An improved system and method for detecting network anomalies comprises, in one implementation, a computer device and a network anomaly detector module executed by the computer device and arranged to electronically sniff network traffic data at an aggregate level using a windowing approach. The windowing approach is configured to view the network traffic data through a plurality of time windows, each of which represents a sequence of a feature such as packets per second or flows per second. The network anomaly detector module is configured to execute a wavelet transform for capturing properties of the network traffic data, such as long-range dependence and self-similarity. The wavelet transform is a multiresolution transform, and can be configured to decompose and simplify statistics of the network traffic data into a simplified and fast algorithm. The network anomaly detector module is also configured to execute a bivariate Cauchy-Gaussian mixture (BCGM) statistical model for processing and modeling the network traffic data in the wavelet domain. The BCGM statistical model is an approximation of the α-stable model, and offers a closed-form expression for the probability density function to increase accuracy and analytical tractability, and to facilitate parameter estimation when compared to the α-stable model. Finally, the network anomaly detector module is further configured to execute a generalized likelihood ratio test for detecting the network anomalies.
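The pipeline described above (time windows, wavelet transform, mixture model, generalized likelihood ratio test) can be sketched as follows; this is an added example, not code from the described system. It narrows the method to a single Haar level and a univariate Cauchy-Gaussian mixture standing in for the bivariate BCGM. The mixture form, the mixing weight, the dispersion grid, the threshold, the choice of the first window as clean reference, and the sample series are all assumptions.

```python
import math
import random

EPS = 0.5                                        # assumed mixing weight
GRID = [10 ** (k / 10) for k in range(-10, 51)]  # candidate dispersions, 0.1 to 1e5

def haar_details(window):
    """Level-1 Haar detail coefficients of an even-length window."""
    return [(window[i] - window[i + 1]) / math.sqrt(2)
            for i in range(0, len(window) - 1, 2)]

def cgm_loglik(xs, gamma):
    """Log-likelihood under a zero-centred Cauchy-Gaussian mixture (assumed form).

    Both components share the dispersion gamma; the Gaussian has variance 2*gamma^2.
    """
    total = 0.0
    for x in xs:
        cauchy = gamma / (math.pi * (x * x + gamma * gamma))
        gauss = math.exp(-x * x / (4 * gamma * gamma)) / (2 * gamma * math.sqrt(math.pi))
        total += math.log((1 - EPS) * cauchy + EPS * gauss)
    return total

def max_loglik(xs):
    """Grid-search maximum likelihood over the dispersion."""
    return max(cgm_loglik(xs, g) for g in GRID)

def glrt(ref, test):
    """2 * log likelihood ratio: H0 one shared dispersion, H1 one per window."""
    return 2 * (max_loglik(ref) + max_loglik(test) - max_loglik(ref + test))

def detect(pps, win=64, threshold=20.0):
    """Score each window after the first against the first (assumed clean) window."""
    ref = haar_details(pps[:win])
    results = []
    for start in range(win, len(pps) - win + 1, win):
        score = glrt(ref, haar_details(pps[start:start + win]))
        results.append((start, score, score > threshold))
    return results

def sample_series(seed=1):
    """Constructed packets-per-second series: ~1000 pps, pulsed burst in seconds 128-191."""
    rng = random.Random(seed)
    return [1000 + rng.randint(-20, 20) + (4000 if 128 <= t < 192 and t % 2 == 0 else 0)
            for t in range(256)]

if __name__ == "__main__":
    for start, score, flagged in detect(sample_series()):
        print(f"window@{start:3d}s  GLRT={score:8.1f}  anomaly={flagged}")
```

In practice the threshold would be calibrated on known-clean traffic to hit a target false-alarm rate.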