Preview of pages 63–66.

a spectral-based IDS that filters false detections and confirms true attacks.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671

64 A. G. Tartakovsky

In other words, the methodology is based on using the changepoint detection method for preliminary detection of attacks with low threshold values and a discrete Fourier (or wavelet) transform to reveal periodic patterns in network traffic to confirm the presence of attacks and reject false detections produced by the anomaly IDS. When detection thresholds are low, the AbIDS produces an intense flow of false alarms. However, these false alarms can be tolerated at the level of minutes or even seconds, since they do not lead to real false alarms in the whole system. An alarm in the AbIDS triggers a spectral analyzer. This alarm will either be rejected or confirmed, in which case a final alarm will be raised. Schematically, the system is shown in Figure 2.13.

To summarize, the HASIDS is based on the following principles:

  • Anomaly IDS – Quick Detection with High FAR: In order to detect attacks quickly, the detection threshold in the changepoint detection module is lowered, leading to frequent false alarms that are filtered by a separate algorithm.
  • Signature IDS – False Alarm Filtering: A spectral-based approach, e.g., a Fourier or wavelet spectral analysis module, is used to reject false detections.
  • Changepoint Detection Module: For quick detection with relatively high FAR and triggering spectral analysis algorithms.
  • Spectral Analysis Module: For false alarm filtering/rejection and true attack confirmation.

[Fig. 2.13. Block diagram of the hybrid anomaly–signature intrusion detection system. Blocks shown: "Quickest Changepoint Detection-Based AbIDS with Autoselection and Adaptive Reconfigurable Architecture" and "Signature-Spectral IDS", each fed with "Raw Data".]
Rapid Detection of Attacks by Quickest Changepoint Detection Methods 65

This approach allows us not only to detect attacks with small delays and a low FAR but also to isolate/localize anomalies precisely, e.g., low-rate pulsing attacks. See Figure 2.15 in Subsection 2.4.2 for further details. The results of experiments presented below show that such a combination of the changepoint anomaly- and spectral-signature-based detectors significantly improves the system’s overall performance, reducing the FAR to the minimum and simultaneously guaranteeing very small detection delays.
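The two-stage design described above, as an added example that is not part of the chapter or the book: a one-sided CUSUM changepoint detector run with a deliberately low threshold hands every preliminary alarm to a DFT-based periodicity check, which confirms the alarm only when a candidate pulse period dominates the spectrum of the samples that follow it. The synthetic traffic, every parameter (`MU0`, `DRIFT`, `THRESH_H`, `WINDOW`, `MAX_PERIOD`, `SPECTRAL_RATIO`) and the confirmation statistic (mean energy in the harmonic bins of a candidate period divided by mean energy in the remaining bins) are my assumptions; the chapter's own spectral module is not specified on this page.

```python
# Toy HASIDS: low-threshold CUSUM (anomaly stage) + DFT periodicity check
# (signature stage).  Every parameter and the synthetic traffic are assumptions.
import cmath
import math
import random

MU0 = 20.0             # assumed pre-change mean, packets per second
DRIFT = 1.0            # CUSUM reference value k (about half the noise sigma)
THRESH_H = 4.0         # deliberately LOW CUSUM threshold h: fast detection, high FAR
WINDOW = 64            # samples handed to the spectral analyzer after an alarm
MAX_PERIOD = 16        # longest pulse period (samples) treated as an attack signature
SPECTRAL_RATIO = 10.0  # harmonic-to-background energy ratio needed to confirm


def cusum_alarms(series, mu0=MU0, k=DRIFT, h=THRESH_H):
    """One-sided CUSUM for an upward mean shift: S_n = max(0, S_{n-1} + x_n - mu0 - k).
    Returns the indices where S_n crosses h; S restarts from 0 after each alarm."""
    alarms, s = [], 0.0
    for n, x in enumerate(series):
        s = max(0.0, s + x - mu0 - k)
        if s >= h:
            alarms.append(n)
            s = 0.0
    return alarms


def power_spectrum(window):
    """Naive O(N^2) DFT of the mean-removed window; returns |X_k|^2, k = 0..N-1."""
    n = len(window)
    mean = sum(window) / n
    x = [v - mean for v in window]
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))) ** 2
            for k in range(n)]


def periodicity_score(spec, period, k_min):
    """Mean energy in the harmonic bins of `period` over mean energy in the other
    bins of [k_min, N/2].  Close to 1 for white noise, large for a pulse train."""
    n = len(spec)
    fundamental = n // period
    band = range(k_min, n // 2 + 1)
    harm = [spec[k] for k in band if k % fundamental == 0]
    rest = [spec[k] for k in band if k % fundamental != 0]
    if not harm or not rest:
        return 0.0
    num, den = sum(harm) / len(harm), sum(rest) / len(rest)
    if den == 0.0:
        return math.inf if num > 0 else 0.0
    return num / den


def spectral_confirm(window, max_period=MAX_PERIOD, ratio=SPECTRAL_RATIO):
    """Signature stage: confirm only if some candidate pulse period dominates the
    spectrum.  Returns (confirmed, best_period, best_score)."""
    n = len(window)
    spec = power_spectrum(window)
    k_min = n // max_period  # drop bins below 1/max_period: slow trends are not pulsing
    best_period, best_score = None, 0.0
    for period in range(2, max_period + 1):
        if n % period == 0:  # only periods whose fundamental lands on a DFT bin
            score = periodicity_score(spec, period, k_min)
            if score > best_score:
                best_period, best_score = period, score
    return best_score >= ratio, best_period, best_score


def run_hasids(series, window=WINDOW):
    """Pipeline: each CUSUM alarm sends the next `window` samples to the spectral
    analyzer.  Returns a list of (alarm_index, confirmed, period, score)."""
    results = []
    for t in cusum_alarms(series):
        seg = series[t:t + window]
        if len(seg) < window:                   # too little data left to judge
            results.append((t, False, None, 0.0))
            continue
        confirmed, period, score = spectral_confirm(seg)
        results.append((t, confirmed, period, score))
    return results


def make_traffic(seed=1, length=400):
    """Constructed packets/s series: Gaussian background around MU0, a benign
    one-off burst at t=100..109, and a low-rate pulsing attack (+40 every 8 s)
    for t=200..299."""
    rng = random.Random(seed)
    series = [max(0, round(MU0 + rng.gauss(0, 2))) for _ in range(length)]
    for t in range(100, 110):
        series[t] += 15
    for t in range(200, 300, 8):
        series[t] += 40
    return series


if __name__ == "__main__":
    for t, ok, period, score in run_hasids(make_traffic()):
        verdict = f"CONFIRMED period={period}" if ok else "rejected"
        print(f"alarm t={t:3d}  {verdict:20s} score={score:.1f}")
```

Running the script shows the division of labour the text describes: the low threshold makes the CUSUM stage fire on background noise and on the one-off burst at t=100, but none of those windows has harmonic structure, so the spectral stage rejects them, while the alarm raised on the first attack pulse at t=200 is confirmed with period 8. Two design points matter for the rejection step: bins below 1/`MAX_PERIOD` are excluded so that a slow transient (which concentrates energy at the lowest frequencies) cannot pass as periodicity, and the score is a mean-per-bin ratio, so a candidate period is not rewarded merely for claiming more bins. Note also that an alarm whose window already overlaps the attack onset can be confirmed even though the alarm itself came from noise; the window, not the alarm index, carries the evidence, which is what lets the system localize the pulsing anomaly.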