Approximate autoregressive modeling for network attack detection

  • Authors: Harshit Nayyar; Ali A Ghorbani

  • Affiliations: University of New Brunswick, Fredericton, NB, Canada; University of New Brunswick, Fredericton, NB, Canada

  • Venue: Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services

  • Year: 2006

Abstract

This paper presents a technique for creating an ARX model of network signals and using it for detecting network anomalies caused by intrusions. Network signals are non-stationary, highly volatile and hard to model using traditional methods. We present our own modeling technique using a combination of system identification theory and wavelet approximation. We also present the results of a prototype implementation applied to the 1999 DARPA intrusion detection evaluation data set. We verify that the technique is viable for anomaly-based intrusion detection and can contribute to defense in depth in a network. The proposed technique is online and generic, and can be used with many other network signals such as bandwidth consumption, rate of flow arrival or SNMP variables. Moreover, it requires minimal expertise on the part of the network administrator and automatically adapts to the underlying network behavior.