Abstract
Analyzing network traffic behavior is essential for detecting network anomalies, yet analyzing this behavior effectively enough to diagnose anomalies remains a challenge. One promising approach is to decompose network traffic into a control plane and a data plane and statistically analyze the packet features of each plane. Under benign traffic the two planes behave similarly, so any divergence in their behavior may indicate an anomaly. In this work, we show that under normal conditions the packet-count distance between the two planes falls within a bounded range of values, and that consecutive outliers beyond that range may reveal the presence of anomalies. We exploit Dynamic Time Warping (DTW) to obtain the best alignment of the two planes and measure the Euclidean distance between their corresponding instances. We investigate our approach using recent Internet traffic captured at King Saud University. The results support our argument: the distance between the TCP control plane and the corresponding data plane stays within a certain range of values during benign applications and exceeds that range during anomalous activities.
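The procedure the abstract describes (align the control-plane and data-plane packet-count series with DTW, measure the distance between aligned instances, learn the benign range, and alert on consecutive outliers) is shown below as an added, self-contained example; it is not code from the paper. The per-second packet counts are constructed, the split into "control" (payload-less TCP packets such as SYN, SYN/ACK, FIN, RST) and "data" (payload-carrying TCP packets) is an assumption since the abstract does not define it, and the tolerance `tol`, the run length `min_run` and the function names are illustrative choices.

```python
"""DTW-aligned control-plane vs data-plane packet-count distance.

Added example, not the paper's code. Series are per-interval packet counts
(one value per second); all sample values below are constructed.
"""
from typing import List, Tuple

INF = float("inf")


def dtw_path(a: List[float], b: List[float]) -> Tuple[float, List[Tuple[int, int]]]:
    """Classic DTW with |x - y| (1-D Euclidean distance) as the local cost.

    Returns (total alignment cost, warping path), the path being the list of
    (i, j) pairs that align a[i] with b[j]; every index of both series appears
    at least once, so a lag of one plane behind the other is absorbed.
    """
    n, m = len(a), len(b)
    cost = [[INF] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = abs(a[i - 1] - b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j - 1], cost[i - 1][j], cost[i][j - 1])
    # Backtrack from the corner; on ties prefer the diagonal step.
    i, j = n, m
    path = []
    while i > 0 and j > 0:
        path.append((i - 1, j - 1))
        i, j = min(((i - 1, j - 1), (i - 1, j), (i, j - 1)),
                   key=lambda p: cost[p[0]][p[1]])
    path.reverse()
    return cost[n][m], path


def plane_distance(control: List[float], data: List[float]) -> List[float]:
    """Distance per control-plane interval: mean |control[i] - data[j]| over
    the data-plane samples j that DTW aligned to interval i."""
    _, path = dtw_path(control, data)
    sums = [0.0] * len(control)
    counts = [0] * len(control)
    for i, j in path:
        sums[i] += abs(control[i] - data[j])
        counts[i] += 1
    return [s / c for s, c in zip(sums, counts)]


def learn_range(benign_control: List[float], benign_data: List[float],
                tol: float = 1.0) -> Tuple[float, float]:
    """Benign range of the distance, widened by an assumed tolerance `tol`;
    the lower bound is clamped at 0 because a distance cannot be negative."""
    d = plane_distance(benign_control, benign_data)
    return max(0.0, min(d) - tol), max(d) + tol


def detect(control: List[float], data: List[float], lo: float, hi: float,
           min_run: int = 3) -> List[Tuple[int, int]]:
    """Return (start, end) control-plane intervals of at least `min_run`
    consecutive distances outside [lo, hi]; isolated outliers are ignored."""
    d = plane_distance(control, data)
    alerts = []
    run_start = None
    for t in range(len(d) + 1):                # one extra step closes a trailing run
        outlier = t < len(d) and not (lo <= d[t] <= hi)
        if outlier and run_start is None:
            run_start = t
        elif not outlier and run_start is not None:
            if t - run_start >= min_run:
                alerts.append((run_start, t - 1))
            run_start = None
    return alerts


# Constructed benign capture used to learn the normal range.
BENIGN_CONTROL = [10, 12, 11, 13, 12, 10]
BENIGN_DATA = [11, 12, 13, 12, 12, 11]

# Constructed test capture: intervals 6..9 carry a burst of payload-less
# control packets with no matching rise on the data plane.
TEST_CONTROL = [11, 10, 12, 11, 12, 10, 52, 61, 58, 55, 11, 12, 10, 11]
TEST_DATA = [12, 11, 12, 12, 11, 11, 12, 12, 11, 12, 12, 11, 12, 12]

if __name__ == "__main__":
    lo, hi = learn_range(BENIGN_CONTROL, BENIGN_DATA)
    print("benign distance range:", (lo, hi))
    print("per-interval distance:", plane_distance(TEST_CONTROL, TEST_DATA))
    print("alerts (start, end):", detect(TEST_CONTROL, TEST_DATA, lo, hi))
```

The distance is aggregated on the control-plane time axis, so an alert names control-plane intervals; because the DTW path covers every index of both series, a burst on either plane still shows up as a large distance on the control intervals it was aligned to. The `dtw_path([1, 2, 3], [1, 2, 2, 3])` case aligns with zero cost by matching the repeated `2` to one sample, which is the property that lets the data plane lag the control plane by an interval without inflating the distance.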