LONG-MEMORY DEPENDENCE STATISTICAL MODELS FOR DDOS ATTACKS DETECTION


Image Processing & Communications, vol. 20, no. 4, pp DOI: /ipc

LONG-MEMORY DEPENDENCE STATISTICAL MODELS FOR DDOS ATTACKS DETECTION

TOMASZ ANDRYSIAK, ŁUKASZ SAGANOWSKI, MIROSŁAW MASZEWSKI, PIOTR GRAD

Institute of Telecommunications, University of Technology & Life Sciences in Bydgoszcz, ul. Kaliskiego 7, Bydgoszcz, Poland

Abstract. This article proposes a DDoS attack detection method based on modelling the variability of the examined time series by means of the conditional average and variance. Variability predictions of the analyzed network traffic are realized by estimated statistical models with long-memory dependence: ARFIMA, Adaptive ARFIMA, FIGARCH and Adaptive FIGARCH. We propose simple parameter estimation of the models with the use of the maximum likelihood function. Selection of a sparingly parameterized form of the models is realized by means of information criteria representing a compromise between brevity of representation and the extent of the prediction error. In the described method we propose using statistical relations between the forecasted and analyzed network traffic in order to detect abnormal behavior possibly being a result of a network attack. The performed experiments confirmed the effectiveness of the analyzed method and the cogency of the statistical models.

1 Introduction

Currently, DoS and DDoS attacks have become an important issue of broadly defined IT infrastructure security. Victims of the attacks are often single personal computers as well as supercomputers and vast networks. The outcomes of such activities are experienced by regular Internet users, the biggest companies dealing in new technologies that often provide mass services, and powerful governmental organizations of many countries. Despite substantial effort and funds directed at enhancing IT security procedures, at present we are not able to protect effectively against such attacks [24, 26].
Attacks such as Distributed Denial of Service (DDoS) use already known techniques of Denial of Service (DoS) realized with new technology. A DoS attack has two crucial restrictions. Firstly, it is performed from a single computer whose Internet connection bandwidth is too low compared to the bandwidth of the victim. Secondly, while performing the attack from one computer the attacker may be detected faster. Therefore, a DoS attack is often conducted on smaller servers containing WWW sites. Attacks on bigger objects, for instance a portal or DNS server, require using a more sophisticated method - DDoS, i.e. Distributed Denial of Service, which was created as a response to DoS limitations [5]. The main difference between both methods concerns the quantity factor. In DDoS an attack is performed not from a single computer, but simultaneously from numerous overtaken machines. The sole idea of a DDoS attack is therefore simple. However, what constitutes a challenge is its preparation, which sometimes lasts many months. The reason is obvious - it is necessary to take over enough computers to make the attack successful. The "more powerful" the victim's system resources are, the longer the period of preparations.

There are a number of methods for conducting a DDoS attack. Firstly, free memory space is essential for every operating system to function. Thus, successful allocation of the whole accessible memory by an attacker will, theoretically, either halt the system or significantly limit its performance. Due to such an attack the functioning of even the most potent IT systems may be disturbed or stopped. The second method involves the knowledge and use of restrictions of file systems. The third means consists in using malfunctioning network applications or the kernel or errors in the operating system configuration. It is much easier to protect against the above mentioned kind of attack by proper configuration of such a system. Most of all, it is characteristic for the DoS method, which in contrast with DDoS usually is not based on sending a great number of requests. Errors in TCP/IP stacks of different operating systems constitute an example here. In extreme cases, sending a few packets will be enough to remotely hang the server. The last method consists in creating network traffic that is too big for servers or routers to handle [12, 23]. Attacks of this kind are becoming a more and more serious problem.
According to quarterly reports published by the Prolexic company, within the last twelve months the number of DDoS attacks has risen by 22 per cent. Campaigns last longer: not 28.5 hours as previously, but 34.5 hours (a rise by 21 per cent). The average traffic generated during the attack is approximately 2 GB/s and is more or less 25 per cent greater than in. The record so far was an attack on Spamhaus, an organization dedicated to the fight against spam. In March 2013, hostile network traffic was directed towards servers of that organization with the speed of 300 GB/s. However, according to the Arbor company, most attacks (over 60 per cent) still do not exceed 1 GB/s. Nevertheless, they still constitute a serious threat [23]. Currently, DDoS attacks cause numerous problems due to the lack of effective protection mechanisms for IT systems. The only method is a quick recognition of an attack in order to reduce the possible consequences. One such means is identification of network traffic anomalies that result from a DDoS attack.

In this article we present the use of statistical estimation of ARFIMA, FIGARCH and their adaptive versions for the analyzed time series describing the given network traffic. Anomaly detection is realized on the basis of the estimated model parameters and comparative analysis of network traffic profiles.

This paper is organized as follows. After the introduction, in Section 2, an overview of DDoS attacks is presented. In Section 3 the definition of long-memory dependence and the local Whittle's estimator for a test of long-memory dependence are shown. In Section 4 different statistical models for data traffic prediction are described in detail. Then, in Section 5 the Anomaly Detection System based on estimation of ARFIMA and FIGARCH models is discussed. Experimental results and conclusion are given thereafter.

2 Overview of DDoS attacks

Currently, DoS and DDoS attacks constitute an important issue of broadly defined IT infrastructure security.
Victims of the attacks are often single personal computers as well as supercomputers and vast networks. The outcomes of such activities are experienced by regular Internet users, the biggest companies dealing in new technologies that often provide mass services, and powerful governmental organizations of many countries. Despite substantial effort and funds directed at enhancing IT security procedures, at present we are not able to protect effectively against such attacks. Attacks such as Distributed Denial of Service (DDoS) use already known techniques of Denial of Service (DoS) realized with new technology. A DoS attack has two crucial restrictions. Firstly, it is performed from a single computer whose Internet connection bandwidth is too low compared to the bandwidth of the victim. Secondly, while performing the attack from one computer the attacker may be detected faster. Therefore, a DoS attack is often conducted on smaller servers containing WWW sites. Attacks on bigger objects, for instance a portal or DNS server, require using a more sophisticated method - DDoS, i.e. Distributed Denial of Service, which was created as a response to DoS limitations. The main difference between both methods concerns the quantity factor. In DDoS an attack is performed not from a single computer, but simultaneously from numerous overtaken machines. The sole idea of a DDoS attack is therefore simple. However, what constitutes a challenge is its preparation, which sometimes lasts many months. The reason is obvious - it is necessary to take over enough computers to make the attack successful. The "more powerful" the victim's system resources are, the longer the period of preparations [20, 28].

Why are DDoS attacks so dangerous? Most of all, they are difficult to detect due to the fact that their source is greatly distributed. What is worse, the hosts' administrators most often do not realize that they are actively participating in the attacks.
The statistics are appalling - a survey carried out by the University of California, San Diego, indicates that approximately fifteen thousand DDoS attacks are performed monthly.

There are a number of methods for conducting a DDoS attack. Firstly, free memory space is essential for every operating system. In case the whole available memory is allocated by the attacker, there is a theoretical possibility that the system will discontinue operating or its efficiency will substantially decrease. This kind of attack may hinder the functioning of the best IT systems. The second method depends on the use of limitations of file systems. The third means consists in using malfunctioning network applications or the kernel or errors in the operating system configuration. It is much easier to protect against the above mentioned kind of attack by proper configuration of such a system [23, 29]. Most of all, it is characteristic for the DoS method, which in contrast with DDoS usually is not based on sending a great number of requests. Errors in TCP/IP stacks of different operating systems constitute an example here. In extreme cases sending a few packets will be enough to remotely hang the server. The last method involves creating network traffic big enough that servers or routers are unable to handle it [25, 2]. Attacks of this kind are becoming a more and more serious problem.

According to quarterly reports published by the Prolexic company, within the last twelve months the number of DDoS attacks has risen by 22 per cent. Campaigns last longer - not 28.5 hours as previously, but 34.5 hours (a rise by 21 per cent). The average traffic generated during the attack is approximately 2 GB/s and is more or less 25 per cent greater than in. The record so far was an attack on Spamhaus, an organization dedicated to the fight against spam. In March 2013, hostile network traffic was directed towards servers of that organization with the speed of 300 GB/s.
However, according to the Arbor company, most attacks (over 60 per cent) still do not exceed 1 GB/s. Nevertheless, they still constitute a serious threat [21]. The reason for IT systems being so vulnerable to DDoS attacks is the lack of successful protection measures. The only possibility lies in rapid recognition of an attack and consequently easing its results. An example of such a method is identification of network traffic anomalies which are outcomes of DDoS attacks [11, 10].

3 Long-Memory in Time Series

The long memory property, otherwise called the attribute of long-term dependence, is reflected in a time series composed of observations autocorrelated with high order. Autocorrelation of high order implies that observations are dependent regardless of the distance between them. The long memory property was introduced by Hurst [21]. The most significant features of time series are characterized by the autocorrelation function (ACF) and the partial autocorrelation function (PACF). When the long memory feature is present, the autocorrelation function falls slowly, at a hyperbolic pace [11]. Time series with the attribute of long memory are characterized by low frequency disintegration in their spectral domain. Short memory of time series, on the other hand, implies that observations separated even by a short period are not correlated. Such a property is called autocorrelation of low order. The above described time series are not difficult to recognize because they behave distinctly in different domains, i.e. in the ACF time domain they quickly disappear, and in the spectral domain they present high frequency disintegrations [10].

3.1 Definition of Long-Memory Dependence

The long memory question, otherwise known as the feature of long-memory dependence, manifests itself in the existence of high-order autocorrelation between the specified elements constituting the time series. In case there is a long-memory feature, the autocorrelation function ACF falls at a hyperbolic rate, and the series in its spectral domain has a low frequency distribution [8]. Time series with the property of short memory, though, present low order autocorrelations (the ACF disappears rapidly) and high frequency distributions in the spectral domain.
Thus, a stochastic process $X$ is described as having a long memory property with parameter $d$ when its spectral density function $f_x(\lambda)$ satisfies the condition

$$f_x(\lambda) \sim \lambda^{-2d}. \tag{1}$$

If the long-memory parameter (fractional integration) $d$ is positive, then the above condition is equivalent to hyperbolic disappearance of the autocorrelation function $\rho_k$ (Granger and Joyeux [17], Hosking [19], Beran [8]), so consequently

$$\rho_k \sim c_\rho k^{2d-1}, \tag{2}$$

where $k \to +\infty$ and the constant $c_\rho > 0$. The process is presented by means of parameter $d$. When $d > 0$, the spectral density is infinite in the neighbourhood of zero, and the process has the long memory property. Short memory, on the other hand, appears when $d < 0$ and the spectral density is finite in zero. In case $d < 0$, the process is referred to as antipersistent due to negative memory and its spectral density function $f_x(\lambda) =$

3.2 Whittle's Estimator

In the literature, numerous methods of estimating the long-memory parameter $d$ can be found. The methods can be divided into two substantial groups: parametric and semiparametric. Parametric estimators most often utilize maximum likelihood estimation (MLE). Semiparametric estimators, however, use the information included in the periodogram computed exclusively for very low frequencies. As a result, they become robust in terms of short period disturbances reflected in realizations of the examined process [8]. In order to estimate the parameter $d$, in our studies we used the semiparametric method proposed by Robinson [29], the so called local Whittle's method. The value of the estimator of parameter $d$ is calculated on the basis of the periodogram for the $m$ lowest frequencies describing the long-term behaviour of the process. In the one-dimensional case, the Whittle's local estimator is defined as an argument maximizing the following likelihood function

$$Q(g, d) = \frac{1}{m} \sum_{j=1}^{m} \left[ \ln\left(g \lambda_j^{-2d}\right) + \frac{I(\lambda_j)}{g \lambda_j^{-2d}} \right], \tag{3}$$

where $\lambda_j = 2\pi j / T$ for $j = 1, 2, \ldots, m$ are frequencies, and $I(\lambda) = \frac{1}{2\pi T} \left| \sum_{t=1}^{T} x_t e^{it\lambda} \right|^2$ is the periodogram calculated from the sample $x_1, x_2, \ldots, x_T$. An adequate choice of parameter $m$ releases the estimator of $d$ from the influence of short-term disturbances of the examined process $X$. The properties shown for the estimator of $d$, consistency and asymptotic normality, are the same as in the case of the GPH estimator [16]. Nevertheless, Whittle's estimator is more efficient, since asymptotically it presents lower variance

$$\hat{d} \sim N\left(d, \frac{1}{4m}\right). \tag{4}$$

4 Network Traffic Prediction Based on Models with Long-Memory

Combining autoregression and a moving average with fractional differencing yields the ARFIMA model (Fractional Differenced Noise and Auto Regressive Moving Average). It is a combination of ARMA and ARIMA models, and was introduced by Granger, Joyeux and Hosking [17, 19]. A different method of defining time series is the ARCH model (Autoregressive Conditional Heteroskedastic Model), introduced by Engle [14], which makes the process's conditional variance reliant on the previous values. Baillie, Bollerslev and Mikkelsen [6] further developed the above model into FIGARCH (Fractionally Integrated GARCH). The autocorrelation function of the squared residuals of the model falls hyperbolically. Thus, the decrease of the autocorrelation function is quicker for small time series than in the exponential case. Consequently, the autocorrelation function falls very slowly for high series. As a result of the mentioned features, owing to the autocorrelation function of the squared residuals of the model, FIGARCH is a long memory model [30].
4.1 The ARFIMA model

The $ARFIMA(p, d, q)$ model was proposed by Granger and Joyeux [17] and Hosking [19] (1981) in order to analyze the long-memory property. For a time series $y_t$ the ARFIMA model is written as:

$$\Phi(L)(1 - L)^d y_t = \Theta(L)\varepsilon_t, \quad t = 1, 2, \ldots, T, \tag{5}$$

where $y_t$ is the time series, $\varepsilon_t \sim (0, \sigma^2)$ is white noise with variance $\sigma^2$,

$$\Phi(L) = 1 - \phi_1 L - \phi_2 L^2 - \ldots - \phi_p L^p \tag{6}$$

is the autoregressive polynomial and

$$\Theta(L) = 1 + \theta_1 L + \theta_2 L^2 + \ldots + \theta_q L^q, \tag{7}$$

where $L$ and $(1 - L)^d$ are the shift operator (backward) and the fractional differencing operator respectively. The binomial expansion is presented as follows:

$$(1 - L)^d = \sum_{k=0}^{\infty} \binom{d}{k} (-1)^k L^k \tag{8}$$

and

$$\binom{d}{k} (-1)^k = \frac{\Gamma(d + 1)(-1)^k}{\Gamma(d - k + 1)\Gamma(k + 1)} = \frac{\Gamma(-d + k)}{\Gamma(-d)\Gamma(k + 1)}, \tag{9}$$

where $\Gamma(\cdot)$ denotes the gamma function, $d$ is the number of necessary differences to give a stationary series, and $(1 - L)^d$ is the $d$-th power of the differencing operator. The $ARFIMA(p, d, q)$ process is stationary when $d \in (-0.5, 0.5)$, while if $d \in (0, 0.5)$ the process reflects the long memory property. Taking the appropriate $k$ differences, one can bring many non-stationary processes to stationary processes satisfying the condition (1), thereby extending the concept of long memory onto the nonstationary processes [15].

4.2 The Adaptive ARFIMA model

Gallant (1984) introduced a new long memory volatility process known as Adaptive ARFIMA, or A-ARFIMA. The model is basically a regression with the conditional mean equation specified as a finite sum of harmonics, with a stationary long memory process disturbance, which is modeled as $ARFIMA(p, d, q)$. Hence, the observable variable $y_t$ is specified as

$$y_t = \omega_t + u_t, \tag{10}$$

where the conditional mean is a trigonometric expansion of order $k$,

$$\omega_t = \omega_0 + \sum_{j=1}^{k} \left[ \gamma_j \sin\left(\frac{2\pi j t}{T}\right) + \delta_j \cos\left(\frac{2\pi j t}{T}\right) \right] \tag{11}$$

and the disturbance process is the $ARFIMA(p, d, q)$ process

$$\Phi(L)(1 - L)^d u_t = \Theta(L)\varepsilon_t. \tag{12}$$

Therefore, the Adaptive ARFIMA is based on a regular ARFIMA model with a time dependent intercept $\omega_t$, which is represented by a linear combination of harmonic terms [7].

4.3 The FIGARCH model

The model enabling description of long memory in variance series is known as $FIGARCH(p, d, q)$ (Fractionally Integrated GARCH), and was proposed in 1996 by Baillie, Bollerslev and Mikkelsen [6]. The $FIGARCH(p, d, q)$ model for a time series $y_t$ can be written as:

$$y_t = \mu + \epsilon_t, \quad t = 1, 2, \ldots, \Omega, \tag{13}$$

$$\epsilon_t = z_t \sqrt{h_t}, \quad \epsilon_t \mid \Theta_{t-1} \sim N(0, h_t), \tag{14}$$

$$h_t = \alpha_0 + \beta(L) h_t + \left[ 1 - \beta(L) - [1 - \phi(L)](1 - L)^d \right] \epsilon_t^2, \tag{15}$$

where $z_t$ is a zero-mean, unit variance process, $h_t = E\left(\epsilon_t^2 \mid \Theta_{t-1}\right)$ is the positive, time dependent conditional variance, and $\Theta_{t-1}$ is the information set up to time $t - 1$. When applied to the squared innovations (18), the $FIGARCH(p, d, q)$ model of the conditional variance can be motivated as ARFIMA

$$\varphi(L)(1 - L)^d \epsilon_t^2 = \alpha_0 + (1 - \beta(L))\vartheta_t, \quad \vartheta_t = \epsilon_t^2 - h_t, \tag{16}$$

where $\varphi(L) = \varphi_1 L - \varphi_2 L^2 - \ldots - \varphi_p L^p$ and $\beta(L) = \beta_1 L + \beta_2 L^2 + \ldots + \beta_q L^q$ and $(1 - \beta(L))$ have all their roots outside the unit circle, $L$ is the lag operator and $d$ is the fractional integration parameter ($0 < d < 1$) [4].
As far as the values of parameters are concerned, it must be noticed that when $d = 0$ the FIGARCH model reduces to GARCH; however, when $d = 1$ it changes into the IGARCH model. Nevertheless, FIGARCH does not always turn into the GARCH model. The listed processes differ in terms of the influence of current variance on the forecasted values, as follows: for GARCH (when it is stationary in the broader sense) it falls to zero at an exponential rate; for IGARCH it has an indefinite impact on conditional variance; and for FIGARCH it decreases to zero hyperbolically [4, 30], i.e. more slowly than in GARCH.

4.4 The Adaptive FIGARCH model

Baillie and Morana (2009) introduced a new long memory volatility process known as Adaptive FIGARCH, or A-FIGARCH [7]. This model is designed to account for both long memory and structural changes in the volatility processes of time series. Hence, the A-FIGARCH has a stochastic long memory component and a deterministic break process component. The A-FIGARCH(p,d,q,k) process can be derived from the FIGARCH(p,d,q) process by allowing the intercept in the conditional variance equation to be time varying. The conditional variance equation is given by

$$(1 - \beta(L))(h_t - \omega_t) = \left[ 1 - \beta(L) - \varphi(L)(1 - L)^d \right] \varepsilon_t^2, \tag{17}$$

$$\omega_t = \omega_0 + \sum_{j=1}^{k} \left[ \gamma_j \sin\left(\frac{2\pi j t}{T}\right) + \delta_j \cos\left(\frac{2\pi j t}{T}\right) \right]. \tag{18}$$

This model has components with a long memory effect and a time-varying intercept. It allows for breaks, cycles and changes in drift. Even though $\omega_t$ is smooth, it is capable of approximating abrupt regime switching [30].

5 Parameters estimation of statistical model

In the process of searching for an optimal prognostic model our target is not to utilize the greatest possible number of parameters which would perfectly describe the variability of the tested time series. Obviously, fitting the analyzed series too closely may capture not only the signal, but also any accidental noise. Therefore, the aim of the research is finding such a model which, with the use of a limited number of statistically important parameters, will describe essential features of the examined time series reflecting the analyzed network traffic [13]. The universally applied methods of parameter estimation of the described models are MLE (Maximum Likelihood Estimation) or QMLE (Quasi-Maximum Likelihood Estimation). This results from the fact that both methods are relatively simple. What seems to be the problematic issue of this method is the necessity to specify the whole model, and in consequence, the vulnerability of the achieved estimator to possible errors in the description of the polynomials responsible for the process's dynamics.
With very complex model specifications, parameter estimation may be difficult and time-consuming. A separate issue is establishing the length of the series used for parameter estimation. If the model structure is stable then the best solution is to use the longest series we have at our disposal. In case of lack of stability of the model structure (e.g. variability of parameters in time) it is more advisable to use shorter series. The results of empirical studies are diverse and do not point a priori to either of the above mentioned approaches [8, 11]. A universal criterion for choosing the model does not exist. Usually, the more complex the model is, the greater is the value of the likelihood function. Therefore, a compromise is sought between the number of the model's parameters and the likelihood function values. The choice of an economical model is often made upon such information criteria as Akaike's or Schwarz's. In our research, for parameter estimation and the choice of the form of the model we used the MLE or QMLE method and information criteria. This selection was made with regard to their comparative simplicity of solution and computing capability [18, 22, 30].

6 Experiments and results

For the purpose of experimental results we used traffic from the network configuration formerly presented in [24]. We utilized the same subset of network traffic features (see Tab. 6). Moreover, it includes the SNORT IDS with an anomaly detection preprocessor [3]. SNORT serves as a sensor that gathers the traffic features. In order to test the possible application of the suggested anomaly detection models we simulated real attacks by means of the Kali Linux distribution [1], since it includes various tools enabling conducting an attack on any layer of the TCP/IP stack. The imitated attacks belong to the following groups: application-specific DDoS, various port scanning, SYN flooding, DDoS, packet fragmentation, DoS, spoofing, reverse shell, and others.

Tab. 1: Network traffic features used for experiments

Traffic feature   Traffic feature description
f1                number of TCP packets
f2                in TCP packets
f3                out TCP packets
f4                number of TCP packets in LAN
f5                number of UDP datagrams
f6                number of UDP datagrams in LAN
f7                number of ICMP packets
f8                out ICMP packets
f9                number of ICMP packets in LAN
f10               number of TCP packets with SYN and ACK flags
f11               out TCP packets (port 80)
f12               in TCP packets (port 80)

Network traffic is presented by means of a time series with regard to a particular traffic feature. To calculate the models discussed in subsections it is necessary to inspect if the time series have long memory features. The Whittle's long-memory test (see subsection 3.2) was utilized for the chosen network traffic feature (see Tab. 2). The outcomes of the parameter d calculations prove that it is possible to use models with the long memory property to describe the network traffic behavior. In order to detect anomalies we compared parameters calculated for model traffic deprived of anomalies (it was assumed that there were no anomalies in the network traffic during model parameter calculation). To detect suspicious occurrences in the traffic with models based on ARFIMA we calculated a prediction interval (30 samples horizon). Tab. 3 and 4 present a comparison of DR and FP obtained for ARFIMA, FIGARCH and their adaptive equivalents. The best outcomes, as regards DR and FP, were achieved for ARFIMA. DR and FP values are related to the given traffic properties.

Tab. 2: Whittle's Estimator of the long-memory parameter d for time series representing network traffic (columns: Feature; Bandwidth $m = T^{0.4}$, $m = T^{0.5}$, $m = T^{0.65}$; rows: f1 to f12).

Tab. 3: Detection Rate DR [%] for given network traffic features (columns: Traffic Feature, ARFIMA, A-ARFIMA, FIGARCH, A-FIGARCH; rows: f1 to f12).

Tab. 4: False Positive FP [%] for given network traffic features (columns: Traffic Feature, ARFIMA, A-ARFIMA, FIGARCH, A-FIGARCH; rows: f1 to f12).

Conclusion

Cybersecurity of information systems is currently a key research area. The growing number of DDoS attacks, their expanding reach and complexity stimulate the rapid advancement of network defensive systems. The techniques of statistical anomaly detection are recently the most commonly used for monitoring as well as detecting the attacks. This article presents statistical long memory models such as ARFIMA, FIGARCH and their adaptive versions. The mentioned models were utilized for estimation of the analyzed network traffic behavior. Another subject of research was the concept of time series, which reflect the parameters of the network traffic. Owing to the use of the local Whittle's estimator (a statistical test), it was established that the time series evince the long-memory effect. Estimation of parameters and identification of the order of the models are performed as a compromise between the coherence of the model and the size of its estimation error. Due to the use of the discussed models we achieved satisfying statistical estimations for the analyzed network traffic signals. The process of detecting anomalies (attacks) consists in comparison of estimated behavior parameters with real network traffic factors. The obtained results clearly indicate that the anomalies found in the network traffic signals can be identified by the suggested methods.

References

[1] -, (2015). Kali Linux, (last access: Dec. 2015)
[2] -, (2015). Prolexic Quarterly Global DDoS Attack Report 20Documents/Prolexic%20Quarterly%20Global% 20DDoS%20Attack%20Report.pdf (last access: Dec. 2015)
[3] -, (2015). SNORT - Intrusion Detection System, (last access: Dec. 2015)
[4] Andersen, T.G., Bollerslev, T. (1998). ARCH and GARCH models. Encyclopedia of Statistical Sciences
[5] Axelsson, S. (2000). Intrusion detection systems: A survey and taxonomy (Vol. 99). Chalmers University of Technology, Goteborg, Sweden: Technical report
[6] Baillie, R.T., Bollerslev, T., Mikkelsen, H. (1996). Fractionally Integrated Generalized Autoregressive Conditional Heteroscedasticity, Journal of Econometrics, 74(1), 3-30
[7] Baillie, R.T., Morana, C. (2009). Modelling long memory and structural breaks in conditional variances: An adaptive FIGARCH approach. Journal of Economic Dynamics and Control, 33(8),
[8] Beran, J. (1994). Statistics for long-memory processes (Vol. 61). CRC press
[9] Bollerslev, T. (1986). Generalized Autoregressive Conditional Heteroscedasticity, Journal of Econometrics, 31(3),
[10] Box, G.E., Jenkins, G.M., Reinsel, G.C., Ljung, G.M. (2015). Time series analysis: forecasting and control. John Wiley & Sons
[11] Brockwell, P.J., Davis, R.A. (2006). Introduction to time series and forecasting. Springer Science & Business Media
[12] Chandola, V., Banerjee, A., Kumar, V. (2009). Anomaly detection: A survey. ACM computing surveys (CSUR), 41(3), 15
[13] Crato, N., Ray, B.K. (1996). Model selection and forecasting for long-range dependent processes. Journal of Forecasting, 15(2),
[14] Engle, R. (1982). Autoregressive conditional heteroscedasticity with estimates of the variance of UK inflation. Econometrica, 50,
[15] Gabriel, V.J., Martins, L.F. (2004). On the forecasting ability of ARFIMA models when infrequent breaks occur. Econometrics Journal, 7(2),
[16] Geweke, J., Porter-Hudak, S. (1983). The estimation and application of long memory time series models. Journal of time series analysis, 4(4),
[17] Granger, C.W., Joyeux, R. (1980). An introduction to long-memory time series models and fractional differencing. Journal of time series analysis, 1(1),
[18] Haslett, J., Raftery, A.E. (1989). Space-time modelling with long-memory dependence: assessing Ireland's wind power resource. Applied Statistics, 38(1), 1-50
[19] Hosking, J.R. (1981). Fractional differencing. Biometrika, 68(1),
[20] Hu, L., Bi, X. (2011, March). Research of DDoS attack mechanism and its defense frame. In rd International Conference on Computer Research and Development
[21] Hurst, H. (1951). The long-term storage capacity of reservoirs. Transactions of American Society Civil Engineer
[22] Hyndman, R.J., Khandakar, Y. (2008). Automatic time series forecasting: the forecast Package for R. Journal of Statistical Software, 27(3), 1-22
[23] Jackson, K.A. (1999). Intrusion detection system (IDS) product survey. Los Alamos National Laboratory, Los Alamos, NM, LA-UR Ver, 2,
[24] Kayacik, H.G., Zincir-Heywood, A.N., Heywood, M.I. (2005, October). Selecting features for intrusion detection: A feature relevance analysis on KDD 99 intrusion detection datasets. In Proceedings of the third annual conference on privacy, security and trust
[25] Kumarasamy, S. (2009). An effective defence mechanism for Distributed Denial-of-Service (DDoS) attacks using router-based techniques. International Journal of Critical Infrastructures, 6(1),
[26] Lakhina, A., Crovella, M., Diot, C. (2004, October). Characterization of network-wide anomalies in traffic flows. In Proceedings of the 4th ACM SIGCOMM conference on Internet measurement (pp ). ACM
[27] Lee, W., Stolfo, S.J. (2000). A framework for constructing features and models for intrusion detection systems. ACM transactions on Information and system security (TISSEC), 3(4),
[28] Mirković, J., Prier, G., Reiher, P. (2002, November). Attacking DDoS at the source. In Network Protocols, Proceedings. 10th IEEE International Conference on (pp ). IEEE
[29] Robinson, P.M. (1995). Log-periodogram regression of time series with long range dependence. The annals of Statistics,
[30] Tayefi, M., Ramanathan, T.V. (2012), An Overview of FIGARCH and Related Time Series Models, Austrian Journal of Statistics, 41(3),
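
The following is an added example, not code from the paper: it carries the local Whittle estimate of Section 3.2, the binomial weights of (8)-(9) and the 30-sample prediction-interval check of Section 6 through for the simplest long-memory model, ARFIMA(0, d, 0). The traffic series, the injected flood, the grid search over d, the bandwidth m = T^0.65, the 3-sigma bound and all function names are assumptions of this sketch; with Q written as in (3), the estimate is taken where Q is smallest.

```python
import cmath
import math
import random


def frac_weights(d, n):
    """First n coefficients of (1 - L)^d, from the binomial expansion (8)-(9)."""
    w = [1.0]
    for k in range(1, n):
        w.append(w[-1] * (k - 1 - d) / k)
    return w


def simulate(d, n, mu, sigma, rng, burn=500):
    """Constructed sample data: mu + (1 - L)^(-d) eps_t, expansion cut at `burn` terms."""
    psi = frac_weights(-d, burn)
    eps = [rng.gauss(0.0, sigma) for _ in range(n + burn)]
    return [mu + sum(p * eps[t + burn - k] for k, p in enumerate(psi)) for t in range(n)]


def local_whittle(x, m):
    """Estimate d from the m lowest Fourier frequencies by minimising Q(g, d) of (3)."""
    T = len(x)
    mean = sum(x) / T
    lam = [2 * math.pi * j / T for j in range(1, m + 1)]
    # Periodogram I(lambda_j) = |sum_t x_t e^{i t lambda_j}|^2 / (2 pi T)
    per = [abs(sum((v - mean) * cmath.exp(1j * l * t) for t, v in enumerate(x, 1))) ** 2
           / (2 * math.pi * T) for l in lam]
    log_lam = [math.log(l) for l in lam]
    mean_log = sum(log_lam) / m

    def profile(d):
        # g replaced by its optimum g(d) = mean(lambda_j^{2d} I_j); constants dropped
        g = sum(math.exp(2 * d * ll) * i for ll, i in zip(log_lam, per)) / m
        return math.log(g) - 2 * d * mean_log

    grid = [-0.49 + 0.002 * i for i in range(741)]   # d from -0.49 to 0.99
    return min(grid, key=profile)


def forecast_bounds(history, d, horizon, z=3.0, lags=300):
    """Multi-step ARFIMA(0, d, 0) forecasts with +/- z sigma prediction bounds."""
    mu = sum(history) / len(history)
    u = [v - mu for v in history]
    pi = frac_weights(d, lags + 1)               # AR form: sum_k pi_k u_{t-k} = eps_t
    resid = [sum(pi[k] * u[t - k] for k in range(lags + 1)) for t in range(lags, len(u))]
    sigma2 = sum(r * r for r in resid) / len(resid)
    psi = frac_weights(-d, horizon)              # MA weights give the forecast error variance
    bounds, var = [], 0.0
    for h in range(horizon):
        pred = -sum(pi[k] * u[-k] for k in range(1, lags + 1))
        u.append(pred)                           # later steps reuse earlier forecasts
        var += sigma2 * psi[h] ** 2
        half = z * math.sqrt(var)
        bounds.append((mu + pred - half, mu + pred + half))
    return bounds


def detect(history, observed, d, z=3.0):
    """Indices of observed samples that fall outside the prediction interval."""
    bounds = forecast_bounds(history, d, len(observed), z)
    return [i for i, (v, (lo, hi)) in enumerate(zip(observed, bounds)) if not lo <= v <= hi]


def demo(seed=7):
    rng = random.Random(seed)
    # Constructed per-interval packet counts: anomaly-free baseline + 30-sample window
    series = simulate(0.3, 2048 + 30, mu=1000.0, sigma=50.0, rng=rng)
    train, window = series[:2048], series[2048:]
    d_hat = local_whittle(train, int(len(train) ** 0.65))
    # Constructed anomaly: a flood adds 600 packets per interval to samples 10..19
    attacked = [v + 600.0 if 10 <= i < 20 else v for i, v in enumerate(window)]
    return d_hat, detect(train, window, d_hat), detect(train, attacked, d_hat)


if __name__ == "__main__":
    d_hat, clean_flags, attack_flags = demo()
    print("d_hat =", round(d_hat, 3), "clean:", clean_flags, "attack:", attack_flags)
```

The bounds widen with the horizon because the forecast error variance accumulates the squared weights of $(1 - L)^{-d}$, so a flood late in the window has to exceed a larger margin than one at its start.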


More information

Hybrid Self Adaptive Learning Scheme for Simple and Multiple Drift-like Fault Diagnosis in Wind Turbine Pitch Sensors

Hybrid Self Adaptive Learning Scheme for Simple and Multiple Drift-like Fault Diagnosis in Wind Turbine Pitch Sensors Hybrid Self Adaptive Learning Scheme for Simple and Multiple Drift-like Fault Diagnosis in Wind Turbine Pitch Sensors Houari Toubakh and Moamar Sayed-Mouchaweh IMT Lille Douai, Univ. Lille, Unite de Recherche

More information

Scientific Computing: An Introductory Survey

Scientific Computing: An Introductory Survey Scientific Computing: An Introductory Survey Chapter 13 Random Numbers and Stochastic Simulation Prof. Michael T. Heath Department of Computer Science University of Illinois at Urbana-Champaign Copyright

More information

Intrusion Detection System

Intrusion Detection System Intrusion Detection System Marmagna Desai March 12, 2004 Abstract This report is meant to understand the need, architecture and approaches adopted for building Intrusion Detection System. In recent years

More information

Model Based Symbolic Description for Big Data Analysis

Model Based Symbolic Description for Big Data Analysis Model Based Symbolic Description for Big Data Analysis 1 Model Based Symbolic Description for Big Data Analysis *Carlo Drago, **Carlo Lauro and **Germana Scepi *University of Rome Niccolo Cusano, **University

More information

Application of Characteristic Function Method in Target Detection

Application of Characteristic Function Method in Target Detection Application of Characteristic Function Method in Target Detection Mohammad H Marhaban and Josef Kittler Centre for Vision, Speech and Signal Processing University of Surrey Surrey, GU2 7XH, UK eep5mm@ee.surrey.ac.uk

More information

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile Business devices and Continuity data collection. & Cybersecurity Anna Chan, Marketing Director,

More information

DDoS Attacks Detection Using GA based Optimized Traffic Matrix

DDoS Attacks Detection Using GA based Optimized Traffic Matrix 2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing DDoS Attacks Detection Using GA based Optimized Traffic Matrix Je Hak Lee yitsup2u@gmail.com Dong

More information