### Week 12: Time Series Forecasting and Threat Detection

Understand how time series analysis can be used to monitor system logs and detect unusual patterns that might indicate an attack.

Articles on "DDoS detection using time series analysis."

Research how a company could use time series analysis to detect a DDoS attack. Write a short summary of your findings.

---

#### How does time series analysis detect a DDoS attack?

Time series analysis detects DDoS attacks by identifying significant deviations from normal network traffic patterns, such as sudden spikes in volume or changes in traffic characteristics like the number of unique source IPs. Typical approaches model normal traffic with statistical models such as Auto-Regressive (AR) or ARIMA and flag abrupt changes between successive time windows, monitor features such as the number of unique source IPs (USIP) for anomalous spikes, or use entropy to measure changes in the distribution of addresses, which also helps expose spoofed sources. Deep learning models take the same time series (for example, packet-level statistics) as input, learn their temporal patterns, and classify each window as normal or attack traffic.

#### Core principles and methods
- Baselining and anomaly detection: the system builds a baseline of normal traffic over time. A DDoS attack shows up as a sudden, significant deviation from that baseline, such as a spike in request volume or a jump in the number of unique source IPs.
- Sliding window comparison: a "test" time window is compared against a "reference" window of known-normal traffic. An abrupt change between the two windows indicates that an attack has started.
- Feature extraction: the analysis runs over features extracted from the traffic rather than raw packets, such as the number of unique source IPs (USIP) or packet-level statistics.
    - Unique source IPs (USIP): a drastic increase in the number of distinct source addresses is a common indicator, because DDoS attacks typically flood the target from a large number of spoofed or compromised machines.
    - Entropy: entropy measures the randomness of the traffic. An attack changes the distribution of source and destination addresses, which shows up as a shift in entropy; this is especially useful when source addresses are spoofed.
- Statistical modeling: Auto-Regressive (AR) or Auto-Regressive Integrated Moving Average (ARIMA) models predict what normal traffic should look like. An attack is flagged when the actual traffic deviates significantly from the model's prediction.
- Deep learning: models such as LSTMs and Transformers are trained on (often multivariate) time series to learn complex temporal patterns that distinguish normal traffic from attack traffic.
- Dynamic Time Warping (DTW): DTW measures the similarity between two time series even when they are shifted or stretched in time, so current traffic can be compared against a known baseline or another series to detect anomalies.
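The USIP and entropy checks above, run as a reference-window versus test-window comparison, as an added example that is not code from the original notes; the flow records and both alert thresholds are constructed assumptions:

```python
"""Sliding-window comparison of unique source IPs (USIP) and source-IP entropy.

Added example, not from the original notes. A 'reference' window of normal
traffic is compared with a 'test' window; an alert is raised when the USIP
count or the Shannon entropy of the source-IP distribution moves beyond a
chosen tolerance. Thresholds and traffic below are constructed, not measured.
"""
from collections import Counter
import math


def source_entropy(src_ips):
    """Shannon entropy (bits) of the source-IP distribution in one window."""
    if not src_ips:
        return 0.0
    counts = Counter(src_ips)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_features(src_ips):
    """The two per-window features the notes discuss: USIP and entropy."""
    return {"usip": len(set(src_ips)), "entropy": source_entropy(src_ips)}


def compare_windows(reference, test, usip_ratio=3.0, entropy_delta=2.0):
    """Return the reasons the test window looks anomalous relative to the
    reference window (empty list means no alert). usip_ratio and
    entropy_delta are assumed tolerances; tune them on real baseline data."""
    ref, tst = window_features(reference), window_features(test)
    reasons = []
    if tst["usip"] >= usip_ratio * ref["usip"]:
        reasons.append(f"usip {ref['usip']} -> {tst['usip']}")
    if abs(tst["entropy"] - ref["entropy"]) > entropy_delta:
        reasons.append(f"entropy {ref['entropy']:.2f} -> {tst['entropy']:.2f}")
    return reasons


# Constructed traffic: a normal window is 8 repeat clients (entropy = 3 bits);
# the flood window keeps some of them but adds 254 distinct sources, each seen
# only twice, which is the spoofed-looking pattern USIP and entropy react to.
NORMAL = ["10.0.0.%d" % (i % 8 + 1) for i in range(200)]
FLOOD = NORMAL[:50] + ["203.0.113.%d" % i for i in range(1, 255)] * 2


def demo():
    return compare_windows(NORMAL, FLOOD)


if __name__ == "__main__":
    print(demo())  # both the USIP and the entropy check fire
```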

#### Real-world application
- Some platforms apply time series analysis to logs and metrics in real time, which lets them detect and react to attacks more quickly.
- The analysis can pinpoint not only the presence of an attack but also its start time and location, which is valuable for forensic analysis and mitigation.

---

### Time Series for DDoS Detection

1. The Time Series Metric (What to Track)
    The most suitable network metric for detecting a high-volume DDoS attack is one that quantifies the load on the system.

    Primary Metrics:
    - Total Inbound Bytes/Packets per Minute: This directly measures the volume of traffic flooding the network. A DDoS attack appears as a massive surge in this count.
    - Connection Rate (New Connections per Second): Tracks the initiation of sessions, which spike dramatically during connection-based attacks (e.g., SYN floods).

    Suitability for Time Series: These metrics are ideal because they exhibit strong cyclostationarity (e.g., high during business hours, low at 3 AM), providing a clear, predictable rhythm. This rhythm defines the expected normal behavior, making any deviation easy to spot.

2. Establishing the Baseline (Defining "Normal")
    The goal is to create a model that only predicts normal, stable network behavior.

    Role of Cyclostationarity: The daily and weekly cycles (cyclostationarity) are critical because they account for the regular, expected fluctuations in traffic (e.g., the predictable drop every weekend). A forecasting model like Prophet or SARIMA is built specifically to model this periodic behavior.

    Role of Stationarity: The concept of achieving stationarity (e.g., through differencing) helps define a stable expectation by removing the long-term trend (e.g., the network growing 10% every year). This ensures the model's parameters remain reliable and aren't skewed by non-stop growth, allowing us to focus on the predictable short-term dependencies (autocorrelation).

3. Identifying the Anomaly (Flagging the Attack)
    An anomaly is detected when the actual traffic significantly deviates from the forecast.
    - Forecast Error ($Y_t - \hat{Y}_t$): The model forecasts the Expected Normal Traffic ($\hat{Y}_t$). A DDoS attack pushes the Actual Traffic ($Y_t$) far above this forecast; the difference is the Residual Error (also called the Forecast Error).
    - Threshold Trigger: The system calculates the normal tolerance for the forecast error, usually from the standard deviation ($\sigma$) of past, non-attack residuals.
        - If the Residual Error during the attack is several standard deviations above that tolerance (e.g., $3\sigma$ or $4\sigma$), an alert is triggered.
    - Benefit: This method minimizes false alarms because the model already accounts for the high traffic peaks that occur during normal business hours. Only traffic beyond the scope of any normal peak is flagged.
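The three steps above carried through in code, as an added example that is not part of the original notes: a seasonal-mean forecast per hour of day stands in for the Prophet/SARIMA baseline, $\sigma$ comes from two weeks of constructed non-attack days, and any slot whose forecast error $Y_t - \hat{Y}_t$ exceeds $3\sigma$ is flagged.

```python
"""Forecast-residual DDoS detector over a cyclostationary traffic series.

Added example, not from the original notes. The baseline is a seasonal-mean
forecast (mean per slot-of-day over past normal days), standing in for the
Prophet/SARIMA model the notes mention; traffic volumes are constructed inline.
"""
import math
import random
from statistics import mean, pstdev


def build_baseline(history):
    """history: past normal days, each a list of byte counts per slot of day.
    Returns (expected_per_slot, sigma): the forecast Yhat for each slot and the
    standard deviation of the residuals Y_t - Yhat_t over the non-attack history."""
    slots = len(history[0])
    expected = [mean(day[s] for day in history) for s in range(slots)]
    residuals = [day[s] - expected[s] for day in history for s in range(slots)]
    return expected, pstdev(residuals)


def detect(day, expected, sigma, k=3.0):
    """Return the slots whose forecast error Y_t - Yhat_t exceeds k*sigma.
    One-sided on purpose: a flood only ever pushes traffic above the forecast."""
    return [s for s, y in enumerate(day) if y - expected[s] > k * sigma]


def synthetic_day(rng, base=100_000, peak=1_000_000, noise=20_000):
    """Constructed daily cycle: quiet at night, busy in business hours (06-18)."""
    return [base + peak * max(0.0, math.sin(math.pi * (h - 6) / 12))
            + rng.uniform(-noise, noise) for h in range(24)]


def demo():
    rng = random.Random(7)
    history = [synthetic_day(rng) for _ in range(14)]  # two weeks of normal days
    expected, sigma = build_baseline(history)
    today = synthetic_day(rng)
    today[3] += 600_000    # constructed flood at 03:00, far above the night baseline
    today[13] += 600_000   # same flood at 13:00, still above the business-hours peak
    return detect(today, expected, sigma)


if __name__ == "__main__":
    print("slots flagged:", demo())  # [3, 13]
```

Because the expected value is learned per slot of day, the 13:00 flood is flagged even though its absolute volume is no higher than a normal midday peak would be at a busier site; a single static limit could not make that distinction.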

In summary:

- Metric: High-volume attacks (DDoS) are monitored using metrics like Total Inbound Bytes per Minute or New Connection Rate, which quantify network load.
- Baseline: Normal network behavior is defined by its cyclostationarity (predictable daily/weekly cycles), which is modeled using techniques like Prophet or SARIMA.
- Stationarity: Applying differencing to remove the long-term trend ensures the model's statistical base is stable, making the prediction reliable and not biased by continuous growth.
- Detection: An attack is detected when the Residual Error, the difference between the Actual Traffic $Y_t$ and the Expected Normal Forecast $\hat{Y}_t$, exceeds a predefined threshold, typically set at a high multiple of the standard deviation of the model's normal error.
- Result: This time series approach allows companies to establish a dynamic, data-driven threshold, significantly reducing false positives compared to simple static limits.