Petar Čisar, Sanja Maravić Čisar



Anomaly detection is used to monitor and capture traffic anomalies in network systems. Many anomalies manifest as changes in the intensity of network events. Because the EWMA control chart can monitor the rate of occurrence of events based on their intensity, this statistic is appropriate for implementation in control-limit-based algorithms. The performance of the standard EWMA algorithm can be made more effective by combining the logic of the adaptive threshold algorithm with an adequate application of fuzzy theory. This paper analyzes the theoretical possibility of applying EWMA statistics and fuzzy logic to detect network anomalies. Different aspects of fuzzy rules are discussed, as well as different membership functions, in an attempt to find the most adequate choice. It is shown that introducing fuzzy logic into the standard EWMA algorithm for anomaly detection opens the possibility of advance warning of a network attack. In addition, fuzzy logic enables precise determination of the degree of risk.


Network Anomaly Detection, EWMA, Fuzzy Rules, Membership Functions, Operators







ISSN: 0353-3670 (Print)

ISSN: 2217-5997 (Online)

COBISS.SR-ID 12826626