• DocumentCode
    3456285
  • Title
    An application of information theory to intrusion detection
  • Author
    Eiland, E. Earl ; Liebrock, Lorie M.
  • Author_Institution
    Dept. of Comput. Sci., New Mexico Inst. of Min. & Technol., Socorro, NM
  • fYear
    2006
  • fDate
    13-14 April 2006
  • Lastpage
    134
  • Abstract
    Zero-day attacks, new (anomalous) attacks exploiting previously unknown system vulnerabilities, are a serious threat. Defending against them is no easy task, however. Having identified "degree of system knowledge" as one difference between legitimate and illegitimate users, theorists have drawn on information theory as a basis for intrusion detection. In particular, Kolmogorov complexity (K) has been used successfully. In this work, we consider information distance (Observed_K - Expected_K) as a method of detecting system scans. Observed_K is computed directly, Expected_K is taken from compression tests shared herein. Results are encouraging. Observed scan traffic has an information distance at least an order of magnitude greater than the threshold value we determined for normal Internet traffic. With 320 KB packet blocks, separation between distributions appears to exceed 4σ.
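    The information-distance test sketched in the abstract, as an added example that is not code from the paper: Observed_K is estimated by compressed length (a computable upper bound on Kolmogorov complexity), Expected_K and its spread are taken from a baseline of blocks known to be normal, and a block is flagged when |Observed_K - Expected_K| exceeds a multiple of that spread. The traffic blocks, the zlib estimator, the 64 KB block size (the paper used 320 KB) and the port-sweep pattern are all constructed assumptions; the paper's own compression tests and threshold are not reproduced.

```python
import random
import statistics
import struct
import zlib

# Block size for the demonstration. The paper reports results on 320 KB
# packet blocks; 64 KB is used here only to keep the example quick (assumption).
BLOCK_SIZE = 64 * 1024


def observed_k(block: bytes) -> int:
    """Computable stand-in for Kolmogorov complexity: length in bytes of the
    block's best zlib compression. Compressed length is only an upper bound on
    K, but it is the usual practical estimator."""
    return len(zlib.compress(block, 9))


def expected_k(training_blocks: list[bytes]) -> tuple[float, float]:
    """Baseline for normal traffic: mean and population stdev of observed_k
    over blocks known to be benign (the paper derives Expected_K from
    compression tests on normal Internet traffic)."""
    ks = [observed_k(b) for b in training_blocks]
    return statistics.mean(ks), statistics.pstdev(ks)


def information_distance(block: bytes, expected_mean: float) -> float:
    """Observed_K - Expected_K, signed: negative means the block is more
    redundant (more compressible) than the baseline, positive means less."""
    return observed_k(block) - expected_mean


def is_anomalous(block: bytes, expected_mean: float, expected_sd: float,
                 n_sigma: float = 4.0) -> bool:
    """Flag a block whose distance lies outside n_sigma standard deviations of
    the normal baseline (the abstract reports separation exceeding 4 sigma)."""
    return abs(information_distance(block, expected_mean)) > n_sigma * expected_sd


def make_normal_block(rng: random.Random) -> bytes:
    """Constructed stand-in for normal traffic: plaintext requests with varying
    parameters mixed with an incompressible (encrypted-looking) payload that
    makes up 40-60% of the block."""
    n_random = int(BLOCK_SIZE * rng.uniform(0.4, 0.6))
    text = bytearray()
    while len(text) < BLOCK_SIZE - n_random:
        text += (b"GET /item/%d HTTP/1.1\r\nHost: www.example.test\r\n"
                 b"User-Agent: client-%d\r\n\r\n"
                 % (rng.randrange(10 ** 6), rng.randrange(8)))
    return bytes(text[: BLOCK_SIZE - n_random]) + rng.randbytes(n_random)


def make_scan_block() -> bytes:
    """Constructed stand-in for a SYN port sweep: pseudo-headers (src IP,
    dst IP, src port, dst port, TCP flags=SYN, zero padding) that differ only
    in the destination port."""
    src_ip, dst_ip, src_port = b"\x0a\x00\x00\x05", b"\xc0\xa8\x01\x0a", 40001
    out = bytearray()
    port = 1
    while len(out) < BLOCK_SIZE:
        out += src_ip + dst_ip + struct.pack("!HHB", src_port, port, 0x02) + b"\x00" * 20
        port = port % 65535 + 1
    return bytes(out[:BLOCK_SIZE])


def run_demo(seed: int = 7, n_train: int = 24) -> dict:
    """Train a baseline on constructed normal blocks, then score one held-out
    normal block and one scan block against it."""
    rng = random.Random(seed)
    train = [make_normal_block(rng) for _ in range(n_train)]
    mean_k, sd_k = expected_k(train)
    normal, scan = make_normal_block(rng), make_scan_block()
    return {
        "expected_k": mean_k,
        "sd": sd_k,
        "normal_distance": information_distance(normal, mean_k),
        "scan_distance": information_distance(scan, mean_k),
        "normal_flagged": is_anomalous(normal, mean_k, sd_k),
        "scan_flagged": is_anomalous(scan, mean_k, sd_k),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.1f}" if isinstance(value, float) else f"{name}: {value}")
```

    Two caveats a practitioner would check before deploying anything like this: the baseline must come from the same link and block size that will be scored, since Expected_K is a property of that traffic mix rather than a constant, and the sign of the distance matters, because a block of pure high-entropy payload (bulk encrypted transfer) also departs from the baseline but in the opposite direction from a repetitive sweep.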
  • Keywords
    computational complexity; information theory; security of data; Expected_K; Internet traffic; Kolmogorov complexity; Observed_K; anomalous attack; information distance; information theory; intrusion detection; observed scan traffic; packet block; system knowledge; system scan detection; system vulnerability; zero-day attack; Application software; Availability; Computer science; Costs; Databases; Information systems; Information theory; Internet; Intrusion detection; Protection
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance, 2006. IWIA 2006. Fourth IEEE International Workshop on
  • Conference_Location
    London
  • Print_ISBN
    0-7695-2564-4
  • Type
    conf
  • DOI
    10.1109/IWIA.2006.3
  • Filename
    1610005