Title :
Time based anomaly detection using residual polynomial fitting on aggregate traffic statistic
Author :
Yudha Purwanto; Kuspriyanto; Hendrawan; Budi Rahardjo
Author_Institution :
Sekolah Tinggi Elektro dan Komunikasi, Institut Teknologi Bandung, Bandung, Indonesia
Abstract :
Flashcrowd and Distributed Denial of Service (DDoS) events have almost the same symptoms across the network and server, but a security element such as an Intrusion Detection System (IDS) must handle the two differently. If the IDS cannot differentiate a flashcrowd from a DDoS attack, the Quality of Service of legitimate user traffic in a flashcrowd will be degraded. So it is important for an IDS to differentiate between flashcrowd and DDoS. Many earlier comparison methods could sense the anomalous event, but did not pay much attention to identifying which flow was the anomaly. We present a residual calculation between combinations of windowed aggregate traffic statistical values. With the residual calculated between the 10th percentile and the mean, a high accuracy of flashcrowd and DDoS differentiation was obtained on synthetic anomalous events. This method can directly identify the anomalous flow and supports visual analysis to detect the start and end of both events.
Keywords :
"Computer crime","Training","Aggregates","Testing","Feature extraction","Fitting","Quality of service"
Conference_Title :
Wireless and Telematics (ICWT), 2015 1st International Conference on
Print_ISBN :
978-1-4673-8433-9
DOI :
10.1109/ICWT.2015.7449256