Title :
Detecting denial-of-service attacks through feature cross-correlation
Author :
Zhang, Zheng ; Manikopoulos, Constantine N.
Author_Institution :
Dept. of Electr. & Comput. Eng., New Jersey Inst. of Technol., Newark, NJ, USA
Abstract :
This paper describes CIDS (Correlation Intrusion Detection System), a novel approach to the detection of DoS attacks that utilizes the change in cross-correlation between selected features. As the DoS attack evolves, the cross-correlations rise, thus revealing the attack. CIDS relies on changes in correlation magnitude upon shifting from normal to attack conditions, so it is an anomaly-type intrusion detection system (IDS). However, it is characterized by several advantages over anomaly IDS, primarily because it greatly reduces and/or eliminates the need to maintain normal reference profiles. Thus CIDS (1) is algorithmically simple; (2) consumes less computational and storage resources; (3) is faster in execution; (4) promises to be more robust; and (5) is conceptually simple, thus promises to be easier to maintain. By detecting abnormal conditions, CIDS also promises to detect novel as well as known attacks, an important advantage over signature-based systems. Moreover, it achieves satisfactory misclassification rates, as demonstrated by the application of the scheme to the DARPA'98 corpus of intrusion attacks, namely false positive (FP) and false negative (FN) rates of 0 and 0.0605, respectively, and an overall misclassification rate of 0.0011.
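The abstract describes the mechanism only at a high level: the cross-correlation between selected traffic features rises as a flood develops, and a detector can key on that rise without keeping a normal-traffic profile. The following is an added illustration of that idea, not the authors' CIDS implementation. The two features (packets per second and SYN segments per second), the eight-sample window, the alert threshold of 0.9 and the sample values are all assumptions constructed for the example; the paper's actual feature set and parameters are not given in the abstract.

```python
"""Sliding-window cross-correlation between two traffic features as a DoS indicator.

Added illustration of the approach summarised in the abstract; it is not the
authors' CIDS code. Features, window length, threshold and data are assumed.
"""
from math import sqrt
from typing import List, Sequence, Tuple

WINDOW = 8        # samples per correlation window (assumed)
THRESHOLD = 0.9   # alert when |r| reaches this value (assumed)

# Constructed per-second feature samples.
# Seconds 0-7: normal traffic, the two features move independently.
# Seconds 8-15: flood, both features climb together.
PACKETS_PER_SEC = [90, 110, 95, 105, 90, 110, 95, 105,
                   300, 500, 700, 900, 1100, 1300, 1500, 1700]
SYN_PER_SEC = [18, 18, 22, 22, 22, 22, 18, 18,
               60, 100, 140, 180, 220, 260, 300, 340]


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient of two equal-length series.

    A constant series has no variance and therefore no defined correlation;
    that case is reported as 0.0 so it never counts as evidence of an attack.
    """
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def windowed_correlations(x: Sequence[float], y: Sequence[float],
                          window: int = WINDOW) -> List[float]:
    """Correlation of each consecutive window of `window` samples."""
    return [pearson(x[i:i + window], y[i:i + window])
            for i in range(len(x) - window + 1)]


def detect(x: Sequence[float], y: Sequence[float], window: int = WINDOW,
           threshold: float = THRESHOLD) -> List[Tuple[int, float, bool]]:
    """Per window: (start index, |r|, alert).

    Only the magnitude is compared against the threshold, so no baseline
    profile of normal correlation is stored or consulted.
    """
    results = []
    for start, r in enumerate(windowed_correlations(x, y, window)):
        magnitude = abs(r)
        results.append((start, magnitude, magnitude >= threshold))
    return results


if __name__ == "__main__":
    for start, magnitude, alert in detect(PACKETS_PER_SEC, SYN_PER_SEC):
        status = "ALERT" if alert else "ok"
        print(f"window {start:2d}-{start + WINDOW - 1:2d}  |r|={magnitude:.3f}  {status}")
```

On the constructed data the fully normal window reports |r| = 0 and the fully flooded window reports |r| = 1, with the mixed windows in between; in practice the threshold, the window length and the choice of feature pairs would have to be tuned against real traffic, since some legitimate feature pairs are strongly correlated even under normal load.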
Keywords :
authorisation; computer network management; correlation methods; CIDS; Correlation Intrusion Detection System; DARPA'98 corpus; DoS attacks; anomaly type IDS; computer network; denial-of-service attacks; false negative rates; false positive rates; feature cross-correlation; intrusion detection system; misclassification rates; novel attacks; Computer crime; Computer networks; Condition monitoring; Equations; Gaussian distribution; Intrusion detection; Multidimensional systems; Robustness; Telecommunication traffic; Traffic control;
Conference_Title :
Advances in Wired and Wireless Communication, 2004 IEEE/Sarnoff Symposium on
Print_ISBN :
0-7803-8219-6
DOI :
10.1109/SARNOF.2004.1302842