• DocumentCode
    3364618
  • Title
    Stochastic protocol modeling for anomaly based network intrusion detection
  • Author
    Estevez-Tapiador, Juan M. ; Garcia-Teodoro, Pedro ; Diaz-Verdejo, Jesus E.
  • Author_Institution
    Dept. de Electron. y Tecnologia de Computadores, Granada Univ., Spain
  • fYear
    2003
  • fDate
    24-24 March 2003
  • Firstpage
    3
  • Lastpage
    12
  • Abstract
    A new method for detecting anomalies in the usage of protocols in computer networks is presented. The proposed methodology is applied to TCP and disposed in two steps. First, a quantization of the TCP header space is accomplished, so that a unique symbol is associated with each TCP segment. TCP-based network traffic is thus captured, quantized and represented by a sequence of symbols. The second step in our approach is the modeling of these sequences by means of a Markov chain. The analysis of the model obtained for diverse TCP sources reveals that it captures adequately the essence of the protocol dynamics. Once the model is built it is possible to use it as a representation of the normal usage of the protocol, so that deviations from the behavior provided by the model can be considered as a sign of protocol misusage.
  • Keywords
    Markov processes; computer crime; quantisation (signal); telecommunication security; transport protocols; Markov chain; TCP header space; TCP segment; TCP-based network traffic; anomaly based network intrusion detection; computer networks; protocol dynamics; protocol misusage; stochastic protocol modeling; unique symbol; Computer networks; Electronic mail; Intrusion detection; Monitoring; Protocols; Quantization; Space technology; Stochastic processes; Telecommunication traffic; Traffic control;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Information Assurance, 2003. IWIAS 2003. Proceedings. First IEEE International Workshop on
  • Conference_Location
    Darmstadt, Germany
  • Print_ISBN
    0-7695-1886-9
  • Type
    conf
  • DOI
    10.1109/IWIAS.2003.1192454
  • Filename
    1192454