This paper presents a technique for creating an ARX model of network signals and using it to detect network anomalies caused by intrusions. Network signals are non-stationary, highly volatile and hard to model using traditional methods. We present our own modeling technique using a combination of system identification theory and wavelet approximation. We also present the results of a prototype implementation applied to the 1999 DARPA intrusion detection evaluation data set. We verify that the technique is viable for anomaly-based intrusion detection and can contribute to defense in depth in a network. The proposed technique is online and generic, and can be used with many other network signals, such as bandwidth consumption, rate of flow arrival or SNMP variables. Moreover, it requires minimal expertise on the part of the network administrator and automatically adapts to the underlying network behavior.