Title :
Early statistical anomaly intrusion detection of DOS attacks using MIB traffic parameters
Author :
Li, Jun ; Manikopoulos, Constantine
Author_Institution :
Dept. of Electr. & Comput. Eng., New Jersey Inst. of Technol., Newark, NJ, USA
Abstract :
We investigate the statistical anomaly detection of DOS computer network attacks using only the MIB II supplied traffic parameters of SNMP, as carried out by MAID. MAID is a hierarchical, multitier, multi-observation-window, anomaly-based network intrusion detection system, prototyped in our laboratory for the US Army's tactical Internet. MAID monitors several MIB II supplied network traffic parameters simultaneously, constructs a probability density function (PDF) for each, statistically compares it to a reference PDF of normal behavior using a similarity metric, then combines the results into an anomaly status vector that is classified by a neural network classifier. The data used here derive from many experiments carried out in our network testbed facility, monitoring 27 MIB traffic parameters simultaneously and focusing on the Denial of Service (DOS) class of attacks, including UDP, ICMP and TCP flooding attacks. We further focused on the anomaly detector and specifically on two issues: (a) the effectiveness of some alternative similarity metrics and (b) early detection, i.e., detection at low values of the ratio of attack to background traffic. Thus, we studied the effectiveness of five prominent and/or promising similarity metrics: a χ2 test (CST), a Kolmogorov-Smirnov (KS) test (KST), Kuiper's KS-type statistic (KKS), a combined area-KS type test (AKS), and a simpler fractional deviation from the mean statistic (FDM). We present the performance of these metrics using 9 traffic intensity scenarios, as the attack traffic decreased from 10% to 0.5% of the background. It was found that the KST metric performed slightly better overall, while the FDM performed surprisingly well at low traffic intensities. It was also found that an attack/background ratio as small as 1% can be detected by MAID with corresponding misclassification rates in the range of 0.5-1.0%. These results show promise for the use of MAID in early DOS detection using MIB traffic parameters.
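As an added illustration (not the authors' code), the following Python sketch reproduces MAID's per-parameter comparison step for two of the metrics named above, KST and FDM: a window of counter deltas is binned into an empirical PDF, compared to a reference PDF, and turned into one entry of an anomaly status vector. The per-second counter values, bin edges and thresholds are constructed assumptions, and the 10% and 1% windows mirror the upper and lower ends of the intensity range the abstract reports.

```python
# Added example, not from the paper: MAID-style PDF comparison for one MIB
# counter. Sample windows, bin edges and thresholds are constructed.
from typing import Dict, List, Sequence


def histogram_pdf(samples: Sequence[float], edges: Sequence[float]) -> List[float]:
    """Empirical PDF of a window; values beyond the last edge land in the last bin."""
    counts = [0] * (len(edges) - 1)
    for x in samples:
        idx = sum(1 for e in edges[1:-1] if x >= e)  # bin index, clipped to range
        counts[idx] += 1
    return [c / len(samples) for c in counts]


def ks_distance(p: Sequence[float], q: Sequence[float]) -> float:
    """KS-type statistic: largest gap between the two binned CDFs."""
    cp = cq = gap = 0.0
    for a, b in zip(p, q):
        cp += a
        cq += b
        gap = max(gap, abs(cp - cq))
    return gap


def fdm(samples: Sequence[float], ref_mean: float) -> float:
    """Fractional deviation of the window mean from the reference mean."""
    return abs(sum(samples) / len(samples) - ref_mean) / ref_mean


def score_window(window, ref_samples, edges) -> Dict[str, float]:
    """Compare one observation window against the reference (normal) profile."""
    ref_pdf = histogram_pdf(ref_samples, edges)
    ref_mean = sum(ref_samples) / len(ref_samples)
    return {"ks": ks_distance(histogram_pdf(window, edges), ref_pdf),
            "fdm": fdm(window, ref_mean)}


def anomaly_status(scores: Dict[str, float], ks_thr=0.05, fdm_thr=0.005) -> Dict[str, bool]:
    """One flag per metric; MAID feeds such a vector to its classifier."""
    return {"ks": scores["ks"] > ks_thr, "fdm": scores["fdm"] > fdm_thr}


# Constructed data: per-second inbound packet-count deltas of one MIB counter,
# background around 100 pkt/s. Floods add a constant per-second surplus.
EDGES = list(range(80, 135, 5))                       # 10 bins of width 5
REFERENCE = [95 + (i * 7) % 11 for i in range(200)]   # training profile
NORMAL = [95 + (i * 3) % 11 for i in range(200)]      # clean window
FLOOD_10PCT = [x + 10 for x in NORMAL]                # attack = 10% of background
FLOOD_1PCT = [x + 1 for x in NORMAL]                  # attack = 1% of background

if __name__ == "__main__":
    for name, w in [("normal", NORMAL), ("flood 10%", FLOOD_10PCT), ("flood 1%", FLOOD_1PCT)]:
        s = score_window(w, REFERENCE, EDGES)
        print(name, {k: round(v, 4) for k, v in s.items()}, anomaly_status(s))
```

With these constructed windows the KS gap drops from about 0.91 at 10% to about 0.09 at 1%, while FDM tracks the flood ratio almost exactly (about 0.10 and 0.01), which is the low-intensity behaviour the abstract attributes to FDM.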
Keywords :
computer crime; computer networks; neural nets; probability; protocols; statistical analysis; telecommunication network management; telecommunication security; telecommunication traffic; χ2 test; AKS; CST; DOS computer network attacks; DOS intrusion detection; Denial of Service; FDM; KKS; KS type statistic; KST; Kolmogorov-Smirnov test; MAID; MIB traffic parameters; PDF; SNMP; anomaly status vector; combined area-KS type test; early detection; fractional deviation from mean statistic; misclassification rates; multiobservation-window; network testbed facility; neural network classifier; probability density function; similarity metrics; statistical anomaly intrusion detection; traffic intensity scenarios; Computer crime; Computer displays; Computer networks; IP networks; Intrusion detection; Laboratories; Prototypes; Statistical analysis; Telecommunication traffic; Testing;
Conference_Title :
Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society
Print_ISBN :
0-7803-7808-3
DOI :
10.1109/SMCSIA.2003.1232401