Network Traffic Analytics for Internet Service Providers—Application in Early Prediction of DDoS Attacks

  • Apostolos P. Leros
  • Antonios S. Andreatos
Part of the Intelligent Systems Reference Library book series (ISRL, volume 149)


In this chapter, an approach for modelling intra-values forecasts of a network traffic time series using a mean reverting stochastic process (MRSP) is presented. An autoregressive model of order n, AR(n), formalized in state space, with its unobservable coefficients estimated by a Kalman filter using n past time-series observations, produces [AR(n)-KF] estimates, which constitute the mean reverting part of the process. A Brownian motion multiplied by a diffusion (or volatility) term constitutes the stochastic part of the process. The determinant and trace of the Kalman filter error covariance matrix, multiplied by the process itself, are used to capture the diffusion dynamics in the intra-values time series. The proposed algorithm is designed especially for network traffic and does not assume stationary data. The method was tested using real traffic data from GRnet concerning our institutional network. Experimental as well as simulation results based on real daily data from the GRnet IP traffic demonstrate the applicability of the model. The proposed MRSP algorithm was able to successfully identify unusual activities contained in the test datasets and produce proper warnings. Applications to real-time D/DoS bandwidth-flooding attack detection are also presented.
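The AR(n)-KF part of the abstract can be sketched as follows; this is an added example, not the chapter's code. The noise variances, the warm-up length, the constructed traffic series and the 3-sigma innovation gate are assumptions; the gate stands in for the chapter's diffusion term, whose exact form this page does not give.

```python
import math

def ar_kf_warnings(y, n=3, q=1e-6, r=25.0, p0=1e3, gate=3.0, warmup=24):
    """Track AR(n) coefficients with a Kalman filter and return the indices
    whose one-step forecast error exceeds gate * sqrt(innovation variance).
    q, r, p0, gate and warmup are assumed tuning values."""
    a = [0.0] * n                                    # state: AR coefficients
    P = [[p0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    warnings = []
    for k in range(n, len(y)):
        h = [y[k - 1 - i] for i in range(n)]         # regressor: n past samples
        for i in range(n):
            P[i][i] += q                             # random-walk coefficients,
                                                     # so no stationarity assumed
        Ph = [sum(P[i][j] * h[j] for j in range(n)) for i in range(n)]
        s = sum(h[i] * Ph[i] for i in range(n)) + r  # innovation variance
        e = y[k] - sum(a[i] * h[i] for i in range(n))  # forecast error
        if k >= warmup and abs(e) > gate * math.sqrt(s):
            warnings.append(k)
            continue                                 # do not learn from flagged samples
        gain = [v / s for v in Ph]
        a = [a[i] + gain[i] * e for i in range(n)]
        P = [[P[i][j] - gain[i] * Ph[j] for j in range(n)] for i in range(n)]
    return warnings

def constructed_traffic(length=80, attack_start=60, attack_len=6):
    """Constructed sample (not GRnet data): Mbit/s with a periodic load cycle,
    small deterministic jitter and a bandwidth flood from attack_start."""
    series = []
    for k in range(length):
        v = 100 + 30 * math.sin(2 * math.pi * k / 8) + 0.3 * ((7 * k) % 5 - 2)
        if attack_start <= k < attack_start + attack_len:
            v += 400                                 # flood adds 400 Mbit/s
        series.append(v)
    return series

if __name__ == "__main__":
    print("warning indices:", ar_kf_warnings(constructed_traffic()))
```

Because the learned coefficients sum to roughly one on this series, a sustained level shift is flagged at its onset and at its end rather than for its whole duration, which is why the first warning index is the useful signal here.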


Keywords: Network traffic; Mean reverting stochastic process; Autoregressive model; State space; Kalman filter; Time-series prediction; Router bandwidth demand prediction; DDoS bandwidth-flooding attack detection



Copyright information

© Springer International Publishing AG, part of Springer Nature 2019

Authors and Affiliations

  1. Department of Automation, School of Technological Applications, Technological Educational Institute of Sterea Ellada, Psachna, Evia, Greece
  2. Division of Computer Engineering and Information Science, Hellenic Air Force Academy, Dekeleia Air Force Base, Dekeleia, Attica, Greece
