal traffic will provide value between 0,5<H<1. And the anomaly traffic is outside the range.