A new method for detecting anomalies in the usage of protocols in computer networks is presented in this work. The proposed methodology is applied to TCP and consists of two steps. First, the TCP header space is quantized, so that a unique symbol is associated with each TCP segment. TCP-based network traffic is thus captured, quantized and represented by a sequence of symbols. The second step in our approach is the modeling of these sequences by means of a Markov chain. Analysis of the models obtained for diverse TCP sources reveals that they adequately capture the essence of the protocol dynamics. Once the model is built, it can be used as a representation of the normal usage of the protocol, so that deviations from the behavior described by the model can be considered a sign of protocol misuse.
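The two steps described above, as an added example that is not the authors' code. It assumes that the quantized symbol is the segment's six TCP flag bits, that the chain is first-order with add-one smoothing, and that a sequence is scored by its mean log-probability against a fixed threshold; the abstract specifies none of these.

```python
import math
from collections import defaultdict

# Classic TCP flag bits. Using only the flags as the quantized symbol is an
# assumption of this example; the abstract does not give the quantization.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
N_SYMBOLS = 64          # 6 flag bits -> 64 possible symbols
THRESHOLD = -2.0        # assumed cut-off on the mean log-probability

def quantize(flags_byte):
    """Step 1: map one TCP segment to a symbol (here: its 6 flag bits)."""
    return flags_byte & 0x3F

def train(sequences, alpha=1.0):
    """Step 2: first-order Markov chain with add-alpha smoothing."""
    counts = defaultdict(lambda: defaultdict(float))
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1.0
    def prob(a, b):
        row = counts.get(a, {})
        return (row.get(b, 0.0) + alpha) / (sum(row.values()) + alpha * N_SYMBOLS)
    return prob

def score(prob, seq):
    """Mean log-probability per transition; lower = further from the model."""
    steps = list(zip(seq, seq[1:]))
    if not steps:
        return 0.0
    return sum(math.log(prob(a, b)) for a, b in steps) / len(steps)

def is_anomalous(prob, seq, threshold=THRESHOLD):
    return score(prob, seq) < threshold

# Constructed sample data (not captured traffic): flag bytes of two normal
# connections, seen from both directions, with one or two data exchanges.
NORMAL_1 = [SYN, SYN|ACK, ACK, PSH|ACK, ACK, PSH|ACK, ACK, FIN|ACK, ACK, FIN|ACK, ACK]
NORMAL_2 = [SYN, SYN|ACK, ACK, PSH|ACK, ACK, FIN|ACK, ACK, FIN|ACK, ACK]
# Constructed sequence whose transitions never occur in the training data.
ODD = [SYN, FIN|ACK, SYN, RST, SYN|FIN]

MODEL = train([[quantize(f) for f in s] for s in [NORMAL_1, NORMAL_2] * 20])

if __name__ == "__main__":
    for name, seq in [("normal", NORMAL_1), ("odd", ODD)]:
        q = [quantize(f) for f in seq]
        print(name, round(score(MODEL, q), 3), is_anomalous(MODEL, q))
```

Smoothing keeps unseen transitions at a small non-zero probability, so a single novel segment lowers the score without driving it to negative infinity.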