Title :
Statistical traffic modeling for network intrusion detection
Author :
Cabrera, João B. D.; Ravichandran, B.; Mehra, Raman K.
Author_Institution :
Sci. Syst. Co., Woburn, MA, USA
Abstract :
This paper examines the application of statistical traffic modeling for detecting novel attacks against computer networks. We discuss the application of network activity models and application models using the 1998 DARPA Intrusion Detection Evaluation data set. Network activity models monitor the volume of traffic in the network, while application models describe the operation of application protocols. By plotting the ROC (receiver operating characteristic) curves induced by the traffic activity, we quantify the effectiveness of network activity models in discriminating normal connections from attack connections generated by denial-of-service and probing attacks. It is verified that denial-of-service and probing attacks leave traces on simple network activity models, with false alarm rates comparable to those obtained by the participants of the 1998 DARPA evaluation, in which much more complex detection schemes were used. For application models, we use the Kolmogorov-Smirnov test to show that attacks using telnet connections in the DARPA data set form a population which is statistically different from the normal telnet connections. The statistics used in our study are the number of bytes from the responder and the responder-originator byte ratio. Again, our results are comparable to those obtained in the DARPA evaluation.
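As an added illustration of the two techniques the abstract describes (not code from the paper), the block below computes the two-sample Kolmogorov-Smirnov distance between constructed responder-byte samples for normal and attack telnet connections, and derives an ROC curve, its area and the false-alarm rate at full detection for a network activity model that thresholds connections per time window. The 1.358 constant is the standard asymptotic 5% two-sample KS critical-value factor; all samples are constructed, not DARPA 1998 data.

```python
"""Two-sample Kolmogorov-Smirnov distance between responder-byte distributions and
an ROC curve for a connections-per-window activity model. Added illustration of
the abstract's method; all samples below are constructed, not DARPA 1998 data."""
from bisect import bisect_right

# Constructed responder byte counts per telnet connection (not DARPA data).
NORMAL_RESP_BYTES = [1840, 2210, 1975, 3100, 2650, 1720, 2900, 2380, 2050, 2770]
ATTACK_RESP_BYTES = [310, 420, 150, 980, 270, 510, 90, 640, 360, 200]

# Constructed (connections in window, is_attack_window) pairs; the probe window
# with count 14 overlaps the normal range, so no threshold separates perfectly.
WINDOWS = [(12, False), (15, False), (9, False), (14, False), (11, False),
           (13, False), (48, True), (60, True), (16, False), (14, True),
           (35, True), (10, False)]


def ks_statistic(a, b):
    """D = sup_x |F_a(x) - F_b(x)|, evaluated on the pooled sample support."""
    a, b = sorted(a), sorted(b)
    return max(abs(bisect_right(a, x) / len(a) - bisect_right(b, x) / len(b))
               for x in set(a) | set(b))


def ks_critical_value(n, m):
    """Asymptotic 5% two-sample KS critical value 1.358 * sqrt((n + m) / (n * m))."""
    return 1.358 * ((n + m) / (n * m)) ** 0.5


def roc_points(windows):
    """Flag a window when its count >= threshold; sweep thresholds over observed
    counts and return (false-alarm rate, detection rate) points, ascending."""
    pos = sum(1 for _, atk in windows if atk)
    neg = len(windows) - pos
    points = set()
    for t in sorted({c for c, _ in windows}) + [float("inf")]:
        tp = sum(1 for c, atk in windows if atk and c >= t)
        fp = sum(1 for c, atk in windows if not atk and c >= t)
        points.add((fp / neg, tp / pos))
    return sorted(points)


def auc(points):
    """Trapezoidal area under the ROC curve."""
    return sum((x2 - x1) * (y1 + y2) / 2
               for (x1, y1), (x2, y2) in zip(points, points[1:]))


def false_alarm_rate_at_full_detection(points):
    """Smallest false-alarm rate at which every attack window is flagged."""
    return min(fpr for fpr, tpr in points if tpr == 1.0)
```

On the constructed samples the KS distance is 1.0 against a 5% critical value of about 0.61, and the activity model reaches full detection only at a 37.5% false-alarm rate because one probe window sits inside the normal count range.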
Keywords :
computer network management; sensitivity analysis; statistics; telecommunication security; telecommunication traffic; DARPA Intrusion Detection Evaluation data set; Kolmogorov-Smirnov test; ROC curves; application models; attack connections; computer network attacks; denial-of-service attacks; false alarm rates; network activity models; network intrusion detection; network traffic volume monitoring; normal connections; probing attacks; receiver operating characteristic; responder byte number; responder-originator byte ratio; statistical traffic modeling; telecommunication network connections; traces; Application software; Character generation; Computer crime; Computer networks; Computerized monitoring; Intrusion detection; Protocols; Telecommunication traffic; Testing; Traffic control
Conference_Title :
8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS 2000), Proceedings
Conference_Location :
San Francisco, CA
Print_ISBN :
0-7695-0728-X
DOI :
10.1109/MASCOT.2000.876573