# Anomaly Detection in IoT Communication Network Based on Spectral Analysis and Hurst Exponent

^{*}

## Abstract

**:**

## 1. Introduction

## 2. Literature Review

## 3. Self-Similarity and Multifractal Spectrum Dependences

#### 3.1. Self-Similarity Statistical Factor

- $X$ is the stochastic time process analyzed in a specified time scale $s,t$,
- $R$ the autocorrelation function.

#### 3.2. Multifractal Spectrum

- $F$ is a subset of the $n$-dimensional Euclidean space,
- $A$ determines the set of $n$-dimensional spheres, where $F\subseteq A$,
- $\delta $ is the diameter of the coverage $A$, which is the diameter of the largest of the spheres belonging to the coverage,
- ${N}_{\delta}\left(A\right)$means the minimum number of spheres that are part of the coverage with a diameter of $\delta $.

## 4. The Methodology of Network Traffic Anomaly Detection Study

## 5. Results

#### 5.1. Network Traffic Stationery and Spectrum Analysis—General Information

#### 5.2. Case of Normal Traffic State

#### 5.3. Case of Anomaly Detection

## 6. Conclusions

## Author Contributions

## Funding

## Acknowledgments

## Conflicts of Interest

## References

- Koucheryavy, A.; Prokopiev, A. Ubiquitous Sensor Networks Traffic Models for Telemetry Applications, Smart Spaces and Next Generation Wired/Wireless Networking. Book Ser.
**2011**, 6869, 287–294. [Google Scholar] - Marwat, S.N.K.; Mehmood, Y.; Khan, A.; Ahmed, S.; Hafeez, A.; Kamal, T.; Khan, A. Method for Handling Massive IoT Traffic in 5G Networks. Sensors
**2018**, 18, 3966. [Google Scholar] [CrossRef] [PubMed] [Green Version] - Mazurek, M.; Dymora, P. Network Anomaly Detection Based on the Statistical Self-Similarity Factor, Analysis and Simulation of Electrical and Computer Systems Lecture Notes in Electrical Engineering; Springer: Cham, Switzerland; Heidelberg, Geramny; New York, NY, USA; Dordrecht, The Netherlands; London, UK, 2015; Volume 324, pp. 271–287. [Google Scholar]
- Wójcicki, R. Nowe metody modelowania samopodobnego ruchu w sieciach w oparciu o procesy Poissona z markowską modulacją. Studia Inform.
**2005**, 26, 23–40. [Google Scholar] - Paxson, V.; Floyd, S. Wide Area Traffic: The Failure of Poisson Modeling; IEEE/ACM Transactions on Networking; IEEE Press: Piscataway, NJ, USA, 1995. [Google Scholar]
- Abry, P.; Wendt Jaffard, S.; Helgason, H.; Goncalvès, P.; Pereira, E.; Gharib, C.I.; Gaucherand, P.; Doret, M. Methodology for Multifractal Analysis of Heart Rate Variability: From LF/HF Ratio to Wavelet Leaders. In Proceedings of the 32 Annual International Conference of the IEEE Engineering in Medicine and Biology Society IEEE Engineering in Medicine and Biology Society, Buenos Aires, Argentina, 31 August–4 September 2010. [Google Scholar]
- Jiang, Z.; Xie, W.; Zhou, W.; Sornette, D. Multifractal analysis of financial markets. arXiv
**2018**, arXiv:1805.04750. [Google Scholar] [CrossRef] [PubMed] [Green Version] - Cekli, S.; Uzunoglu, C.P.; Ugur, M. Monofractal and Multifractal Analysis of Discharge Signals in Transformer Pressboards. Adv. Electr. Comput. Eng.
**2018**, 18, 69–77. [Google Scholar] [CrossRef] - Izal, M.; Morató, D.; Magaña, E.; García-Jiménez, S. Computation of Traffic Time Series for Large Populations of IoT Devices. Sensors
**2019**, 19, 78. [Google Scholar] [CrossRef] [PubMed] [Green Version] - Bai, L.; Yao, L.; Kanhere, S.; Wang, X.; Yang, Z. Automatic Device Classification from Network Traffic Streams of Internet of Things. In Proceedings of the 2018 IEEE 43rd Conference on Local Computer Networks (LCN), Chicago, IL, USA, 1–4 October 2018; pp. 1–9. [Google Scholar]
- Lopes, R.; Betrouni, N. Fractal and Multifractal Analysis: A Review. Med Image Anal.
**2009**, 13, 634–649. [Google Scholar] [CrossRef] [PubMed] - Stolojescu, C.; Isar, A. A comparison of some Hurst parameter estimators. IEEE Conf. Pap.
**2012**. [Google Scholar] [CrossRef] - Hajiheidari, S.; Wakil, K.; Badri, M.; Navimipour, N.J. Intrusion detection systems in the Internet of things: A comprehensive investigation. Comput. Netw.
**2019**, 160, 165–191. [Google Scholar] [CrossRef] - Willinger, W.; Leland, W.E.; Taq, M.S.; Wilson, D. On the self-similar nature of Ethernet traffic (extended version). IEEE/ACM Trans. Netw.
**1994**, 2, 1–15. [Google Scholar] - Liu, Y.; Ding, D.; Ma, K.; Gao, K. Descriptions of Entropy with Fractal Dynamics and Their Applications to the Flow Pressure of Centrifugal Compressor. Entropy
**2019**, 21, 266. [Google Scholar] [CrossRef] [Green Version] - Komolafe, T.; Quevedo, A.V.; Sengupta, S. Statistical evaluation of spectral methods for anomaly detection in static networks. Netw. Sci.
**2019**, 7, 319–352. [Google Scholar] [CrossRef] [Green Version] - D’Alconzo, A.; Drago, I.; Morichetta, A.; Mellia, M.; Casas, P. A Survey on Big Data for Network Traffic Monitoring and Analysis. IEEE Trans. Netw. Serv. Manag.
**2019**, 16, 800–813. [Google Scholar] [CrossRef] [Green Version] - Sebestyen, G.; Hangan, A. Anomaly detection techniques in cyber-physical systems. Acta Univ. Sapientiae Inform.
**2017**, 9, 101–118. [Google Scholar] [CrossRef] [Green Version] - Harish, B.S.; Kumar, S.V.A. Anomaly based Intrusion Detection using Modified Fuzzy Clustering. Int. J. Interact. Multimed. Artif. Intell.
**2017**, 4, 54–59. [Google Scholar] [CrossRef] [Green Version] - Frecon, J.; Fontugne, R.; Didier, G.; Pustelnik, N.; Fukuda, K.; Abry, P. Non-Linear Regression for Bivariate Self-Similarity Identification-Application to Anomaly Detection in Internet Traffic Based On a Joint Scaling Analysis of Packet Aand Byte Counts. In Proceedings of the 2016 IEEE International Conference on Acoustics, Speech and Signal Processing, Shanghai, China, 20–25 March 2016; pp. 4184–4188. [Google Scholar]
- Yu, S.J.; Koh, P.; Kwon, H.; Kim, D.S.; Kim, H.K. Hurst Parameter based Anomaly Detection for Intrusion Detection System. In Proceedings of the 2016 IEEE International Conference on Computer and Information Technology (CIT), Nadi, Fiji, 8–10 December 2016; pp. 234–240. [Google Scholar] [CrossRef]
- Chen, D.; Hu, H.P.; Chen, J.G. A novel method for network anomaly detection using superstatistics. In Proceedings of the CISIS 2008: The Second International Conference On Complex, Intelligent and Software Intensive Systems, Barcelona, Spain, 4–7 March 2008; pp. 595–598. [Google Scholar]
- Willinger, W.; Paxso, V. Where Mathematics Meets theInternet. Not. AMS
**1998**, 45, 961–970. [Google Scholar] - Sheluhin, O.I.; Smolskiy, S.M.; Osin, A.V. Self-Similar Processes in Telecommunications; John Wiley & Sons Ltd.: West Sussex, UK, 2007. [Google Scholar]
- Jędruś, S. Modelowanie multifraktalne natężenia ruchu sieciowego z uwzględnieniem samopodobieństwa statystycznego. Telekomunikacja cyfrowa – Technologie i Usługi, T4, 2001/2002, pp. 10–22. Available online: http://yadda.icm.edu.pl/baztech/element/bwmeta1.element.baztech-f7671f8a-1c46-4380-bd55-8ed2fdd5f0fe (accessed on 6 September 2019).
- Dymora, M.B.P.; Mazurek, M. Analiza Ruchu w Sieci Komputerowej w Oparciu o Modele Multifraktalne. In Zeszyty Naukowe Politechniki Rzeszowskiej; RUTJEE: Rzeszów, Poland, 2017. [Google Scholar]
- Qian, B.; Rasheed, K. Hurst Exponent and Financial Market Predictability. In Proceedings of the 2nd IASTED International Conference on Financial Engineering and Applications, Cambridge, MA, USA, 8–10 November 2004; pp. 203–209. [Google Scholar]
- Cheng, Q.; Agterberg, F.P. Multifractal Modeling and Spatial Statistics. Mat. Geol.
**1996**, 28, 1–16. [Google Scholar] [CrossRef] - Mazurek, M.; Dymora, P. Network anomaly detection based on the statistical self-similarity factor for HTTP protocol. Przegląd Elektrotechniczny, ISSN 0033-2097, R. 90 NR 1/2014. 2014, pp. 127–130. Available online: http://www.pe.org.pl/articles/2014/1/30.pdf (accessed on 6 September 2019).
- Available online: http://www.caida.org (accessed on 22 September 2019).

**Figure 3.**Distribution of Legendre spectra (

**left graph**) and significant deviation spectra (

**right graph**) for the 2016 sample B.

**Figure 4.**Distribution of Legendre spectra (

**left graph**) and large deviation spectra (

**right graph**) for the 2018 sample A.

**Figure 5.**Legendre spectra for the 2018 sample A of obtained by values determined by measuring values (

**left graph**) and distribution of Legendre spectra for the 2018 sample B (

**right graph**).

**Figure 6.**The distribution of the significant deviation spectra (

**left graph**) and the measure of value (

**right graph**) for the 2018 sample B.

**Figure 7.**Distribution of Legendre spectra (

**left graph**) and significant deviation spectra (

**right graph**) for the 2016 sample A.

**Figure 8.**Legendre spectra obtained for samples A (

**left graph**) and B (

**right graph**) in 2016, determined by a measure of values.

**Table 1.**Aggregate summary of all network traffic samples undergoing long-term and multifractal analysis.

Sample A | 21.01.2016 | 18.02.2016 | 17.03.2016 | 06.04.2016 | |||||

Data sample | Total traffic | Data sample | Total traffic | Data sample | Total traffic | Data sample | Total traffic | ||

Packets | 30,000 | 0.11% | 30,000 | 0.13% | 30,000 | 0.12% | 30,000 | 0.12% | |

Sum (B) | 16,358,450 | 0.12% | 20,949,888 | 0.13% | 17,086,840 | 0.11% | 17,311,577 | 0.12% | |

Average packet size (B) | 545.3 | 105.07% | 698.35 | 97.95% | 569.58 | 90.27% | 577.07 | 101.25% | |

Standard deviation | 641.94 | 664.71 | 643.85 | 647 | |||||

Variance | 412,083.62 | 441,836.27 | 414,548.32 | 418,606.55 | |||||

Sample B | Packets | 30,000 | 0.10% | 30,000 | 0.11% | 30,000 | 0.10% | 30,000 | 0.11% |

Sum (B) | 29,437,075 | 0.10% | 27,055,282 | 0.11% | 26,745,757 | 0.10% | 25,476,884 | 0.10% | |

Average packet size (B) | 981.8 | 97.70% | 901.87 | 100.55% | 891.55 | 98.63% | 849.26 | 98.64% | |

Standard deviation | 637.8 | 657.51 | 657.67 | 668.28 | |||||

Variance | 406,793.04 | 432,314.43 | 432,533.21 | 446,601.62 | |||||

Sample A | 15.03.2018 | 19.04.2018 | 17.05.2018 | ||||||

Data sample | Total traffic | Data sample | Total traffic | Data sample | Total traffic | ||||

Packets | 30,000 | 0.12% | 30,000 | 0,10% | 30,000 | 0.09% | |||

Sum (B) | 28,970,063 | 0.12% | 25,059,464 | 0,10% | 29,103,826 | 0.10% | |||

Average packet size (B) | 965.95 | 101.05% | 835.34 | 98,28% | 970.16 | 108.65% | |||

Standard deviation | 640.95 | 668.4 | 655.87 | ||||||

Variance | 410,819.45 | 446,761.09 | 430,159.96 | ||||||

Sample B | Packets | 30,000 | 0.22% | 30,000 | 0,19% | 30,000 | 0.14% | ||

Sum (B) | 8,479,210 | 0.22% | 10,544,621 | 0,19% | 10,450,452 | 0.14% | |||

Average packet size (B) | 282.65 | 99.18% | 351.5 | 100,43% | 348.36 | 101.27% | |||

Standard deviation | 470.87 | 529.91 | 531.98 | ||||||

Variance | 221,722.74 | 280,803.74 | 282,998.98 |

Date of Packets Collection | Sample A | Sample B |
---|---|---|

2016.01.21 | 0.697 | 0.719 |

2016.02.18 | 0.702 | 0.777 |

2016.03.17 | 0.736 | 0.753 |

2016.04.06 | 0.733 | 0.738 |

2018.03.15 | 0.734 | 0.618 |

2018.04.19 | 0.787 | 0.581 |

2018.05.17 | 0.753 | 0.634 |

Average | 0.735 | 0.689 |

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Dymora, P.; Mazurek, M.
Anomaly Detection in IoT Communication Network Based on Spectral Analysis and Hurst Exponent. *Appl. Sci.* **2019**, *9*, 5319.
https://doi.org/10.3390/app9245319

**AMA Style**

Dymora P, Mazurek M.
Anomaly Detection in IoT Communication Network Based on Spectral Analysis and Hurst Exponent. *Applied Sciences*. 2019; 9(24):5319.
https://doi.org/10.3390/app9245319

**Chicago/Turabian Style**

Dymora, Paweł, and Mirosław Mazurek.
2019. "Anomaly Detection in IoT Communication Network Based on Spectral Analysis and Hurst Exponent" *Applied Sciences* 9, no. 24: 5319.
https://doi.org/10.3390/app9245319