Approximate autoregressive modeling for network attack detection

Authors:
Harshit Nayyar;Ali A. Ghorbani
Affiliations:
-;Information Security Center for Excellence, Faculty of Computer Science, University of New Brunswick, P.O. Box 4400, 550 Windsor str., Fredericton, NB, Canada. E-mail: {nayyar.h,ghorbani}@unb.ca
Venue:
Journal of Computer Security - Privacy, Security and Trust (PST) Technologies: Evolution and Challenges
Year:
2008

Citing 15
Cited 0

System identification: theory for the user

System identification: theory for the user
On the self-similar nature of Ethernet traffic

SIGCOMM '93 Conference proceedings on Communications architectures, protocols and applications
Why we don't know how to simulate the Internet

Proceedings of the 29th conference on Winter simulation
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Specification-based anomaly detection: a new approach for detecting network intrusions

Proceedings of the 9th ACM conference on Computer and communications security
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Controlling Intrusion Detection Systems by Generating False Positives: Squealing Proof-of-Concept

LCN '02 Proceedings of the 27th Annual IEEE Conference on Local Computer Networks
Statistical Traffic Modeling for Network Intrusion Detection

MASCOTS '00 Proceedings of the 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems
Learning Rules for Anomaly Detection of Hostile Network Traffic

ICDM '03 Proceedings of the Third IEEE International Conference on Data Mining
Unsupervised learning techniques for an intrusion detection system

Proceedings of the 2004 ACM symposium on Applied computing
On neuro-wavelet modeling

Decision Support Systems - Special issue: Data mining for financial decision making
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
An unsupervised clustering algorithm for intrusion detection

AI'03 Proceedings of the 16th Canadian society for computational studies of intelligence conference on Advances in artificial intelligence
Anomaly detection in IP networks

IEEE Transactions on Signal Processing

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper presents a technique for creating an ARX model of network signals and using it for detecting network anomalies caused by intrusions. Network signals are non-stationary, highly volatile and hard to model using traditional methods. We present our own modeling technique using a combination of system identification theory and wavelet approximation. We also present the results of a prototype implementation applied to 1999 DARPA intrusion detection evaluation data set. We verify that the technique is viable for anomaly based intrusion detection and can contribute to defense in depth in a network. The technique proposed is online, generic and can be used with many other network signals like bandwidth consumption, rate of flow arrival or SNMP variables. Moreover, it requires minimal expertise for use on the part of the network administrator and automatically adapts to the underlying network behavior.