Dynamic Modeling of Internet Traffic for Intrusion Detection

Computer network traffic is analyzed via state space models and statistical techniques such as linear and nonlinear canonical correlation analyses and mutual information. As an application, the models and the statistical techniques are utilized to detect UDP flooding attacks. This work indicates that mutual information is a powerful tool for the detection of such attacks. Our approach is topology independent and our findings are tested on the so-called dumbbell and parking-lot topologies.
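As an added illustration (not code from the paper), the following computes a windowed mutual-information statistic over constructed per-interval packet counts and flags the window in which a UDP flood begins. The abstract does not say which traffic variables the authors pair, so pairing the UDP packet count with the total packet count, approximating Poisson counts by Gaussians, and the 0.3-bit threshold are assumptions made here.

```python
import math
import random
from collections import Counter


def mutual_information(x, y, bins=4):
    """Plug-in (histogram) estimate of I(X;Y) in bits: each series is cut into
    equal-width bins over its own range, then joint and marginal frequencies
    are used directly. Few bins keep the small-sample bias low."""
    def quantize(v):
        lo, hi = min(v), max(v)
        if hi == lo:
            return [0] * len(v)
        return [min(bins - 1, int((a - lo) / (hi - lo) * bins)) for a in v]
    qx, qy = quantize(x), quantize(y)
    n = len(x)
    px, py, pxy = Counter(qx), Counter(qy), Counter(zip(qx, qy))
    return sum((c / n) * math.log2((c / n) / ((px[i] / n) * (py[j] / n)))
               for (i, j), c in pxy.items())


def windowed_mi(udp, total, window=200):
    """MI between the two series in each non-overlapping window."""
    return [mutual_information(udp[i:i + window], total[i:i + window])
            for i in range(0, len(udp) - window + 1, window)]


def make_traffic(seed=7, intervals=800, flood_start=600, flood_rate=500):
    """Constructed per-interval packet counts (assumption, not measured data):
    Poisson-like background TCP (mean 200) and UDP (mean 20), approximated as
    Gaussians with variance equal to the mean; a UDP flood of flood_rate
    packets per interval is added from flood_start onward."""
    rng = random.Random(seed)
    udp, total = [], []
    for t in range(intervals):
        tcp = rng.gauss(200, math.sqrt(200))
        rate = 20 + (flood_rate if t >= flood_start else 0)
        u = rng.gauss(rate, math.sqrt(rate))
        udp.append(u)
        total.append(tcp + u)
    return udp, total


def detect_flood(udp, total, window=200, threshold=0.3):
    """Flag windows whose UDP/total MI exceeds threshold (assumed rule): under
    normal load the UDP share is small, so the two counts are only weakly
    dependent; once a flood dominates, the total count tracks the UDP count."""
    scores = windowed_mi(udp, total, window)
    return [k for k, s in enumerate(scores) if s > threshold], scores


if __name__ == "__main__":
    udp, total = make_traffic()
    flagged, scores = detect_flood(udp, total)
    print("MI per window (bits):", [round(s, 3) for s in scores])
    print("flagged windows:", flagged)
```

With the constructed series, the three pre-flood windows stay well below the threshold and only the fourth window, where the flood starts, is flagged.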
