attack – there are two false detections produced by CUSUM, while none by SR.

Copyright © 2014 Imperial College Press. All rights reserved. Heard, Nicholas; Adams, Niall M. (eds), Data Analysis for Network Cyber-security.
Rapid Detection of Attacks by Quickest Changepoint Detection Methods

2.4. Hybrid Anomaly–Signature IDS

2.4.1. IDS structure

Since in real life legitimate traffic dominates, comparing various AbIDSs using the multi-cyclic approach and the stationary average detection delay (2.9) is the most appropriate method for cyber-security applications. However, even an optimal changepoint detection method is subject to large detection delays if the FAR is maintained at a low level. Hence, as we have already mentioned, employing one such scheme alone will lead to multiple false detections, or, if detection thresholds are increased to lower the FAR, the delays will be too large, and attacks may proceed undetected. Could one combine changepoint detection techniques with other methods that offer very low FAR but are too time-consuming to use at line speeds? Do such synergistic anomaly detection systems exist, and if so, how can they be fused?

In this section, we answer these questions by devising a novel approach to intrusion detection based on a two-stage hybrid anomaly–signature IDS (HASIDS) with profiling, false alarm filtering, and true attack confirmation capabilities. Specifically, consider complementing a changepoint-detection-based AbIDS with a flow-based signature IDS that examines the traffic's spectral profile and reacts to changes in spectral characteristics of the data. The main idea is to integrate anomaly- and spectral-signature-based detection methods so that the resulting HASIDS overcomes the shortcomings of current IDSs. We propose using "flow-based" signatures in conjunction with anomaly-based detection algorithms. In particular, Fourier and wavelet spectral signatures and related spectral analysis techniques can be exploited, as shown in Hussain et al. (2003, 2006) and He et al. (2009). This approach is drastically different from traditional signature-based systems because it depends not on packet content but on communication patterns alone.
At the first stage, we use either the CUSUM or the SR multi-cyclic (repeated) changepoint detection algorithm to detect traffic anomalies. Recall that in network security applications it is of utmost importance to detect very rapidly attacks that may occur in the distant future (using repeated application of the same anomaly-based detection algorithm); in this case the true detection of a real change is preceded by a long interval with frequent false alarms that should be filtered (rejected) by a separate algorithm. This latter algorithm is based on spectral signatures, so at the second stage we exploit a spectral-based IDS that filters false detections and confirms true attacks.
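The two-stage structure described above, as a constructed, runnable sketch added here (this is not code from the chapter or its authors). Stage 1 runs a multi-cyclic CUSUM or Shiryaev–Roberts (SR) statistic over a per-second packet-rate series and resets after every alarm; stage 2 takes the window of samples following each alarm and applies a simple spectral check. Everything specific is an assumption of this example: the Gaussian mean-shift model (means 100 and 120, standard deviation 10), the thresholds h = 8 and A = 10^4, the constructed series (a short legitimate burst before the change and an attack whose rate cycles 130, 120, 110, 120 so that it has a distinctive spectral profile), and the stage-2 statistic, which is the fraction of non-DC power in the strongest DFT bin standing in for a full flow-based spectral signature. In this series the burst trips CUSUM but not SR, the spectral filter rejects that alarm, and alarms raised during the attack are confirmed; alarms too close to the end of the data for a full window are left undecided rather than guessed.

```python
"""Two-stage hybrid anomaly-signature IDS (HASIDS) sketch.

Stage 1: multi-cyclic CUSUM or Shiryaev-Roberts (SR) changepoint detection on a
per-second packet-rate series.  Stage 2: a spectral (DFT) check on the window that
follows each alarm, rejecting false alarms and confirming attacks.
Constructed illustration; not code from the book chapter.
"""
import cmath
import math

# Constructed traffic model (assumption of this example): packet rates that are
# roughly Gaussian with the same variance before and after the change.
MU0, MU1, SIGMA = 100.0, 120.0, 10.0   # pre-change mean, post-change mean, std dev
CHANGEPOINT = 30                       # first attack observation in the constructed series


def make_series():
    """Constructed packet-rate series: baseline 100 pkt/s, a short legitimate burst
    at t=10..12, and from t=30 an attack whose rate cycles 130,120,110,120 (mean 120).
    The cyclic pattern is what gives the attack a distinctive spectral profile."""
    x = [MU0] * CHANGEPOINT
    for t in (10, 11, 12):
        x[t] = 125.0
    pattern = [130.0, 120.0, 110.0, 120.0]
    x += [pattern[j % 4] for j in range(30)]
    return x


def llr(v):
    """Log-likelihood ratio of one observation for a Gaussian mean shift MU0 -> MU1."""
    return (MU1 - MU0) * (v - (MU0 + MU1) / 2) / SIGMA ** 2


def cusum_multicyclic(x, h):
    """Repeated CUSUM: W_n = max(0, W_{n-1} + llr(x_n)); alarm when W_n >= h, then
    reset to zero and keep monitoring.  Returns the list of alarm indices."""
    alarms, w = [], 0.0
    for t, v in enumerate(x):
        w = max(0.0, w + llr(v))
        if w >= h:
            alarms.append(t)
            w = 0.0
    return alarms


def sr_multicyclic(x, a):
    """Repeated Shiryaev-Roberts: R_n = (1 + R_{n-1}) * exp(llr(x_n)); alarm when
    R_n >= a, then reset to zero.  Returns the list of alarm indices."""
    alarms, r = [], 0.0
    for t, v in enumerate(x):
        r = (1.0 + r) * math.exp(llr(v))
        if r >= a:
            alarms.append(t)
            r = 0.0
    return alarms


def spectral_concentration(window):
    """Fraction of the non-DC power (DFT bins 1..L/2) carried by the strongest bin.
    A periodic attack stream concentrates power in one bin; a one-off burst spreads
    it evenly.  Returns 0.0 for a constant window (no power at all)."""
    n = len(window)
    mean = sum(window) / n
    d = [v - mean for v in window]          # remove the DC component
    powers = []
    for k in range(1, n // 2 + 1):
        xk = sum(d[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        powers.append(abs(xk) ** 2)
    total = sum(powers)
    return max(powers) / total if total > 0 else 0.0


def confirm_alarm(x, t, window_len=16, min_concentration=0.5):
    """Stage 2: examine the window_len samples starting at alarm time t.  Returns True
    (attack confirmed), False (filtered as a false alarm) or None (not enough data)."""
    if t + window_len > len(x):
        return None
    return spectral_concentration(x[t:t + window_len]) >= min_concentration


def hasids(x, detector, threshold):
    """Run stage 1 with the given detector, then pass every alarm through stage 2.
    Returns (all stage-1 alarms, confirmed alarms, rejected alarms)."""
    alarms = detector(x, threshold)
    verdicts = {t: confirm_alarm(x, t) for t in alarms}
    confirmed = [t for t, v in verdicts.items() if v is True]
    rejected = [t for t, v in verdicts.items() if v is False]
    return alarms, confirmed, rejected


if __name__ == "__main__":
    series = make_series()
    for name, det, thr in (("CUSUM", cusum_multicyclic, 8.0), ("SR", sr_multicyclic, 1e4)):
        alarms, confirmed, rejected = hasids(series, det, thr)
        print(name, "stage-1 alarms:", alarms)
        print("   false alarms before t=%d:" % CHANGEPOINT, [t for t in alarms if t < CHANGEPOINT])
        print("   confirmed by spectral filter:", confirmed, " rejected:", rejected)
```

Because both detectors are multi-cyclic, they keep firing every few samples for as long as the attack persists; the detection delay of interest is the distance from the changepoint to the first post-change alarm (3 samples for CUSUM at h = 8, 4 for SR at A = 10^4 on this series). Raising h or A would suppress the burst-induced CUSUM alarm but lengthen that delay, which is exactly the trade-off the text motivates handing to a second stage.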