Abstract

Fast and efficient detection of anomalies is essential for maintaining a robust and secure network. This research presents a method of anomaly detection based on adaptive Wiener filtering of noise followed by ARMA modeling of network flow data. We dynamically calculate noise and traffic signal statistics using network-monitoring metrics for traffic features such as average port, high port, server ports, and peered ports. The underlying approach is tested on near-real-time Internet traffic in the wide-area network (WAN) of Ohio University. The average port feature is determined to be the most informative measure in the estimation process. High port, server ports, and peered ports are used for confirmation of the anomaly detection result. We empirically determine that most of the network features obey Gaussian-like distributions. Experiments reveal that the method is highly effective in predicting anomalies in network traffic flow and preventing any hazard that they may cause.