Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing: eBook Collection (EBSCOhost), AN: 779681; Heard, Nicholas; Adams, Niall M.; Data Analysis for Network Cyber-security.

not only for detecting attacks quickly but also for isolating closely located anomalies. Figure 2.15 illustrates the detection by the change detection-based AbIDS (Figure 2.15(b)) and by the HASIDS (Figure 2.15(c)). Figure 2.15(b) shows that the anomaly IDS detects the first pulse but misses the second one because the threshold in the anomaly detector is high to guarantee the given low FAR. With the selected threshold, this trace shows no false alarms. If the threshold is lowered, as it is in Figure 2.15(c),
Rapid Detection of Attacks by Quickest Changepoint Detection Methods

both segments of the attack are perfectly detected and localized. However, this brings many false alarms at the output of the changepoint detection-based AbIDS. What can be done? The hybrid IDS offers an answer. The FFT (fast Fourier transform) spectral module is triggered by the AbIDS when detections (false or true) occur. In this particular experiment, all false alarms were filtered by the FFT spectral analyzer. This allowed us to lower the detection threshold in the AbIDS and, as a result, detect both pulses with a very small detection delay and with no increase in FAR, since in the hybrid system false alarms were filtered by the spectral module (see Figure 2.15(c)).

[Fig. 2.15. Detection of a short UDP DoS attack with AbIDS and HASIDS. The second "pulse" is missed by the AbIDS but not by the HASIDS. (a) Raw data – packet rate (t, sec vs. packets per second; "First Attack Starts" and "Second Attack Starts" marked). (b) Detection by AbIDS (n, sec (sample) vs. W_n; "First Attack Detected Instantaneously", "Second Attack Missed", "No False Alarms"). (c) Detection by HASIDS (n, sec (sample) vs. W_n; "First Attack Detected", "Second Attack Detected", "More False Alarms").]
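The hybrid scheme described above, as an added example that is not code from the chapter: a score-based CUSUM run over a constructed packet-rate trace at a high and at a lowered threshold, with an FFT module that confirms or rejects each alarm. The spectral criterion (a periodic flood cadence concentrating power in one FFT bin), the rates, thresholds, window length and the benign surge used as the false-alarm source are assumptions of this example, not the chapter's values.

```python
# Hybrid anomaly-signature IDS sketch: score-based CUSUM on a packet-rate
# trace, each alarm checked by an FFT module. Constructed data, assumed values.
import numpy as np

MU0, SIGMA = 30_000.0, 500.0   # assumed normal packet rate (pps) and its std. dev.
DELTA = 4_000.0                # mean shift the CUSUM score is tuned for (assumed)
PERIOD, W_LEN = 4, 8           # assumed flood cadence (s) and FFT window (samples)
K_SIG = W_LEN // PERIOD        # FFT bin in which that cadence shows up
H_HIGH, H_LOW = 800.0, 80.0    # "low FAR" threshold vs. the lowered threshold

def make_trace(seed=7):
    """Constructed 120 s trace: two periodic floods plus one flat benign surge."""
    rng = np.random.default_rng(seed)
    rate = MU0 + rng.normal(0.0, SIGMA, 120)
    def flood(amp, length):    # assumed tool-like on/off cadence, mean lift = amp
        return amp * (1 + np.cos(2 * np.pi * np.arange(length) / PERIOD))
    rate[20:40] += flood(20_000.0, 20)  # strong first pulse
    rate[70:82] += flood(5_000.0, 12)   # weak, short second pulse
    rate[100:108] += 5_000.0            # benign surge: same mean lift, no cadence
    return rate

def cusum_alarms(rate, h):
    """W_n = max(0, W_{n-1} + s_n), Gaussian mean-shift score; alarm at W_n >= h, restart."""
    w, alarms = 0.0, []
    for n, x in enumerate(rate):
        w = max(0.0, w + DELTA / SIGMA ** 2 * (x - MU0 - DELTA / 2))
        if w >= h:
            alarms.append(n)
            w = 0.0
    return alarms

def has_spectral_signature(rate, n, tau=0.6):
    """Assumed signature test: share of AC power in bin K_SIG of the window after
    the alarm. A periodic flood concentrates power there; a flat surge does not."""
    win = rate[n:n + W_LEN]
    if len(win) < W_LEN:
        return False
    spec = np.abs(np.fft.rfft(win - win.mean())) ** 2
    return spec[K_SIG] / spec[1:].sum() >= tau

def hybrid(rate, h=H_LOW):
    """Lowered-threshold CUSUM; each alarm goes to the FFT module unless it falls
    inside an episode that was already confirmed."""
    confirmed, rejected, busy_until = [], [], -1
    for n in cusum_alarms(rate, h):
        if n < busy_until:
            busy_until = n + W_LEN       # same episode, still running
        elif has_spectral_signature(rate, n):
            confirmed.append(n)
            busy_until = n + W_LEN
        else:
            rejected.append(n)
    return confirmed, rejected
RATE = make_trace()
```

At H_HIGH the CUSUM alone catches the first pulse and misses the weak second one; at H_LOW it catches both plus the benign surge, and the FFT module rejects only the surge.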
A. G. Tartakovsky

2.5. Conclusion

The experimental study shows that the proposed AbIDS, which exploits score-based CUSUM and SR changepoint detection methods, is robust and efficient for detecting a multitude of computer intrusions, e.g., UDP, ICMP, and TCP SYN DDoS attacks as well as spammers. More importantly, devising the hybrid anomaly–signature IDS that fuses quickest change detection techniques with spectral signal processing methods solves both aspects of the intrusion detection problem. It achieves unprecedented speeds of detec-