Approximate autoregressive modeling for network attack detection

This paper presents a technique for creating an ARX model of network signals and using it to detect network anomalies caused by intrusions. Network signals are non-stationary, highly volatile and hard to model using traditional methods. We present our own modeling technique using a combination of system identification theory and wavelet approximation. We also present the results of a prototype implementation applied to the 1999 DARPA intrusion detection evaluation data set. We verify that the technique is viable for anomaly-based intrusion detection and can contribute to defense in depth in a network. The proposed technique is online, generic and can be used with many other network signals, such as bandwidth consumption, rate of flow arrival or SNMP variables. Moreover, it requires minimal expertise on the part of the network administrator and automatically adapts to the underlying network behavior.
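
As an added illustration of the approach the abstract describes, and not the paper's own code: an ARX model of a constructed SYN-rate signal is identified by least squares on an attack-free window, and later samples raise an alarm when the one-step prediction error exceeds a multiple of the training residual spread. The paper's wavelet approximation step is not reproduced here; the signal names, model orders (na = 2, nb = 1), threshold factor and the injected flood are all assumptions.

```python
import math
import random

def arx_regressors(y, u, na, nb):
    """Rows phi(t) = [-y(t-1..t-na), u(t-1..t-nb)], targets y(t), times t, for t >= max(na, nb)."""
    rows, targets, times = [], [], []
    for t in range(max(na, nb), len(y)):
        rows.append([-y[t - i] for i in range(1, na + 1)] + [u[t - j] for j in range(1, nb + 1)])
        targets.append(y[t]); times.append(t)
    return rows, targets, times

def least_squares(rows, targets):
    """theta minimising ||Phi theta - y||^2, via the normal equations and Gauss-Jordan elimination."""
    n = len(rows[0])
    A = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    b = [sum(r[i] * t for r, t in zip(rows, targets)) for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))   # partial pivoting
        A[c], A[p], b[c], b[p] = A[p], A[c], b[p], b[c]
        for r in range(n):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [x - f * z for x, z in zip(A[r], A[c])]; b[r] -= f * b[c]
    return [b[i] / A[i][i] for i in range(n)]

def fit_arx(y, u, train_end, na=2, nb=1):
    """Identify ARX(na, nb) on the attack-free window [0, train_end); return (theta, residual sigma)."""
    rows, targets, _ = arx_regressors(y[:train_end], u[:train_end], na, nb)
    theta = least_squares(rows, targets)
    res = [t - sum(p * w for p, w in zip(r, theta)) for r, t in zip(rows, targets)]
    return theta, math.sqrt(sum(e * e for e in res) / len(res))

def detect(y, u, theta, sigma, start, na=2, nb=1, k=5.0):
    """Times t >= start whose one-step prediction error exceeds k * sigma (anomaly alarms)."""
    rows, targets, times = arx_regressors(y, u, na, nb)
    return [t for r, yt, t in zip(rows, targets, times)
            if t >= start and abs(yt - sum(p * w for p, w in zip(r, theta))) > k * sigma]

def constructed_signals(n=600, flood=(500, 510), seed=7):
    """Constructed data (assumption): u = flow-arrival rate, y = SYN rate from an ARX process, plus a flood."""
    random.seed(seed)
    u = [20 + 5 * math.sin(t / 10) + random.gauss(0, 1) for t in range(n)]
    y = [10.0, 10.0]
    for t in range(2, n):
        y.append(0.6 * y[t - 1] - 0.2 * y[t - 2] + 0.5 * u[t - 1] + random.gauss(0, 1))
    for t in range(*flood):
        y[t] += 40.0        # SYN flood: a sustained jump the identified model cannot explain
    return y, u
```

Fit on the first 400 samples with `fit_arx(y, u, 400)` and score the rest with `detect(y, u, theta, sigma, 400)`; the alarms begin at t = 500, where the constructed flood starts, and the identified coefficients are close to the generating values (a1 = -0.6, a2 = 0.2, b1 = 0.5).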
