A Nonparametric Multichart CUSUM Test for Rapid Intrusion Detection

An efficient sequential nonparametric multichart (multichannel) CUSUM-type detection test for detecting changes in multichannel sensor systems is proposed. While there is a wide spectrum of applications where it is necessary to consider multichannel generalizations and general statistical models in change-point detection problems, the study in this paper is motivated by network security. Many kinds of intrusions in computer networks lead to abrupt changes in network traffic. These changes have to be detected as rapidly as possible while keeping the false alarm rate at a low level. Computer intrusion detection therefore calls for a nonparametric multichannel change-point detection test that does not rely on exact legitimate (pre-change) and attack (post-change) traffic models. The proposed nonparametric detection procedure can be effectively applied to detect a wide variety of attacks, such as external denial-of-service attacks, worm-based attacks, port scanning, and insider man-in-the-middle attacks. Operating characteristics of the proposed multichannel CUSUM test are evaluated on real denial-of-service attacks using traces recently collected by CAIDA. A comparison with a conventional single-channel CUSUM algorithm shows that the multichannel test has much better performance.
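The multichart idea described above, as an added illustration that is not code from the paper: one CUSUM chart per traffic channel, each scored by the standardized deviation from a baseline estimated on a legitimate-traffic window minus a drift term, with an alarm as soon as any chart crosses the threshold (this score form, the threshold `h`, the drift `c` and the per-bin packet counts are assumptions, not the paper's exact statistic or data). A single-channel CUSUM on the aggregate is run on the same constructed traffic to show why a flood confined to one channel is detected later when it is diluted in the sum.

```python
from statistics import mean, pstdev

def baseline(window):
    """Mean and std of a channel's legitimate-traffic training window
    (nonparametric: no traffic model beyond these two moments)."""
    return mean(window), max(pstdev(window), 1e-9)

def multichart_cusum(channels, train_len, c=0.5, h=8.0):
    """Run one CUSUM chart per channel; raise an alarm as soon as any chart
    reaches h. Returns (alarm_time, channel) or (None, None).
    Score = standardized deviation from baseline minus a drift c, so each
    statistic hovers near zero on legitimate traffic and climbs during a change."""
    bases = [baseline(ch[:train_len]) for ch in channels]
    stats = [0.0] * len(channels)
    for t in range(train_len, len(channels[0])):
        for i, ch in enumerate(channels):
            mu, sigma = bases[i]
            stats[i] = max(0.0, stats[i] + (ch[t] - mu) / sigma - c)
        best = max(range(len(channels)), key=lambda i: stats[i])
        if stats[best] >= h:
            return t, best
    return None, None

def single_cusum(channels, train_len, c=0.5, h=8.0):
    """Conventional single-channel CUSUM on the aggregate (sum over channels)."""
    aggregate = [sum(counts) for counts in zip(*channels)]
    return multichart_cusum([aggregate], train_len, c, h)[0]

def constructed_traffic(n_channels=4, n=80, change_at=60, attacked=2, shift=6):
    """Constructed per-channel packet counts per time bin (not CAIDA data): every
    channel repeats a legitimate pattern; the attacked channel jumps by `shift`
    from bin `change_at` onward."""
    pattern = [10, 12, 9, 11]
    return [[pattern[t % 4] + (shift if i == attacked and t >= change_at else 0)
             for t in range(n)] for i in range(n_channels)]

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("multichart:", multichart_cusum(traffic, 40))  # (61, 2): 2 bins after the change
    print("single    :", single_cusum(traffic, 40))      # 69: the jump is diluted in the sum
```

With the same threshold, neither detector raises a false alarm on the unchanged traffic, so the earlier multichart alarm is a genuine gain in detection delay rather than a trade against false alarms.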
