Statistical Techniques for Detecting Traffic Anomalies through Packet Header Data

ABSTRACT

In this paper we detect traffic anomalies by monitoring packet header data. Attacks such as denial of service have driven the development of techniques for characterizing network traffic. With an efficient analysis tool at the source network, anomalous traffic can be caught before the target is attacked. We analyze network traffic using the correlation of destination IP addresses observed at the egress router. The address correlation data are transformed using the discrete wavelet transform to detect traffic anomalies. Results from trace-driven evaluation suggest that the proposed approach could provide an effective means of detecting anomalies close to the source. We also present a multidimensional indicator using the correlation of port numbers and the number of flows as a means of detecting anomalies.

EXISTING SYSTEM:

There is no established existing system that detects anomalous traffic before it leaves the source network. We therefore develop a statistical analysis of packet header data for detecting traffic anomalies.

PROPOSED SYSTEM:

In this project we detect anomalies using the following three components.

  • Traffic analysis at the source
  • General mechanism of the detector
  • Trace-driven evaluation

Traffic Analysis at the Source:

We focus on analyzing the traffic at an egress router. Monitoring traffic at a source network enables early detection of attacks, helps control hijacking of AD (administrative domain, e.g., campus) machines, and limits the squandering of resources. There are two kinds of filtering, distinguished by the point at which traffic is controlled (as shown in the figure). Ingress filtering protects the flow of traffic entering an internal network under administrative control; it is typically performed through firewall or IDS rules that control inbound traffic originating from the public Internet. Egress filtering, on the other hand, controls the flow of traffic leaving the administered network, so from the point of view of an egress filter the internal machines are the origin of the traffic. The filtering is therefore performed at the campus edge. Outbound filtering has been advocated for limiting the possibility of address spoofing, i.e., to make sure that source addresses correspond to the designated addresses of the campus. With such filtering in place, the source addresses of outgoing traffic are already constrained, so we can focus on the destination addresses and port numbers of the outgoing traffic for analysis purposes.

General mechanism of the detector:

The first step is a traffic parser, which generates the correlation signal from packet header traces or NetFlow records given as input. Fields in the packet header, such as destination addresses and port numbers, and the traffic volume, depending on the nature of the traffic, can be used as a signal. The second step transforms the signal using the discrete wavelet transform (DWT).

Analyzing discrete domains such as address spaces and port numbers poses interesting problems for wavelet analysis, since the raw values have no meaningful numeric order. We therefore employ the correlation of consecutive samples in each domain to generate a suitable signal for analysis. Finally, the attack or anomaly is identified by setting a threshold: the transformed signal is compared against historical data, and anomalies are detected by statistical analysis of the deviation from that baseline. We report on our results employing the correlation of destination addresses, the correlation of port numbers, and the distribution of the number of flows as monitored traffic signals.
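The three steps above (parse header records into a correlation signal, apply the DWT, threshold the high-frequency component against a historical baseline) in one runnable toy, added here as an illustration and not the paper's own code. Its assumptions: the "correlation signal" is the cosine similarity between the destination-address histograms of consecutive sampling intervals (a simplified stand-in for the address-correlation signal described above); a single level of the Haar wavelet supplies the detail (high-frequency) coefficients; the threshold is mean plus k standard deviations of the detail coefficients over an initial attack-free window, standing in for the historical data. The trace is constructed inline: 17 one-second intervals of traffic to five stable destinations, with interval 12 additionally spraying one packet each to 60 previously unseen addresses, as a scan or worm would.

```python
"""Toy destination-address-correlation anomaly detector with a Haar DWT stage.

Added illustration, not the paper's code.  Assumptions are labelled inline.
"""
import math
from collections import Counter

INTERVAL = 1.0        # seconds per sampling bin
ATTACK_INTERVAL = 12  # bin in which the constructed trace contains a scan


def build_trace():
    """Constructed synthetic trace (not real data), one 'ts dst_ip dst_port bytes'
    record per packet.  Normal bins: five stable destinations with slowly
    varying counts.  Bin ATTACK_INTERVAL also hits 60 fresh TEST-NET addresses."""
    stable = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]
    base = [10, 8, 6, 4, 2]
    lines = []
    for t in range(17):
        for dst, n in zip(stable, base):
            lines.extend(f"{t}.5 {dst} 443 1200" for _ in range(n + t % 3))
        if t == ATTACK_INTERVAL:
            lines.extend(f"{t}.5 192.0.2.{i} 445 60" for i in range(60))
    return lines


def parse_records(lines):
    """Traffic parser: text records -> (ts, dst, port, bytes) tuples."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, dst, port, nbytes = line.split()
        records.append((float(ts), dst, int(port), int(nbytes)))
    return records


def bin_histograms(records, interval=INTERVAL):
    """Per-interval histogram: packets per destination address."""
    start = min(r[0] for r in records)
    nbins = int((max(r[0] for r in records) - start) // interval) + 1
    hists = [Counter() for _ in range(nbins)]
    for ts, dst, _port, _nbytes in records:
        hists[int((ts - start) // interval)][dst] += 1
    return hists


def address_correlation(hists):
    """Correlation signal (assumed form): cosine similarity of consecutive
    histograms.  A stable destination set gives values near 1; a burst to
    addresses unseen in the previous interval pulls the value down."""
    signal = []
    for prev, cur in zip(hists, hists[1:]):
        dot = sum(cur[a] * prev[a] for a in cur)
        norm = (math.sqrt(sum(v * v for v in prev.values()))
                * math.sqrt(sum(v * v for v in cur.values())))
        signal.append(dot / norm if norm else 0.0)
    return signal


def haar_dwt(signal):
    """One-level Haar DWT -> (approximation, detail) coefficients.
    Odd-length input is padded by repeating its last sample."""
    s = list(signal) + ([signal[-1]] if len(signal) % 2 else [])
    approx = [(a + b) / math.sqrt(2) for a, b in zip(s[::2], s[1::2])]
    detail = [(a - b) / math.sqrt(2) for a, b in zip(s[::2], s[1::2])]
    return approx, detail


def detect(detail, baseline_len, k=3.0):
    """Indices of detail coefficients more than k standard deviations from the
    mean of the first `baseline_len` coefficients (the 'historical' window)."""
    base = detail[:baseline_len]
    mu = sum(base) / len(base)
    sd = max(math.sqrt(sum((x - mu) ** 2 for x in base) / len(base)), 1e-12)
    return [i for i, x in enumerate(detail) if abs(x - mu) > k * sd]


def flagged_intervals(detail_indices):
    """Detail coefficient i covers signal samples 2i and 2i+1, i.e. bins 2i..2i+2."""
    bins = set()
    for i in detail_indices:
        bins.update(range(2 * i, 2 * i + 3))
    return sorted(bins)


def run(lines=None, baseline_len=4, k=3.0):
    """Full pipeline: parse -> bin -> correlate -> DWT -> threshold."""
    lines = build_trace() if lines is None else lines
    hists = bin_histograms(parse_records(lines))
    signal = address_correlation(hists)
    _approx, detail = haar_dwt(signal)
    hits = detect(detail, baseline_len, k)
    return {"signal": signal, "detail": detail, "hits": hits,
            "intervals": flagged_intervals(hits)}


if __name__ == "__main__":
    result = run()
    print("correlation signal:", [round(x, 4) for x in result["signal"]])
    print("detail coefficients:", [round(x, 4) for x in result["detail"]])
    print("flagged detail coefficients:", result["hits"])
    print("suspect intervals:", result["intervals"])
```

Running it flags the two detail coefficients straddling interval 12 while the ordinary period-3 variation of the normal bins stays well inside the threshold, which is the point of looking at the high-frequency component: slow drift in the destination set lands in the approximation coefficients and does not trip the detector. Two practical caveats a deployment would need and this toy omits: the baseline window must itself be known attack-free, and a scan that spreads a small number of packets over many intervals (rather than bursting in one) depresses the correlation only slightly per bin, so the port-number and flow-count indicators mentioned above are the more sensitive signals for that case.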

Trace-driven evaluation:

To verify the validity of our approach, we run our algorithm on four sets of network traffic traces. First, we examine our method on traces from the University of Southern California that contain real network attacks. Second, to inspect the performance of our detector on backbone links, we examine the mechanism on KREONet2 traces, which cover over 230 organizations from July 21, 2003, to July 28, 2003, and contain real worm attacks. In the trace employed there were three major attacks and a few instantaneous probe attacks, identified in advance by various forensic traffic analyses. Third, to compare our method with Snort, we use a live network at Texas A&M University. Fourth, to evaluate the sensitivity of our detector's performance to attacks of various configurations, we employ attack-free traces from the NLANR (National Laboratory for Applied Network Research), onto which simulated attacks are later superimposed.
