Case there is no recursive structure and there are

Info icon This preview shows pages 47–49. Sign up to view the full content.

case there is no recursive structure, and there are computational difficulties. Luckily, in most computer intrusion applications the minimal intensity of attacks is rather high. For example, DoS attacks attempt to overflow servers, so a quite intense data flow is transmitted. Then one may tune the IDS to an expected minimal intensity, and the real intensity will be typically much higher, in which case further optimization is unnecessary. Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
Image of page 47

Info icon This preview has intentionally blurred sections. Sign up to view the full version.

48 A. G. Tartakovsky 2.3. Anomaly-based IDS 2.3.1. CUSUM and SR score-based algorithms Changepoint detection theory is straightforward to implement in the con- text of intrusion detection in computer networks. As discussed above, net- work anomalies take place at unknown points in time and produce abrupt changes in statistical properties of traffic data. In network monitoring, one can observe various informative features from packet headers, e.g., packet size, source IP address, destination IP address, source port, destination port, types of protocols (e.g., ICMP, UDP, TCP), etc. In the case of user diagram protocol (UDP) flooding attacks, potentially useful observables include packet sizes, source ports, destination ports, and destination pre- fix. In the case of transmission control protocol (TCP) flooding attacks, conceivably we could have multiple channels that record counts of different flags (SYN, ACK, PUSH, RST, FIN, URG) from TCP header. Another plausible observable is a number of half-open connections for the detection of SYN flooding attacks. We could also have channels that keep track of the discrepancies in TCP SYN-FIN or TCP SYN-RST pairs. Furthermore, in order to detect file-sharing, we could monitor arrival (e.g., packet, byte or flow) counts, port numbers, and source-destination prefixes. Hence, we consider the problem of anomaly detection in computer net- works a quickest changepoint detection problem: to detect changes in net- work traffic as rapidly as possible while maintaining a tolerable level of false alarms. In network security, however, the behavior of both pre- and post-attack traffic is poorly understood; as a result, typically neither the pre- nor post- change distributions are known. Consequently, one can no longer rely on the LR (2.1), demanding an alternative approach based on replacing the LR with appropriate statistics that we refer to as scores. To understand the idea behind constructing score-based statistics, consider the typical behavior of the LR-based CUSUM and SR procedures. It suffices to consider CUSUM W n since log R n evolves similarly. As long as the observed process { X n } n 1 is “in-control”, W n fluctuates not far from the zero reflection barrier as if it
Image of page 48
Image of page 49
This is the end of the preview. Sign up to access the rest of the document.
  • Spring '12
  • Kushal Kanwar
  • Graph Theory, Statistical hypothesis testing, Imperial College Press, applicable copyright law

{[ snackBarMessage ]}

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern