WAVE-CUSUM: Improving CUSUM performance in network anomaly detection by means of wavelet analysis

C. Callegari*, S. Giordano, M. Pagano, T. Pepe
Dept. of Information Engineering, University of Pisa, Via Caruso 16, 56122 Pisa, Italy

Article history: Received 23 December 2011; Received in revised form 2 April 2012; Accepted 6 May 2012

Keywords: Network security; Intrusion detection system; Network anomaly detection; CUSUM; Wavelet analysis

Abstract

The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP network management, and many detection techniques able to promptly reveal and identify network attacks, mainly by detecting Heavy Changes in the network traffic, have been proposed. Among these, one of the most promising approaches is based on the use of the CUSUM (CUmulative SUM). Nonetheless, CUSUM performance is strongly affected by its sensitivity to the presence of seasonal trends in the considered data. For this reason, in this paper we propose a novel detection method based on the idea of performing a pre-processing stage on the data by means of wavelets, aimed at filtering out such trends, before applying the CUSUM algorithm. The performance analysis presented in the paper demonstrates the efficiency of the proposed method, focusing on the performance improvements due to the pre-processing stage.

© 2012 Elsevier Ltd. All rights reserved.

1. Introduction

In the last few years the Internet has experienced an explosive growth. Along with the wide proliferation of new services, the quantity and impact of attacks have been continuously increasing. The number of computer systems and their vulnerabilities has been rising, while the level of sophistication and knowledge required to carry out an attack has been decreasing, as much technical attack know-how is readily available on Web sites all over the world.
As a consequence, many research groups have focused their attention on developing novel detection techniques, able to promptly reveal and identify network attacks, mainly by detecting Heavy Changes (HCs) in the traffic volume (Brutlag, 2000; Lakhina et al., 2004; Zhang et al., 2005; Thottan and Ji, 2003). Nevertheless, the seasonal nature of Internet traffic, characterized by cyclic variations (e.g., daily and weekly trends), makes it somewhat difficult to distinguish a network anomaly from a "normal" variation of the traffic distribution, leading to systems that suffer from high percentages of false positives. For this reason, particular attention has to be devoted to the development of methods able to correctly filter out the seasonality of the data so as to reduce the number of false alarms.

To this aim, in this work we propose to use one of the most promising techniques for detecting changes in the traffic volume, namely the CUSUM (CUmulative SUM) algorithm (Salem et al., 2010), combined with a pre-filtering stage realized by means of the wavelet transform.

The main idea of the CUSUM (Basseville and Nikiforov, 1993) is to detect changes in the distribution of a given time

* Corresponding author. E-mail addresses: christian.callegari@iet.unipi.it (C. Callegari), stefano.giordano@iet.unipi.it (S. Giordano), michele.pagano@iet.unipi.it (M. Pagano), teresa.pepe@iet.unipi.it (T. Pepe).

Computers & Security 31 (2012) 727–735. Journal homepage: www.elsevier.com/locate/cose. doi:10.1016/j.cose.2012.05.001