Use of Holt-Winters Method in the Analysis of Network Traffic: Case Study

Maciej Szmit and Anna Szmit

Technical University of Lodz, ul. Zeromskiego 116, 90-924 Lodz, Poland
Maciej.Szmit@gmail.com

Abstract. The article presents the results of an analysis of a few kinds of network traffic using the Holt-Winters method. The data were obtained from five real computer networks using the Snort intrusion detection system and the AnomalyDetection preprocessor.

Keywords: anomalies detection, IDS, Holt-Winters method.

1 Introduction

Intrusion Detection Systems (IDS) are software or hardware solutions used to detect intrusion attempts against a protected network or host. They do so by monitoring network traffic or the resource usage of a protected computer system, or by analyzing system logs, in order to detect suspicious actions and then take appropriate steps, which in the majority of cases means generating an alert that communicates the detected danger.

By the way they detect attacks, misuse detection systems and anomaly detection systems can be distinguished. Misuse detection is the detection of defined behaviors which prove that an attack occurred, whereas anomaly detection assumes the existence of a predictive pattern of behavior, deviations from which are regarded as actions which can prove that a protected system was attacked. Misuse detection has, in the majority of cases, a deterministic character (rules matching the observed phenomena or actions were found or not) and is easier to express as an algorithm, whereas anomaly detection must more often refer to uncertain observations and has to use statistical methods.¹

One of the obvious areas in which predictive behavior patterns can be used is the anomaly-oriented analysis of computer network behavior, which in the literature is defined as NBAD – Network Behavioral Anomaly Detection, where single packets or network traffic can be examined.
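The predictive-pattern idea described above, sketched with additive Holt-Winters smoothing as an added example (not code from the paper or from the AnomalyDetection preprocessor). The smoothing constants, the deviation band with its floor, the choice not to retrain on flagged points, and the traffic series are all assumptions constructed for illustration.

```python
# Added example: additive Holt-Winters forecast with a deviation band.
# All parameter values and the sample series are constructed assumptions.

def holt_winters_anomalies(y, m, alpha=0.3, beta=0.05, gamma=0.3,
                           k=3.0, floor=30.0):
    """Return indices t >= 2*m where y[t] leaves forecast +/- max(k*dev, floor).

    y: per-interval traffic counts; m: season length in intervals.
    """
    if len(y) < 2 * m:
        raise ValueError("need two full seasons to initialise the model")
    # Initialise level, trend and seasonal terms from the first two seasons.
    s1, s2 = sum(y[:m]) / m, sum(y[m:2 * m]) / m
    level, trend = s2, (s2 - s1) / m
    season = [((y[i] - s1) + (y[m + i] - s2)) / 2 for i in range(m)]
    # Starting deviation: mean absolute residual of the training fit.
    dev = sum(abs(y[i] - s1 - season[i]) for i in range(m)) / m
    flagged = []
    for t in range(2 * m, len(y)):
        forecast = level + trend + season[t % m]
        err = y[t] - forecast
        if abs(err) > max(k * dev, floor):
            flagged.append(t)
            obs = forecast  # assumption: an outlier must not retrain the model
        else:
            obs = y[t]
            dev = gamma * abs(err) + (1 - gamma) * dev
        prev = level
        level = alpha * (obs - season[t % m]) + (1 - alpha) * (level + trend)
        trend = beta * (level - prev) + (1 - beta) * trend
        season[t % m] = gamma * (obs - level) + (1 - gamma) * season[t % m]
    return flagged


def sample_traffic():
    """Constructed packets-per-hour series: 5 days, office-hours bump, jitter."""
    y = [100 + (80 if 8 <= t % 24 < 18 else 0) + (t * 7) % 5 - 2
         for t in range(120)]
    y[80] += 400  # constructed burst on day 4, 08:00
    y[100] = 0    # constructed outage on day 5, 04:00
    return y


if __name__ == "__main__":
    print(holt_winters_anomalies(sample_traffic(), m=24))
```

The daily step at 08:00 and 18:00 is not flagged because the seasonal term has learned it; only the two injected deviations leave the band.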
The operation of

¹ Statistical measures have been used in IDS systems since 1987, and the first IDS in which they were implemented was the “Haystack” project conducted at Los Alamos National Laboratory (compare e.g. [1], p. 432).

A. Kwiecień, P. Gaj, and P. Stera (Eds.): CN 2011, CCIS 160, pp. 224–231, 2011. © Springer-Verlag Berlin Heidelberg 2011