Network anomaly detection for railway critical infrastructure based on autoregressive fractional integrated moving average
Tomasz Andrysiak , Łukasz Saganowski , Wojciech Mazurczyk
AbstractThe article proposes a novel two-stage network traffic anomaly detection method for the railway transportation critical infrastructure monitored using wireless sensor networks (WSN). The first step of the proposed solution is to find and eliminate any outlying observations in the analyzed parameters of the WSN traffic using a simple and fast one-dimensional quartile criterion. In the second step, the remaining data is used to estimate autoregressive fractional integrated moving average (ARFIMA) statistical models describing variability of the tested WSN parameters. The paper also introduces an effective method for the ARFIMA model parameters estimation and identification using Haslett and Raftery estimator and Hyndman and Khandakar technique. The choice of the “economically” parameterized form of the model was based on the compromise between the conciseness of representation and the estimation of the error size. To detect anomalous behavior, i.e., a potential network attack, the proposed detection method uses statistical relations between the estimated traffic model and its actual variability. The obtained experimental results prove the effectiveness of the presented approach and aptness of selection of the statistical models.
|Journal series||EURASIP Journal on Wireless Communications and Networking, ISSN 1687-1499|
|Publication size in sheets||0.65|
|Keywords in English||Anomaly detection, Statistical mode,l Network traffic prediction, Critical infrastructure, Transportation system management|
|project||The Develpment of Digital Communicatios. Project leader: Siuzdak Jerzy,
, Phone: +48 22 234-7232, start date 27-04-2015, end date 31-12-2016, IT/2015/statut, Completed
|Score|| = 20.0, 27-03-2017, ArticleFromJournal|
= 20.0, 27-03-2017, ArticleFromJournal
|Publication indicators||: 2016 = 1.529 (2) - 2016=1.558 (5)|
|Citation count*||1 (2018-02-01)|
* presented citation count is obtained through Internet information analysis and it is close to the number calculated by the Publish or Perish system.