A technique for early detection of cyberattacks using the traffic self-similarity property and a statistical approach

2021 
The paper discusses a technique for detecting cyberattacks on computer networks, based on identifying anomalies in network traffic by assessing its self-similarity and determining the impact of cyberattacks using statistical methods. The proposed technique comprises three stages: analysis of the self-similarity property of the reference traffic (using the Dickey-Fuller test, rescaled range, and detrended fluctuation methods), analysis of the self-similarity property of the real traffic (by the same methods), and additional processing of the time series with statistical methods (moving average, Z-Score, and CUSUM). The paper also considers the software implementation of the proposed approach and the formation of a dataset containing network packets. The experimental results demonstrated the presence of self-similarity in network traffic and confirmed the high efficiency of the proposed method. The technique allows cyberattacks to be detected in real or near real time.
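
An added sketch of two of the methods named above, not the paper's implementation: rescaled-range estimation of the Hurst exponent, and a CUSUM over Z-scores computed against the reference traffic. The function names, the `k` and `h` parameters and the constructed packets-per-second series are assumptions; the constructed series is uncorrelated noise, so its estimate stays close to the uncorrelated value of 0.5 (R/S reads slightly high on short series) rather than showing the self-similarity the paper reports.

```python
import math
import random
import statistics

def hurst_rs(series, min_window=8):
    """Hurst exponent by rescaled range: slope of log(R/S) over log(window size)."""
    xs, ys, size = [], [], min_window
    while size <= len(series) // 2:
        ratios = []
        for start in range(0, len(series) - size + 1, size):
            chunk = series[start:start + size]
            mean, sd = statistics.fmean(chunk), statistics.pstdev(chunk)
            if sd == 0:
                continue  # a flat window has no range to rescale
            cum = lo = hi = 0.0
            for x in chunk:
                cum += x - mean  # cumulative deviation from the window mean
                lo, hi = min(lo, cum), max(hi, cum)
            ratios.append((hi - lo) / sd)
        if ratios:
            xs.append(math.log(size))
            ys.append(math.log(statistics.fmean(ratios)))
        size *= 2
    if len(xs) < 2:
        raise ValueError("series too short for a log-log fit")
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / sum((x - mx) ** 2 for x in xs)

def cusum_alarms(reference, live, k=1.0, h=8.0):
    """One-sided CUSUM over Z-scores; k (slack) and h (threshold) are assumed values."""
    mu, sd = statistics.fmean(reference), statistics.pstdev(reference)
    s, alarms = 0.0, []
    for i, x in enumerate(live):
        s = max(0.0, s + (x - mu) / sd - k)  # accumulate only upward drift
        if s > h:
            alarms.append(i)
            s = 0.0  # restart the sum after an alarm
    return alarms

def constructed_traffic(seed=7, normal=600, attack=60):
    """Constructed packets-per-second samples: about 1000 pps, then a 1300 pps flood."""
    rng = random.Random(seed)
    def draw(mean, n):
        return [rng.gauss(mean, 50) for _ in range(n)]
    return draw(1000, 512), draw(1000, normal) + draw(1300, attack)

if __name__ == "__main__":
    reference, live = constructed_traffic()
    print("H =", round(hurst_rs(reference), 2), "alarms:", cusum_alarms(reference, live)[:3])
```

A strongly persistent series such as a random walk drives the same estimator toward 1, which is the contrast the self-similarity stages rely on.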