This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/LCOMM.2016.2517622, IEEE
Communications Letters
1

A Novel DoS and DDoS Attacks Detection

Algorithm Using ARIMA Time Series Model and
Chaotic System in Computer Networks
Seyyed Meysam Tabatabaie Nezhad∗ , Mahboubeh Nazari† , and Ebrahim A. Gharavol∗
∗
Electrical Engineering Department, Imam Reza International University, Mashhad, Iran
†
Department of Mathematics, Ferdowsi University of Mashhad, Mashhad, Iran

Abstract—This article deals with the problem of detecting DoS network attacks. Frequently, time series models such as AR,
and DDoS attacks. First of all, two features including number of ARMA, FARIMA, etc. are used as proper tools for time series
packets and number of source IP addresses are extracted from forecasting [9]. Zhang et al. [3] proposed a prediction method
network traffics as detection metrics in every minute. Hence,
a time series based on the number of packets is built and based on an ARIMA model to predict DDoS attack through
normalized using a Box-Cox transformation. An ARIMA model is simulation studies with NS2. Yaacob et al. [4] introduce a
also employed to predict the number of packets in every following novel algorithm through using an ARIMA technique to detect
minute. Then, the chaotic behavior of prediction error time series potential attacks that may occur in computer networks. Their
is examined by computing the maximum Lyapunov exponent. method provide an early warning mechanism for the network
The local Lyapunov exponent is also calculated as a suitable
indicator for chaotic and non-chaotic errors. Finally, a set of administrator. Fachkha et al. [5] proposed an approach that
rules are proposed based on repeatability of chaotic behavior and is presented by a DDoS forecasting model. Anjali [6] and
enormous growth in the ratio of number of packets to number Chen et al. [7] -as the first step- perform preprocessing on the
of source IP addresses during attack times to classify normal network traffic by calculating the cumulative average of time
and attack traffics from each other. Simulation results show that series values in the time domain. Then the local Lyapunov
the proposed algorithm can accurately classify 99.5% of traffic
states. exponent is used as a suitable DDoS indicator. They also
assumed that the prediction error of an AR model is chaotic.
Index Terms—DoS and DDoS detection, Chaos, Lyapunov Furthermore, they used a neural network to improve the DDoS
exponent, Time series
detection accuracy. Because the cumulative average cannot
stabilize the variance of the data, it is not an appropriate input
I. I NTRODUCTION to an AR model [7]. In [8] Wu and Chen validate that the
Network attacks by a malicious node aiming to deny access error of the traffic prediction has chaotic characteristics. They
to resources on computer networks are called availability predict the network traffic using an exponential smoothing
based attacks. These forms of attacks are one of the most model instead of the forecasting method used in NADA [7].
serious security threats affecting network resources [1]. They The forecasting method based on exponential smoothing may
are commonly recognized as denial-of-service (DoS) attack. be inefficient in terms of accuracy [9]. Ramaki et al. [11]
When the attack is launched by more than one attacker, it is proposed two real-time methods based on stream mining for
called a distributed denial-of-service (DDoS) attack. During the DDoS attack detection and predicting the next goal of
DoS attack, intruders destroy their target(s) by sending a large the attacker. In the methods, a probabilistic approach based
number of packets that prevent legal users from having access on the Bayesian network concept is used for learning the
to network nodes. Usually, giant servers are capable enough specification of DDoS attack pattern and detecting it in alert
to endure a basic DoS attack from a single machine without streams. In this paper, it is proposed to combine the Box-
suffering performance losses [1]. The ability of an organization Cox based preprocessing, the ARIMA modeling, chaos based
to detect and preserve itself against DoS and DDoS attacks is analysis, and applying defined rules of classification in order
vital for its success. Without suitable detection and prevention to improve the efficiency of DoS/DDoS detection.
methods, an organization would be damaged by DoS and The remainder of the paper is organized as follows. Section II
DDoS attacks and suffers financial losses and reputational describes the proposed detection algorithm. Section III shows
damages [1]. There has been much research on DoS and the experimental results. Finally, a conclusion is provided in
DDoS attacks in order to accurately detect them in computer Section IV.
networks. In the following, related papers are reviewed.
Chonka et al. [2] proposed a novel DDoS detection al-
II. THE PROPOSED DETECTION ALGORITHM
gorithm which uses self-similarity theory for network traffic
modeling. The DDoS attack is detected by computing the In this section, the proposed algorithm, called TNA, is
local Lyapunov exponent. Furthermore, they claimed that briefly reviewed in Algorithm 1. The detailed explanation is
a neural network could improve the detection rate of the provided afterwards.

1089-7798 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/LCOMM.2016.2517622, IEEE
Communications Letters
2

Algorithm 1 Network traffic classification steps

Require: xi (the number of packets in every minute) and Ii
(source IP addresses of network nodes in every minute)
1: Data preprocessing using a Box-Cox transformation em-
ploying (1).
2: Forecasting based on an ARIMA model and calculating
the error based on (2).
3: Chaotic and non-chaotic errors classification by applying
a local Lyapunov exponent using (3) and (4).
4: Proposed a set of rules using (5) and (6).
5: Final decision based on (7).

A. Feature Selection

According to the number of packets in every minute (xi ), Fig. 3. Predicted values for time instants 101-960
the number of source IP addresses of network nodes in every
minute (Ii ), and dividing them to each other (yi = xi /Ii ), B. Data preprocessing Using Box-Cox
two time series (xi &yi ) are built as detection metrics Fig. 1
and Fig. 2 show these metrics, respectively. Since the non-constant variance is quite common in the time
series, data transformations are often used to improve the pre-
diction accuracy. A very popular type of data transformation to
deal with non-constant variance is the BoxCox transformation.
As a preliminary step before fitting an ARIMA model to time
series, the Box-Cox transformation has been recommended
in [9]. The one-parameter Box-Cox transformation of a time
series xi that depends on the power parameter α, is as follows:
{ (α)
x −1
(α) ( i α ), if α ̸= 0;
xi = (1)
ln(xi ), if α = 0.
The preprocessed data is denoted using xi .

C. Forecasting based on an ARIMA model and calculating the

error
Predicting models are important tools in forecasting the
time series. In order to better predict the normal traffic, an
Fig. 1. A time series based on number of packets for time instants 1-960
autoregressive integrated moving average (ARIMA) model [9]
is applied. Empirically L=100 is chosen as the ARIMA model
order. The first one-hundred samples of data are used for
predicting 101st sample(x̂101 ), and the data samples among
2-101 are employed for forecasting 102nd sample (x̂102 ).
By continuing this process, the data samples among time
indexes 101-960 are predicted. Finally, prediction error ∆xi
is calculated by subtracting the real traffic xi and the output
of Inverse Box-Cox on predicted traffic (x̂i ).
∆xi = (xi ) − (Inverse.Box.Cox(x̂i )). (2)
Fig. 3 and Fig. 4 demonstrate network traffic prediction and
error values of forecasting, respectively. In aforementioned
graphs, the first 100 samples are ignored because 2 is un-
defined for those samples.

D. Analysis of chaotic error in time series

Since error is inevitable in every forecasting system, it
Fig. 2. The ratio of packet numbers to number of source IP for time instants must be specifically analyzed. In order to determine whether
101-960 the prediction error has chaotic behavior or not, the largest

1089-7798 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/LCOMM.2016.2517622, IEEE
Communications Letters
3

Fig. 4. Error of predicted values for time instants 101-960 Fig. 5. The local Lyapunov exponent values for time instants 101-960

Lyapunov exponent is calculated [10]. As analyzed in [8], the

existence of a positive maximum Lyapunov exponent shows
that the chaotic behavior exists in prediction error values. This
means that prediction error possesses complexity behavior in
some time instants that can be further classified by computing
the local Lyapunov exponent in the next step.

E. Chaotic and non-chaotic errors classification by applying

a local Lyapunov exponent (exponential rate of error)
In this step, error value ∆xi is analyzed to classify chaotic
and non-chaotic errors, which is calculated using the local
Lyapunov exponent formula [8]:
1 ∆xi
λi = ln | |; (3)
ti ∆x1 Fig. 6. Non-chaotic(-1) and chaotic(1) errors for time instants 101-960
A positive value for λi demonstrates that the prediction error
∆xi has a complex behavior at this time instant. The predicted
value x̂i has much distance with respect to the real xi that Fig. 2. It is clear that during attack times, this ratio enormously
means a chaotic error. In fact, chaotic errors refer to abnormal grows. This fact and positive values for λi are used to detect
behavior. Furthermore, the negative value of λi shows non- attack traffics. Following behaviors simultaneously happen:
chaotic error on i-th time instant, because the prediction error 1) During attack times, the ratio of yi /y1 enormously
is so small. Non-chaotic errors refer to normal behavior. The grows (exponential growth). It means αi = ln | yyi1 | > 1
accuracy of the proposed procedure can be seen in Fig. 5. In 2) During attack times the dynamics of the traffic state
this figure, only at 160 time instants there exist chaotic states attracts to a stable state [2]. According to this fact, one
which are clearly marked with a positive λi . Now, to clearly can consider βi = ln | yyi−1 i
|≤1
represent the chaotic and non-chaotic errors as shown in Fig. 3) As mentioned in section E, during attack times the
6, a sign map is built to display the distinction, as follows: Lyapunov exponent remains positive for a while, due to
{ DoS/DDoS attacks nature. It is clearly shown in Fig. 1 as
−1, if λi < 0; well. If it is assumed that this situation is∑repeated in at
N1 (i) = (4) i
1, if λi > 0; least K consecutive minutes, then K = j=i−k+1 Nj .
Considering the repetitive number K, if the attack hap-
clearly, N1 (i)= -1 and 1 present chaotic and non-chaotic
pens at i = i0 , the system detects the attack with K-1
errors, respectively.
minutes of delay (cf. (5)). Hence, K should not be a
According to the dynamic characteristics of network traffic
large number. In this algorithm, K= 4 is selected.
during attack time, all of the chaotic states do not lead to attack
instant. Attack traffic will be detected in the next section. Finally, based on 5, traffic states, including normal and attack
are detected. The result is shown in Fig. 7.
{ ∑i
F. Normal and attack traffics detection step 1, if λi > 0, j=i−3 N1 (j) = 4, αi > 1, βi ≤ 1;
A(i) =
The ratio of packet numbers, xi , to number of source IP 0, Otherwise;
addresses, Ii , in each time instant (yi = xi /Ii ) is plotted in (5)

1089-7798 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/LCOMM.2016.2517622, IEEE
Communications Letters
4

TABLE II
C OMPARISON B ETWEEN D ETECTION R ATES O F A LGORITHMS

Algorithms Detection rate(%)

The proposed algorithm 99.5
Wu and Chen’s algorithm [8] 98.4
Anjali’s algorithm [6] 95
Chonka et al.’s algorithm [2] 94
Chen et al.’s algorithm [7] 93.75

IV. C ONCLUSIONS AND FUTURE WORKS

In this paper, a novel DoS and DDoS detection algorithm is
proposed, in which the number of packets time series variance
is fixed using the Box-Cox transformation. This choice causes
a better prediction based on an ARIMA model. In the next
step, error chaotic characteristics of time series are explored
Fig. 7. Normal(0) and attack(1) traffics detection for time instants 101-960 and the local Lyapunov exponent classify chaotic and non-
chaotic errors. Finally, based on the defined rules, normal
and attack traffics are classified from each other. Although, in
A(i)=0 and 1 represent normal and attack traffics, respectively. bursty time instants, the number of packets has a meaningfule
Furthermore, if the data set contains both DoS and DDoS difference with normal ones (they have positive Lyapanuv
traffics, the number of source IP addresses can be used to exponent), but they have not all properties of attack time
differentiate between DoS and DDoS attacks. The following instants such as features 1, 2, and 3 in the section F. Hence,
equation explores this issue: classification of attack and bursty traffics from each other
{ is an important issue. This fact is a good motivation to
0, if Ai = 1; Ii = 1 follow two goals in the future work. First, building a Darknet
D(i) = (6)
1, if Ai = 1; Ii > 1; dataset with DRDoS attack and bursty time instants using more
features (such as type of protocols, TTL values, geo-location
Clearly, D(i)=0 and 1 shows DoS and DDoS traffics, respec- of reflective IPs, etc.) and second, presenting an algorithm
tively. The above steps of the algorithm are summarized as based on chaos theory to classify attack and bursty traffic states
follows: from each other.


Normal, if Ai = 0 R EFERENCES
F D(i) = DoS, if Ai = 1, Di = 0 (7)

 [1] S. T. Zargar, J. Joshi, and D. Tipper, A survey of defense mechanisms
DDoS, if Ai = 1, Di = 1. against distributed denial of service (DDoS) flooding attacks, IEEE
Commun. Surv. Tutorials, vol. 15, no. 4, pp. 20462069, 2013.
[2] A. Chonka, J. Singh, and W. Zhou, Chaos theory based detection against
network mimicking DDoS attacks, IEEE Commun. Lett., vol. 13, no. 9,
pp. 717719, Sep. 2009.
III. EXPERIMENTAL RESULTS [3] G. Zhang, S. Jiang, G. Wei, and Q. Guan, A prediction-based detection
algorithm against distributed denial-of-service attacks, Proc. Int. Conf.
on Wireless. Commun. and Mobile. Comput, pp. 106110, 2009.
In the proposed algorithm, attack times are 54 minutes long [4] A. H. Yaacob, I. K. T. Tan, S. F. Chien, and H. K. Tan, ARIMA Based
continuously and almost all of them (51 out of 54) are correctly Network Anomaly Detection, Proc. Second Int. Conf. Commun. Softw.
detected. The proposed algorithm implemented on a Core i7 Networks, no. 1, pp. 205209, 2010.
[5] C. Fachkha, E. Bou-Harb, and M. Debbabi, Towards a Forecasting
Laptop with 2.3 GHZ CPU and 8GB RAM, using R software Model for Distributed Denial of Service Activities, 2013 IEEE 12th
environment. Furthermore, Box-Cox and ARIMA toolboxes Int. Symp. Netw. Comput. Appl., pp. 110117, 2013.
are also used in the mentioned software. Table I shows the [6] M. E. C. Science, Detection of DDoS Attacks based on Network Traffic
Prediction and Chaos Theory, vol. 5, no. 5, pp. 65026505, 2014.
confusion matrix and Table II is the detection rate of the [7] Y. Chen, X. Ma, X. Wu, DDoS Detection Algorithm Based on Pre-
proposed and previous algorithms. Although there are new processing Network Traffic Predicted Method and Chaos Theory, IEEE
data sets such as Darknet and CAIDA, but in order to fairly Commun. Lett., vol. 17, no. 5, pp. 10521054, May 2013.
[8] X. Wu and Y. Chen, Validation of Chaos Hypothesis in NADA and
compare the proposed algorithm with [8], Friday of week five Improved DDoS Detection Algorithm, IEEE Commun. Lett., vol. 17,
is used in standard DARPA1998 data set [12]. no. 12, pp. 23962399, Dec. 2013.
[9] M. Montgomery, Douglas C and Jennings, Cheryl L and Kulahci,
Introduction to Time Series Analysis and Forecasting. John Wiley &
TABLE I Sons, 2015.
CONFUSION MATRIX [10] M. Rosenstein, J. Collins, and C. de Luca, A practical method for
calculating largest Lyapunov exponents from small data sets, Phys. D-
Number of False Negative(s) Number of True Positive(s) Nonlinear Phenom., no. 617, 1993.
3 51 [11] A. A. Ramaki, M. Amini, and R. E. Atani, RTECA: Real time episode
Number of True Negative(s) Number of True Negative(s) correlation algorithm for multi-step attack scenarios detection, Com-
805 1 puter & Security., vol. 49, pp. 206-219, 2015.
[12] https://www.ll.mit.edu/ideval/data/1998/training/week5/index.html

1089-7798 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.