Mining Frequency Content of Network Traffic for Intrusion Detection

This paper presents a novel network intrusion detection method that searches for frequency patterns within the time series created by network traffic signals. The new strategy is aimed at, but not limited to, detecting DoS and Probe attacks. The detection method is based on the observation that such attacks are most likely driven by scripted code, which often results in periodic patterns in either the packet streams or the connection arrivals. Thus, by applying Fourier analysis to the time series created by network traffic signals, we can identify whether periodic patterns exist in the traffic. We demonstrate the effectiveness of this frequency-mining strategy on the synthetic network intrusion data from the DARPA datasets. The experimental results indicate that the proposed intrusion detection strategy is effective at detecting anomalous traffic in large-scale time series data that exhibit patterns over time. Our strategy does not depend on prior knowledge of attack signatures, so it has the potential to supplement any signature-based intrusion detection system (IDS) or firewall.
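The following is an added illustration of the frequency-mining idea, not code from the paper: connection arrivals are binned into a time series, a DFT power spectrum is computed (an FFT would be used in practice), and a dominant spectral line relative to the mean spectral power is flagged as periodicity. The window, bin width, threshold, the uniform background and the two-packet scripted probe are constructed assumptions.

```python
import cmath, random

def bin_arrivals(timestamps, bin_width, window):
    """Count arrivals (seconds) per fixed-width bin: the traffic time series."""
    n_bins = int(round(window / bin_width))
    series = [0] * n_bins
    for t in timestamps:
        k = int(t / bin_width)
        if 0 <= k < n_bins:
            series[k] += 1
    return series

def power_spectrum(series):
    """O(N^2) DFT power for k = 1..N//2 (DC excluded); an FFT gives the same."""
    n = len(series)
    out = []
    for k in range(1, n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * cmath.pi * k * t / n)
                  for t, x in enumerate(series))
        out.append((k, abs(acc) ** 2))
    return out

def periodicity_score(series, bin_width, threshold=15.0):
    """Strongest spectral line relative to the mean spectral power.
    Returns (flagged, dominant_frequency_hz, score); the threshold is assumed."""
    spectrum = power_spectrum(series)
    mean_power = sum(p for _, p in spectrum) / len(spectrum)
    if mean_power <= 0.0:  # flat or empty series: nothing to rank
        return False, 0.0, 0.0
    k, peak = max(spectrum, key=lambda kp: kp[1])
    score = peak / mean_power
    return score >= threshold, k / (len(series) * bin_width), score

WINDOW, BIN = 100.0, 0.2  # constructed traffic: 100 s at 0.2 s resolution -> 500 bins

def background(n_events, seed=1):
    """Unstructured background: arrivals scattered uniformly over the window."""
    rng = random.Random(seed)
    return [rng.uniform(0, WINDOW) for _ in range(n_events)]

def scripted_probe(interval=1.0):
    """Scripted scanner: a probe plus a follow-up packet 0.2 s later, repeated
    every `interval` seconds (timestamps sit mid-bin to avoid edge rounding)."""
    starts = [i * interval for i in range(int(WINDOW / interval))]
    return [t + off for t in starts for off in (0.1, 0.3)]

if __name__ == "__main__":
    for name, ev in (("normal", background(400)), ("attack", background(400) + scripted_probe())):
        print(name, periodicity_score(bin_arrivals(ev, BIN, WINDOW), BIN))
```

For the constructed input the attack series is flagged with a dominant line at 1.0 Hz (the probe interval), while the background-only series stays below the threshold.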
