DocumentCode
1719033
Title
Needles in Haystacks: Practical Intrusion Detection from Theoretical Results
Author
Marin, Gerald A. ; Allen, William H.
Author_Institution
Florida Inst. of Technol.
fYear
2006
Firstpage
571
Lastpage
573
Abstract
Many researchers are working towards discovering techniques that can alert network administrators to the presence of previously unseen attacks in their networks. Here we focus on attacks, such as denial-of-service attacks, that depend on multiple packets being sent over minutes or, at least, several seconds. No definitive technique has been demonstrated that can guarantee a substantial probability of detection while keeping probability of false alarm at an acceptable level. However, theoretical work by Li, Jia, and Zhao (referenced below) describes an interesting approach based on observing changes to autocorrelations obtained over time from measured traffic. Their work provides a theoretical way of estimating probability of detection vs. probability of false alarm. They make assumptions concerning availability of a background template and normality of residuals that bear examining with real traffic and attacks. This paper attempts a practical approach
Keywords
security of data; denial-of-service attack; intrusion detection; network administration; Autocorrelation; Estimation theory; Home appliances; Intrusion detection; Marine technology; Needles; Probability; Radar detection; Switches; Time measurement;
fLanguage
English
Publisher
ieee
Conference_Titel
Local Computer Networks, Proceedings 2006 31st IEEE Conference on
Conference_Location
Tampa, FL
ISSN
0742-1303
Print_ISBN
1-4244-0418-5
Electronic_ISBN
0742-1303
Type
conf
DOI
10.1109/LCN.2006.322016
Filename
4116621