Network Anomaly Detection Based on Wavelet Analysis

Signal processing techniques have recently been applied to analyzing and detecting network anomalies because of their potential to find novel or unknown intrusions. In this paper, we propose a new network signal modelling technique for detecting network anomalies, combining wavelet approximation and system identification theory. To characterize network traffic behaviour, we present fifteen features and use them as the input signals to our system. We then evaluate our approach on the 1999 DARPA intrusion detection dataset and conduct a comprehensive analysis of the intrusions in that dataset. Evaluation results show that the approach achieves high detection rates in terms of both attack instances and attack types. Furthermore, we conduct a full day's evaluation in a real large-scale WiFi ISP network, where five attack types are successfully detected from over 30 million flows.
