ANOMALY DETECTION USING HOLT-WINTERS FORECAST MODEL

Alex Soares de Moura
RNP Rede Nacional de Ensino e Pesquisa
Rua Lauro Müller, 116 sala 1103, Rio de Janeiro, Brazil
alex@rnp.br

Sidney Cunha de Lucena
UNIRIO Universidade Federal do Estado do Rio de Janeiro
Av. Pasteur, 458 CCET sala 111, Rio de Janeiro, Brazil
sidney@uniriotec.br

ABSTRACT

Attacks against networks and their services are a permanent concern for Internet service providers and datacenters. Several methods for anomaly detection in high-speed links have been researched in recent years. This article evaluates a simple method based on the Holt-Winters forecast model to detect significant changes in the pattern of traffic parameters that are normally affected in the presence of anomalies. This work also proposes and evaluates the use of filters to increase the effectiveness of the method for the detection of specific types of attacks. Results confirm the usefulness of this proposal for detecting malicious traffic related to a TCP SYN flood attack and to the propagation of the Slammer worm, both applied to real traffic samples from the Brazilian NREN.

KEYWORDS

Anomaly detection, Holt-Winters forecast model, entropy, DoS attacks.

1. INTRODUCTION

Hosting and collocation services have been commonly used by clients of different magnitudes. The increase in the popularity of these solutions, where providers host widespread network services such as email and web sites in their own clouds, together with the progressively lower prices of broadband access, brings a corresponding increase in the providers' network traffic. As a consequence, more attention to security issues is needed, since the probability of an attack increases as the number of clients grows. Given this growth, a reactive way of dealing with security problems may lead to a decrease in the credibility of the services. So it becomes important for providers to adopt a proactive way of detecting anomalous traffic that may be flowing through the network, in order to take the respective countermeasures as soon as possible.

Several anomaly detection methods have been proposed in recent years, not all of them suitable for use by Internet Service Providers (ISPs). The work in Silveira 2010 provides a taxonomy of event detection methods that can be used for anomaly detection. The methods are structured as: signature-based (used by IDSes), based on control data (inspecting DNS messages or BGP feeds, for example), based on application-specific data (searching for security problems in a specific application), based on non-aggregate traffic data (looking for anomalies in the traffic of a specific host) and based on aggregate traffic data (analysing the traffic on network links). Considering high-volume traffic and the need to detect anomalies of different types, detection based on aggregate traffic is the most appropriate for ISPs.

It is worth noting that an anomaly is not necessarily caused by malicious activity. For example, link failures or abrupt routing changes also cause traffic anomalies. For this reason, it is also necessary to use root cause analysis to distinguish what kind of problem has been detected (Silveira and Diot 2010). Root cause analysis is out of the scope of the present work.
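The detection approach the abstract describes, a Holt-Winters forecast whose deviation from the observed traffic parameter signals an anomaly, as an added worked example that is not the authors' code: the smoothing constants alpha/beta/gamma, the band multiplier delta and the min_band floor are assumed illustrative values, and the per-interval SYN-count series is constructed, not captured traffic.

```python
# Added example (not the paper's code): additive Holt-Winters one-step forecast
# with a smoothed-deviation band, used to flag anomalous samples of a traffic
# parameter. alpha/beta/gamma, delta and min_band are assumed illustrative values.
from typing import List, Tuple


def holt_winters_anomalies(series: List[float], m: int, alpha: float = 0.5,
                           beta: float = 0.1, gamma: float = 0.3,
                           delta: float = 3.0, min_band: float = 5.0
                           ) -> List[Tuple[int, float, float, bool]]:
    """Return (index, observed, forecast, anomalous) for every sample.

    m is the season length (e.g. samples per day). The first two seasons
    initialise level, trend and seasonal terms and are never flagged. A sample is
    anomalous when |observed - forecast| exceeds delta * smoothed deviation for
    its slot; min_band keeps a flat history from yielding a zero-width band.
    """
    if len(series) < 2 * m:
        raise ValueError("need at least two full seasons of history")
    first, second = series[:m], series[m:2 * m]
    level = sum(first) / m
    trend = (sum(second) - sum(first)) / (m * m)  # mean change per sample
    seasonal = [y - level for y in first]
    dev = [0.0] * m                                # smoothed |residual| per slot
    out = []
    for t, y in enumerate(series):
        k = t % m
        forecast = level + trend + seasonal[k]    # one-step-ahead prediction
        band = max(delta * dev[k], min_band)
        anomalous = t >= 2 * m and abs(y - forecast) > band
        out.append((t, y, forecast, anomalous))
        # Standard updates; the observation is always fed back, so samples right
        # after a large spike may also be flagged while the model re-adapts.
        new_level = alpha * (y - seasonal[k]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[k] = gamma * (y - new_level) + (1 - gamma) * seasonal[k]
        dev[k] = gamma * abs(y - forecast) + (1 - gamma) * dev[k]
        level = new_level
    return out


# Constructed input: SYN segments per 3-hour interval (8 per day) over 4 days,
# with a burst injected on day 4, slot 3 to mimic the onset of a SYN flood.
DAILY_PROFILE = [10, 12, 15, 20, 25, 20, 15, 12]
SYN_COUNTS = DAILY_PROFILE * 4
SYN_COUNTS[27] = 120


def flagged_intervals(series: List[float], m: int = 8) -> List[int]:
    """Indices the detector marks as anomalous."""
    return [t for t, _, _, a in holt_winters_anomalies(series, m) if a]
```

Running `flagged_intervals(SYN_COUNTS)` reports interval 27, where the injected burst (120 against a forecast of 20) leaves the band; a clean repetition of the daily profile yields no flags.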