Analysis, detection, and modeling of attacks in computer communication networks

  • Authors:
  • William H. Allen;Gerald A. Marin

  • Venue:
  • Analysis, detection, and modeling of attacks in computer communication networks
  • Year:
  • 2003

Abstract

This dissertation begins with the description and analysis of a certain class of denial of service attacks along with an overview of techniques and tools used to discover and analyze them. Two new solutions to the problem of detecting this type of attack are introduced, developed, and evaluated. We demonstrate that one of these techniques can detect an average of 84% of the attacks and the other detects an average of 96%, all with no occurrence of a false alarm. (In this arena the latter may be more important than the former.) Having experienced first-hand the difficulty of creating a controlled environment for testing new attack detection techniques, we then describe the problems in this area and develop a new tool to be used in modeling and generating attacks. The first detection technique is based on an in-depth analysis of an invariant traffic characteristic that appears to be affected by certain types of network attack. The main benefits of detecting attacks by monitoring traffic invariants are that (1) no prior knowledge of the attack's behavior is needed and (2) no template of ‘normal’ traffic activity is needed. The second technique is based on detecting abnormalities in a measurable traffic characteristic. Although a traffic template is required, this technique does not require prior knowledge of the behavior of attacks, an advantage over some types of anomaly-based detectors.