New statistical approaches for anomaly detection

Computer security is a growing problem. In recent years, the number and variety of security attacks against IP-based network infrastructures have grown steadily, creating the need for new security architectures. In this scenario, intrusion detection systems (IDSs) have emerged as a key element, since they make it possible to counter threats from masqueraders, misfeasors, and clandestine users. In this paper, we address the problem by considering some new statistical techniques for detecting network anomalies. In more detail, the paper discusses the use of several statistical models to characterize the normal behavior of network traffic running over TCP, so that anomalies can be revealed as significant deviations from that behavior. Specifically, our proposal is based on Markov chains, co-occurrence matrices, and compression algorithms for modeling TCP connections through a statistical analysis of some of the packet header fields. The performance analysis presented in this paper demonstrates the effectiveness of the proposed methods. Copyright © 2009 John Wiley & Sons, Ltd.
