• DocumentCode
    524585
  • Title
    A wavelet-based anomaly detection for outbound network traffic
  • Author
    Limthong, Kriangkrai ; Watanapongse, Pirawat ; Kensuke, F.
  • Author_Institution
    Grad. Univ. for Adv. Studies (Sokendai), Tokyo, Japan
  • fYear
    2010
  • fDate
    15-18 June 2010
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    Monitoring and detecting network anomalies are indispensable activities for network administrators. Most anomaly detection techniques focus on inbound traffic (traffic from the Internet entering a customer network) rather than outbound traffic. However, anomalous inbound traffic patterns differ significantly from anomalous outbound traffic patterns. For network operators, outbound traffic is as important as inbound traffic because it lets them monitor unwanted activities in their own networks and prevent them from affecting other networks. In this paper, we propose a statistics-based anomaly detection method for outbound traffic. Our method involves wavelet-based analysis and a statistical distance calculation over 3 month-long traces of outbound traffic from the computer center at Kasetsart University, which had about 1,300 users per day. We added six types of synthetic incidents to four original protocol-based time series (TCP SYN, TCP SYN/ACK, ICMP, and UDP) and investigated the ability of our method to detect these anomalies. Our technique could discover short-duration malicious behavior in a moderate volume of packets as well as long-duration anomalous behavior in a small volume of packets. The experimental results include the detection accuracy and false positive rates of several wavelet components, and they indicate that our technique is useful for detecting malicious and anomalous behavior in outbound traffic at a network edge.
  • Keywords
    security of data; telecommunication security; telecommunication traffic; wavelet transforms; inbound traffic; outbound network traffic; outbound traffic; wavelet-based anomaly detection; Computer crime; Computer networks; Computerized monitoring; Electronic mail; IP networks; Informatics; Signal processing; Telecommunication traffic; Viruses (medical); Wavelet analysis; anomaly detection; network traffic; outbound; statistical distance; time series; wavelet;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information and Telecommunication Technologies (APSITT), 2010 8th Asia-Pacific Symposium on
  • Conference_Location
    Kuching
  • Print_ISBN
    978-1-4244-6413-5
  • Electronic_ISBN
    978-4-88552-244-4
  • Type
    conf
  • Filename
    5532070