Anomaly Detection with Ensemble Empirical Mode Decomposition for Secure QUIC Communications: A Simple Use Case

QUIC (Quick UDP Internet Connections) proposed by Google is a new secure general-purpose network transport protocol. Compared with TCP and TLS, QUIC combines the advantages of many other protocols and is a new multiplexing and secure transmission protocol. However, with the development of network technology and the gradual expansion of network scale, the network environment has become increasingly complex, and network security has become increasingly severe. QUIC network monitoring faces enormous challenges. Based on the self-similarity of QUIC traffic, an anomaly detection method for QUIC traffic based on Ensemble Empirical Mode Decomposition (EEMD) is proposed in this paper. By decomposing the network traffic, several Intrinsic Mode Functions (IMFs) and a residual trend term are obtained, and then several IMF components with low frequency and low noise are selected for reconstruction. Calculate the Hurst value of the reconstructed signal and judge whether the QUIC network has been attacked by comparing the change of the Hurst value before and after adding abnormal traffic. The simulation experiment verifies the effectiveness and accuracy of the method.