Anomaly detection through packet header data

Intrusion Detection Systems (IDS) are a crucial and widely deployed part of network security. Signature-based matching mechanisms require that attack patterns have been completely analysed and that the detection knowledge is available beforehand, so to cope with new attacks, IDS tools must be continuously updated with new signature rules. In this paper, we present an anomaly detection technique that uses complex Gaussian coefficients to calculate a threshold for detecting unknown flooding attacks. Network traffic is generated for three situations: a normal light-traffic period, an attacking period, and a heavy-traffic period. The packet counts in the time domain are transformed into complex Gaussian coefficients. The variance of the complex wavelet magnitude at each derivative level significantly characterises the network situation. The technique can be applied to detect unknown DDoS flooding patterns.
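As an added, self-contained illustration of the method the abstract describes (this is not the paper's code), the pure-Python block below takes per-bin packet counts, convolves them with sampled derivatives of the complex Gaussian exp(-it)exp(-t^2) at derivative orders 1 to 3, and uses the variance of the coefficient magnitudes over normal-period windows to set a flooding threshold. The scale, window size, finite-difference derivative, the mean + 3 sigma threshold rule and the constructed traffic levels are all assumptions of this example.

```python
import cmath
import math
import random
import statistics

def cgau_derivative(t, order, h=1e-3):
    # order-th derivative of exp(-i t)*exp(-t^2) by central differences (fine for orders 1..3)
    if order == 0:
        return cmath.exp(-1j * t) * math.exp(-t * t)
    return (cgau_derivative(t + h, order - 1, h)
            - cgau_derivative(t - h, order - 1, h)) / (2 * h)

def cgau_kernel(order, scale):
    # wavelet sampled once per time bin; mean removed so a constant rate gives zero response
    half = int(math.ceil(4 * scale))  # tail beyond 4*scale is ~exp(-16)
    taps = [cgau_derivative(k / scale, order) / math.sqrt(scale)
            for k in range(-half, half + 1)]
    mean = sum(taps) / len(taps)
    return [tap - mean for tap in taps]

def magnitude_variance(counts, order, scale=4.0):
    # variance of |coefficient| across one window ('valid' convolution only)
    kernel = cgau_kernel(order, scale)
    half = len(kernel) // 2
    mags = [abs(sum(kernel[half + k] * counts[n - k] for k in range(-half, half + 1)))
            for n in range(half, len(counts) - half)]
    return statistics.pvariance(mags)

def flood_threshold(baseline_windows, order, k=3.0):
    # threshold from normal-period windows: mean + k * std of their variances
    vs = [magnitude_variance(w, order) for w in baseline_windows]
    return statistics.mean(vs) + k * statistics.pstdev(vs)

def windows(counts, size=64):
    return [counts[i:i + size] for i in range(0, len(counts) - size + 1, size)]

def simulated_traffic(seed=7):
    # constructed per-bin counts (assumed levels): light normal, bursty flood, heavy-but-smooth
    rng = random.Random(seed)
    normal = [max(0, round(20 + rng.gauss(0, 4))) for _ in range(512)]
    flood = [max(0, round(400 + rng.gauss(0, 60))) for _ in range(128)]
    heavy = [max(0, round(200 + rng.gauss(0, 2))) for _ in range(128)]
    return normal, flood, heavy

def classify(order=2):
    # learn the threshold on the normal period, then flag each period's windows
    normal, flood, heavy = simulated_traffic()
    thr = flood_threshold(windows(normal), order)
    flag = lambda period: [magnitude_variance(w, order) > thr for w in windows(period)]
    return {"threshold": thr, "normal": flag(normal), "flood": flag(flood), "heavy": flag(heavy)}
```

Because the kernel has zero mean, the smooth heavy-load period stays below the threshold while the flood's abrupt, large fluctuations drive the magnitude variance far above it; real traffic is burstier than this constructed input, so the window size and k would need tuning on measured data.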
