Analysis of the Impact of Intensive Attacks on the Self-Similarity Degree of the
Network Traffic
Pedro R. M. Inácio
IT-Networks and Multimedia Group
Department of Computer Science
University of Beira Interior and
Nokia Siemens Networks Portugal S.A.
Rua Irmãos Siemens, no. 1
2720-093 Amadora, Portugal
pedro.inacio@nsn.com
Mário M. Freire and Manuela Pereira
IT-Networks and Multimedia Group
Department of Computer Science
University of Beira Interior
Rua Marquês de Ávila e Bolama
6201-001 Covilhã, Portugal
mario@di.ubi.pt
Paulo P. Monteiro
Institute of Telecommunications
University of Aveiro and
Nokia Siemens Networks Portugal S.A.
Rua Irmãos Siemens, no. 1
2720-093 Amadora, Portugal
paulo.1.monteiro@nsn.com
Abstract
The research on how to use self-similarity for intrusion detection is not
unfounded, as the scaling properties seem to partially define the very nature
of aggregated traffic, and may become a potential differentiating factor in the
presence of an anomaly. This paper explains how network intensive attacks can
be injected into simulated traces of traffic, and then analyzes them using a
fast windowed version of the Variance Time (VT) estimator, optimized for the
purpose of estimating the self-similarity degree in a point-by-point manner.
The estimator is also applied to a trace of the well-known Massachusetts
Institute of Technology / Defense Advanced Research Projects Agency (MIT/DARPA)
data set, leading to the conclusion that, during an attack, the insertion of a
constant component may induce a significant increase of the local scope
self-similarity degree, which may be used to raise suspicion of malicious
activities and trigger further monitoring mechanisms.
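The following sketch is an added illustration, not code from the paper: a plain (not the authors' fast) windowed Variance Time estimator applied to a constructed trace in which a constant-rate component is inserted for a limited interval. The aggregation levels, window size, step, alert threshold and the i.i.d. background traffic are all assumptions made for the example.

```python
import math
import random
from statistics import pvariance

LEVELS = (1, 2, 4, 8, 16, 32)  # aggregation levels m (assumed, not from the paper)

def vt_hurst(x, levels=LEVELS):
    """Variance-Time estimate of H: Var(X^(m)) ~ m^(2H-2), so H = 1 + slope/2."""
    pts = []
    for m in levels:
        # Aggregate the series into non-overlapping block means of size m.
        blocks = [sum(x[i:i + m]) / m for i in range(0, len(x) - m + 1, m)]
        pts.append((math.log(m), math.log(pvariance(blocks))))
    # Least-squares slope of log-variance against log-aggregation level.
    mx = sum(p[0] for p in pts) / len(pts)
    my = sum(p[1] for p in pts) / len(pts)
    slope = (sum((px - mx) * (py - my) for px, py in pts)
             / sum((px - mx) ** 2 for px, _ in pts))
    return 1 + slope / 2

def windowed_vt(series, window=1024, step=512):
    """Estimate H over a sliding window; returns (window_start, H) pairs."""
    return [(s, vt_hurst(series[s:s + window]))
            for s in range(0, len(series) - window + 1, step)]

def constructed_trace(n=4096, attack=(1536, 2560), rate=50.0, seed=7):
    """Constructed sample: i.i.d. background (H near 0.5) plus a constant component."""
    rng = random.Random(seed)
    return [rng.gauss(100.0, 10.0) + (rate if attack[0] <= t < attack[1] else 0.0)
            for t in range(n)]

def suspicious_windows(series, threshold=0.8):
    """Window starts whose local H exceeds the (assumed) alert threshold."""
    return [s for s, h in windowed_vt(series) if h > threshold]

if __name__ == "__main__":
    trace = constructed_trace()
    for start, h in windowed_vt(trace):
        print(f"window [{start:4d}, {start + 1024:4d})  H = {h:.2f}")
    print("flagged:", suspicious_windows(trace))
```

In this constructed trace the local estimate rises in the windows that contain the start or the end of the inserted component, while a window lying entirely inside it sees only a shifted mean and stays near the background value.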
1. Introduction
Since the developments that revealed the so-called fractal nature of network
aggregated traffic [9, 6], the concept of self-similarity has gathered special
interest from the telecommunications research community, being the subject of
many contributions over the years [1, 5, 11, 14], where it was observed from
many different perspectives. Some focus on how the self-similar traces can be
modeled [10], others try to understand how that affects the way traffic is
handled along its path to a destination [11], others aim for the development of
tools for the estimation of the parameters of long-range dependence [5], and
others yet describe it as a model for well-behaved traffic and propose it to
identify anomalies [1, 12].
A tool for intrusion detection inspired by the self-similar properties of the
traffic embodies, obviously, a traffic characterization mechanism, as it bases
its operation on an assumption of normality, and aims to enhance the
differences to that normality, possibly introduced by malicious activities. As
the statistical properties that a method like this tries to explore apply to
some of the most general aspects of the traffic, it should be emphasized that
it actually strives to categorize traffic in the dark. Such mechanisms may
exhibit many advantages, for they do not need to match a database of signatures
with the traffic stream they are observing, nor to look too deeply into the
contents of the packets. Despite that, they may suffer from a lack of precision
due to the fact that they are not using all the available infor-
The Second International Conference on Emerging Security Information, Systems and Technologies
978-0-7695-3329-2/08 $25.00 © 2008 IEEE
DOI 10.1109/SECURWARE.2008.28
107