Modeling Protocol Based Packet Header Anomaly Detector for Network and Host Intrusion Detection Systems



Abstract. This paper describes an experimental protocol-based packet header anomaly detector for Network and Host Intrusion Detection System modelling. It analyses the behaviour of packet header field values drawn from the layer 2, 3 and 4 protocol headers of the ISO OSI seven-layer networking model. Our model, which we call the Protocol based Packet Header Anomaly Detector (PbPHAD) Intrusion Detection System, is designed to detect anomalous network traffic packets separately for three network and transport layer protocols, namely UDP, TCP and ICMP. Each header field value is rated individually by a statistical model, and the degree of maliciousness of a detected anomalous packet is the sum of its individually rated anomalous field values.

Keywords: Anomaly, Database, Network Intrusion Detection System.
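To make the scheme in the abstract concrete, the following is an added Python illustration, not PbPHAD's own code: it splits Ethernet/IPv4 frames into individual layer 2, 3 and 4 header fields, keeps a separate per-protocol baseline for TCP, UDP and ICMP, rates every field whose value was never seen in training, and sums the field ratings into one packet score. The per-field rating used here (n training packets divided by r distinct values observed, the style of score used by PHAD, without PHAD's time factor) is an assumption standing in for PbPHAD's own statistical model, which the paper gives in section 3 and which is not reproduced here. The baseline traffic and the test packets are constructed inline with the `build_packet` helper, which exists only for this example.

```python
"""Protocol-based packet header anomaly scoring: added illustration, not PbPHAD's code."""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800


def parse_packet(raw: bytes):
    """Split an Ethernet/IPv4 frame into (protocol name, header field dict).

    Layer 2 (Ethernet), 3 (IPv4) and 4 (TCP/UDP/ICMP) header fields are kept as
    separate values so that each can be rated on its own. Returns None for frames
    that are too short, not IPv4, or not one of the three protocols modelled.
    """
    if len(raw) < 34:
        return None
    eth_type = struct.unpack("!H", raw[12:14])[0]
    if eth_type != ETHERTYPE_IPV4:
        return None
    ver_ihl, tos, total_len, _ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", raw[14:26])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {
        "eth_type": eth_type, "ip_ver": ver_ihl >> 4, "ip_ihl": ihl, "ip_tos": tos,
        "ip_len": total_len, "ip_flags": flags_frag >> 13, "ip_frag": flags_frag & 0x1FFF,
        "ip_ttl": ttl, "ip_proto": proto,
    }
    l4 = raw[14 + ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport, _seq, _ack, off_flags, win, _csum, urg = struct.unpack("!HHIIHHHH", l4[:20])
        fields.update({"tcp_sport": sport, "tcp_dport": dport, "tcp_off": off_flags >> 12,
                       "tcp_flags": off_flags & 0x3F, "tcp_win": win, "tcp_urg": urg})
        return "TCP", fields
    if proto == 17 and len(l4) >= 8:
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        fields.update({"udp_sport": sport, "udp_dport": dport, "udp_len": ulen})
        return "UDP", fields
    if proto == 1 and len(l4) >= 4:
        itype, icode = struct.unpack("!BB", l4[:2])
        fields.update({"icmp_type": itype, "icmp_code": icode})
        return "ICMP", fields
    return None


class ProtocolHeaderModel:
    """One baseline per protocol: the set of values seen for each header field."""

    def __init__(self):
        self.seen = defaultdict(lambda: defaultdict(set))  # proto -> field -> values
        self.n = defaultdict(int)                           # proto -> packets trained on

    def train(self, raw: bytes) -> None:
        parsed = parse_packet(raw)
        if parsed is None:
            return
        proto, fields = parsed
        self.n[proto] += 1
        for name, value in fields.items():
            self.seen[proto][name].add(value)

    def score(self, raw: bytes):
        """Return (proto, packet score, {field: rating}) for a test packet.

        A field value never seen in training for this protocol is rated n/r
        (assumed stand-in rating, see lead-in); the packet score is the sum.
        """
        parsed = parse_packet(raw)
        if parsed is None:
            return None, 0.0, {}
        proto, fields = parsed
        n = self.n[proto]
        anomalies = {}
        for name, value in fields.items():
            values = self.seen[proto][name]
            if value not in values:
                anomalies[name] = n / len(values) if values else 1.0
        return proto, sum(anomalies.values()), anomalies


def build_packet(proto, ttl=64, frag=0, **l4):
    """Constructed test frame (Ethernet + IPv4 + one of TCP/UDP/ICMP), checksums zeroed."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("6677889900aa") + b"\x08\x00"
    if proto == "TCP":
        pnum, l4b = 6, struct.pack("!HHIIHHHH", l4.get("sport", 40000), l4.get("dport", 80),
                                   1, 0, (5 << 12) | l4.get("flags", 0x02), 65535, 0, l4.get("urg", 0))
    elif proto == "UDP":
        pnum, l4b = 17, struct.pack("!HHHH", l4.get("sport", 40000), l4.get("dport", 53), 8, 0)
    else:
        pnum, l4b = 1, struct.pack("!BBHHH", l4.get("icmp_type", 8), l4.get("icmp_code", 0), 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4b), 1, frag, ttl, pnum, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + l4b


def train_baseline(model: ProtocolHeaderModel) -> None:
    """Constructed benign traffic: SYNs to 80/443 from two TTLs, DNS over UDP, ICMP echo."""
    for sport in range(40000, 40010):
        for dport, ttl in ((80, 64), (443, 128)):
            model.train(build_packet("TCP", ttl=ttl, sport=sport, dport=dport, flags=0x02))
        model.train(build_packet("UDP", ttl=64, sport=sport, dport=53))
    for _ in range(5):
        model.train(build_packet("ICMP", ttl=64, icmp_type=8, icmp_code=0))


if __name__ == "__main__":
    model = ProtocolHeaderModel()
    train_baseline(model)
    probes = {
        "TCP SYN|FIN to 80": build_packet("TCP", sport=40000, dport=80, flags=0x03),
        "TCP SYN|FIN, TTL 255": build_packet("TCP", ttl=255, sport=40000, dport=80, flags=0x03),
        "ICMP timestamp request": build_packet("ICMP", icmp_type=13, icmp_code=0),
        "normal DNS query": build_packet("UDP", sport=40005, dport=53),
    }
    for label, frame in probes.items():
        print(label, model.score(frame))
```

The two TCP probes show the point of rating fields individually: the SYN|FIN flag combination alone scores 20.0 (20 training TCP packets, one flag value ever seen), and adding an unseen TTL of 255 raises the same packet to 30.0 rather than merely marking it anomalous, which is what lets a set of detected packets be ordered by degree of maliciousness. A field with many legitimate values (here the source port, r = 10) contributes a proportionally smaller rating when it does deviate.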

1 Introduction

Intrusion Detection System (IDS) technologies have contributed a great deal to the network security domain, which became a much discussed topic after the wave of the infamous 'Code Red' worm and its like, i.e. self-propagating malicious code that flooded and choked Internet traffic and had a nearly catastrophic effect on Internet-connected network infrastructures in the early part of this decade. Two major technologies commonly used in the design and development of an IDS are signature-based and anomaly-based detection. Our IDS model focuses on the anomalous behaviour of packet headers, which differs depending on the protocol used to transmit a particular packet at the network and transport layers.

In this experiment we used the MIT Lincoln Lab 1999 off-line intrusion detection evaluation data set [1] as the training and testing data, since this data set has become a de facto standard test set in the IDS research community. Many well documented experiments have been published using it, e.g. [2], [3], [4], [5], [6], [7], [8] and [9]. By using a carefully crafted, publicly available data set with a large quantity of rich background traffic, we expect the results of our experiment to be readily comparable with the results published by a number of researchers from renowned research institutions.

F. Bao et al. (Eds.): CANS 2007, LNCS 4856, pp. 209–227, 2007. © Springer-Verlag Berlin Heidelberg 2007


S.B. Shamsuddin and M.E. Woodward

The rest of the paper is organized as follows. In section 2 we discuss related work in intrusion detection systems. In section 3 we describe the PbPHAD model, including its design concept, process flow and statistical modelling. In section 4 we discuss the PbPHAD experimental results on the 1999 DARPA evaluation data set. In section 5 we compare the PbPHAD results with the best system results of the 1999 DARPA IDS evaluation on poorly detected attacks. In section 6 we present the conclusions of our experiment, and in section 7 our future work.

2 Related Work

The fundamental inspiration behind our experiment was drawn fro