Dynamic Modeling of Internet Traffic for Intrusion Detection



Research Article

Khushboo Shah,1 Edmond Jonckheere,2 and Stephan Bohacek3

1 Nevis Networks Inc., Mountain View, CA 94043, USA
2 Department of Electrical Engineering, University of Southern California, Los Angeles, CA 90089, USA
3 Department of Electrical and Computer Engineering, University of Delaware, Newark, DE 19711, USA

Received 27 May 2005; Revised 15 February 2006; Accepted 18 May 2006
Recommended by Frank Ehlers

Abstract. Computer network traffic is analyzed via mutual information techniques, implemented using linear and nonlinear canonical correlation analyses, with the specific objective of detecting UDP flooding attacks. NS simulation of HTTP, FTP, and CBR traffic shows that flooding attacks are accompanied by a change of mutual information, either at the link being flooded or at another upstream or downstream link. This observation appears to be topology independent, as the technique is demonstrated on the so-called parking-lot topology, a random 50-node topology, and a 100-node transit-stub topology. The technique is also employed to detect UDP flooding with a low false alarm rate on a backbone link. These results indicate that a change in mutual information provides a useful detection criterion when no other signature of the attack is available.

Copyright © 2007 Khushboo Shah et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
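To make concrete what "a change in mutual information" means as a detection statistic, here is an added illustration in Python. It is not the authors' code: it uses a plain histogram (plug-in) estimator of mutual information rather than the linear and nonlinear canonical correlation analyses the paper implements, and the traffic series are constructed, not simulated in NS. Per-interval byte counts at an upstream link and a downstream link are generated so that normal traffic enters upstream and leaves downstream with a small jitter; from a chosen point on, a bursty UDP stream that is independent of the upstream link is added downstream. Mutual information is then computed window by window and the first window whose value departs from an attack-free baseline is flagged. The window length, bin count, flood shape and change fraction are all assumptions chosen for the example.

```python
"""Windowed mutual information between two link traffic series (added example)."""
import math
import random


def mutual_information(xs, ys, bins=6):
    """Plug-in mutual information estimate, in nats, from a joint histogram.

    Equal-width bins are laid over each series' own min..max inside the window.
    This textbook histogram estimator is biased upward for short windows, so only
    compare windows of equal length with each other.
    """
    n = len(xs)
    if n == 0 or n != len(ys):
        raise ValueError("series must be non-empty and of equal length")

    def to_bin(v, lo, hi):
        if hi == lo:
            return 0
        return min(int((v - lo) / (hi - lo) * bins), bins - 1)

    xlo, xhi, ylo, yhi = min(xs), max(xs), min(ys), max(ys)
    joint = [[0] * bins for _ in range(bins)]
    for x, y in zip(xs, ys):
        joint[to_bin(x, xlo, xhi)][to_bin(y, ylo, yhi)] += 1
    px = [sum(row) for row in joint]            # marginal counts of x bins
    py = [sum(col) for col in zip(*joint)]      # marginal counts of y bins
    mi = 0.0
    for i in range(bins):
        for j in range(bins):
            c = joint[i][j]
            if c:
                # p(i,j) * log( p(i,j) / (p(i) p(j)) ), written with counts
                mi += (c / n) * math.log(c * n / (px[i] * py[j]))
    return mi


def synth_two_links(n, flood_start, rng):
    """Constructed per-interval byte counts at an upstream and a downstream link.

    Normal traffic enters upstream and leaves downstream with small jitter, so the
    two series are strongly dependent. From flood_start on, a bursty UDP stream
    that is independent of the upstream link is added at the downstream link.
    (Assumed shapes and magnitudes; not measured traffic.)
    """
    up, down = [], []
    for t in range(n):
        x = rng.uniform(400, 1600)
        y = x + rng.gauss(0, 30)
        if t >= flood_start:
            y += rng.uniform(1000, 7000)
        up.append(x)
        down.append(y)
    return up, down


def windowed_mi(up, down, window):
    """MI of consecutive non-overlapping windows of the two series."""
    return [mutual_information(up[i:i + window], down[i:i + window])
            for i in range(0, len(up) - window + 1, window)]


def first_mi_change(mis, baseline_windows=2, frac=0.5):
    """Index of the first window whose MI differs from the baseline mean by more
    than frac * baseline, in either direction, or None. The baseline windows
    are assumed attack-free (training on clean traffic)."""
    base = sum(mis[:baseline_windows]) / baseline_windows
    for k in range(baseline_windows, len(mis)):
        if abs(mis[k] - base) > frac * base:
            return k
    return None


def demo(seed=7, n=600, flood_start=300, window=150):
    """Run the constructed scenario; returns (per-window MI list, first flagged window)."""
    up, down = synth_two_links(n, flood_start, random.Random(seed))
    mis = windowed_mi(up, down, window)
    return mis, first_mi_change(mis)


if __name__ == "__main__":
    mis, k = demo()
    for i, m in enumerate(mis):
        print(f"window {i}: MI = {m:.3f} nats")
    print("first window flagged:", k)
```

In this construction the independent flood dilutes the dependence between the two links, so the mutual information drops in the windows that contain it; the abstract's claim is only that the value changes, and a threshold on either direction is what the detector above tests. Two caveats a practitioner would check before relying on such a statistic: the plug-in estimator's bias depends on window length and bin count, so the baseline must be built from windows of the same size, and the baseline windows must actually be attack-free.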

1. INTRODUCTION

Attacks on the network have become commonplace, and with them intrusion detection systems (IDSs), firewalls, virus scanning, and the like have become part of an ever-growing arsenal of defense tools [1, 2]. If the nature of an attack is known in advance, it can be recognized by pattern-matching techniques; hence, signature-based IDS is perhaps the most popular IDS technique [3, 4]. However, when a new attack strikes, no such signature is available, and the only hope is anomaly detection [5], that is, detection of some deviation of the overall system behavior from what is considered normal. Anomaly detection can be host-based or network-based. Host-based anomaly detection operates at the end-user level, while network-based detection operates on network data. The present paper belongs to the latter category, in the sense that it detects intrusion by analyzing the signals observed at some link. Within network-based anomaly detection, most techniques are count-based: the rate of occurrence (i.e., the number of events in a time period) or the absolute value of some count is monitored, and a sufficiently large deviation of the count from its nominal value is taken to signify an attack. Change-point detection schemes such as the cumulative sum (CUSUM) [6] or the exponentially weighted moving average may be used to detect when the deviation of the count occurs [7]. For example, TCP-SYN attacks are detected by monitoring the arrival rate of TCP-SYN p
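The count-based change-point schemes the introduction names, worked through as an added example in Python (this is not code from the paper, and the per-second TCP SYN counts are constructed, not captured): a one-sided Page CUSUM and an EWMA control chart are both trained on an attack-free window and then run over a series in which a SYN flood starts at second 30. The allowance k, the threshold h, the smoothing weight lam and the control-limit width L are assumed parameter choices.

```python
"""CUSUM and EWMA change-point detection on per-second TCP SYN counts (added example)."""
import math

# Constructed per-second TCP SYN counts at a monitored link: 30 s of quiet
# traffic around 20 SYN/s, then 20 s of a SYN flood near 60 SYN/s.
BASELINE = [18, 22, 20, 19, 21] * 6
ATTACK = [55, 60, 58, 62, 57] * 4
SYN_COUNTS = BASELINE + ATTACK
ATTACK_START = len(BASELINE)  # the flood begins at index 30


def train_baseline(counts):
    """Mean and (population) standard deviation of an attack-free training window."""
    mu = sum(counts) / len(counts)
    sigma = math.sqrt(sum((c - mu) ** 2 for c in counts) / len(counts))
    return mu, sigma


def cusum_alarm(counts, mu0, k, h):
    """One-sided Page CUSUM for an upward shift in the mean.

    S_t = max(0, S_{t-1} + (x_t - mu0 - k)). k is the allowance (roughly half
    the shift worth detecting) and h the decision threshold. Returns the index
    of the first sample at which S_t exceeds h, or None.
    """
    s = 0.0
    for t, x in enumerate(counts):
        s = max(0.0, s + (x - mu0 - k))
        if s > h:
            return t
    return None


def ewma_alarm(counts, mu0, sigma, lam=0.2, L=3.0):
    """EWMA control chart: z_t = lam*x_t + (1-lam)*z_{t-1}, started at mu0.

    Alarm when z_t exceeds the upper control limit
    mu0 + L*sigma*sqrt(lam/(2-lam)). Returns the first alarm index, or None.
    """
    ucl = mu0 + L * sigma * math.sqrt(lam / (2 - lam))
    z = mu0
    for t, x in enumerate(counts):
        z = lam * x + (1 - lam) * z
        if z > ucl:
            return t
    return None


def demo():
    """Train on the clean window, then run both detectors on clean and flooded data."""
    mu0, sigma = train_baseline(BASELINE)
    return {
        "mu0": mu0,
        "sigma": sigma,
        "cusum_first_alarm": cusum_alarm(SYN_COUNTS, mu0, k=5.0, h=50.0),
        "ewma_first_alarm": ewma_alarm(SYN_COUNTS, mu0, sigma),
        "cusum_on_clean": cusum_alarm(BASELINE, mu0, k=5.0, h=50.0),
        "ewma_on_clean": ewma_alarm(BASELINE, mu0, sigma),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these parameters the EWMA chart fires on the first flood second and the CUSUM on the second, while neither fires on the clean window. The trade-off a practitioner tunes is visible in the parameters: a smaller allowance k or threshold h (or a wider L) shortens detection delay at the cost of more false alarms on bursty but legitimate traffic, which is exactly the limitation of count-based detection that motivates the paper's mutual-information criterion.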