A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods

IEEE Transactions on Signal Processing

Volumn 54, Issue 9, 2006, Pages 3372-3381

  Tartakovsky, Alexander G ^a,b   Rozovskii, Boris L ^b   Blažek, Rudolf B ^b,c   Kim, Hongjoong ^d  

^a IEEE   (United States)

^b UNIVERSITY OF SOUTHERN CALIFORNIA   (United States)

^c Advanced Science and Novel Technology   (United States)

^d Korea University   (South Korea)

Author keywords

Attack detection; Change point detection; Denial of service; Intrusion detection; Man in the middle; Network security; Network traffic; Nonparametric detection; Port scanning; Sequential tests; Service survivability; Worm

Indexed keywords

ATTACK DETECTION; CHANGE POINT DETECTION; DENIAL OF SERVICE; NETWORK TRAFFIC; NONPARAMETRIC DETECTION; PORT SCANNING; SEQUENTIAL TESTS; SERVICE SURVIVABILITY;

COMPUTER SIMULATION; MATHEMATICAL MODELS; NETWORK PROTOCOLS; NETWORK SECURITY; SIGNAL DETECTION; STATISTICAL METHODS; TELECOMMUNICATION TRAFFIC;

COMPUTER NETWORKS;

EID: 33947171900     PISSN: 1053587X     EISSN: None     Source Type: Journal    
DOI: 10.1109/TSP.2006.879308     Document Type: Article

References (38)

1. M. Basseville and I. V. Nikiforov, Detection of Abrupt Changes: Theory and Applications. Englewood Cliffs, NJ: Prentice-Hall, 1993.
2. P. K. Bhattacharya and D. Frierson, "A nonparametric control chart for detecting small disorders," Ann. Statist., vol. 9, pp. 544-554, 1981.
3. R. Blažek, H. Kim, B. Rozovskii, and A. Tartakovsky, "A novel approach to detection of 'denial-of-service' attacks via adaptive sequential and batch-sequential change-point detection methods," in Proc. 2nd Annu. IEEE Syst., Man, Cybern. Inf. Assurance Workshop, West Point, NY, 2001.
4. _, "The quickest sequential detection of intrusions in computer networks," in Interface 2003, Salt Lake City, UT, Mar. 12-15, 2003.
5. B. E. Brodsky and B. S. Darkhovsky, Nonparametric Methods in Change-Point Problems. Dordrecht, The Netherlands: Kluwer, 1993.
6. H. Cramér, Mathematical Methods of Statistics. Princeton, NJ: Princeton Univ. Press, 1946.
7. Daemon9, Route, and Infinity, "Project Neptune," Phrack Mag., vol. 7, no. 48, 1996 [Online]. Available: http://www.phrack.org/show. php?p=48&a=13, File 13 of 18
8. V. P. Dragalin, "Adaptive procedures for detecting a change in distribution," in Proc. 4th Wuenburg-Umea Conf. Statist., 1996, pp. 87-103.
9. F. Feather and R. Maxon, "Fault detection in an ethernet network using anomaly signature matching," in ACM Sigcomm, 1993, vol. 23.
10. S. Gibson, Distributed reflection denial of service: Description and analysis of a potent, increasingly prevalent, and worrisome Internet attack Gibson Research Corp., 2002 [Online]. Available: http://www.grc. com/dos/drdos.htm
11. T. M. Gil and M. Poletter, "MULTOPS: A data-structure for bandwidth attack detection," in Proc. USENIX Security Symp. '01, Washington, DC, Aug. 2001, pp. 23-38.
12. L. Gordon and M. Pollak, "An efficient sequential nonparametric scheme for detecting a change in distribution," Ann. Statist., vol. 22, pp. 763-804, 1994.
13. A. Hussain, J. Heidemann, and C. Papadopoulos, "A framework for classifying denial of service attacks," in Proc. Sigcomm 2003, Karlsruhe, Germany, 2003.
14. S. Kent, "On the trial of intrusions into information systems," IEEE Spectrum, vol. 37, no. 12, pp. 52-56, December 2000.
15. T. L. Lai, "Sequential changepoint detection in quality control and dynamical systems," J. Roy. Statist. Soc. B, vol. 57, no. 4, pp. 613-658, 1995.
16. G. Lorden, "Procedures for reacting to a change in distribution," Ann. Math. Statist., vol. 42, pp. 1908-1987, 1971.
17. R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, "Controlling high bandwidth aggregates in the network," ACM Comptit. Commun. Rev., Jul. 2001.
18. D. McDonald, "A Cusum procedure based on sequential ranks," Naval Res. Logist., vol. 37, pp. 627-646, 1990.
19. J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," in Proc. 10th IEEE Int. Conf. Newark Protocols (ICNP), Paris, France, Nov. 10-12, 2002, pp. 312-321.
20. D. Moore, G. Voelker, and S. Savage, "Inferring Internet denial of service activity," in Proc. USENIX Security Symp., Washington, DC, 2001, pp. 9-22.
21. E. S. Page, "Continuous inspection schemes," Biometrika, vol. 41, pp. 100-115, 1954.
22. C. Papadopoulos, R. Lindell, J. Mehringer, A. Hussain, and R. Govindan, "COSSACK: Coordinated suppression of simultaneous attacks," in Proc. 3rd DARPA Information Survivability Conf. Exposition (Discex III), Washington, DC, 2003, vol. 1, pp. 2-13.
23. V. Paxson, "Bro: A system for detecting network intruders in realtime," Comput. Netw., vol. 31, no. 23-24, pp. 2435-2463, 1999.
24. M. Pollak, "Optimal detection of a change in distribution," Ann. Statist., vol. 13, pp. 206-227, 1985.
25. H. Robbins and D. Siegmund, "The expected sample size of some tests of power one," Ann. Statist., vol. 2, pp. 415-436, 1974.
26. M. Roesch, "Snort: Lightweight intrusion detection for networks," in Proc. 13th Syst. Admin. Conf. (LISA), 1999, pp. 229-238.
27. A. N. Shiryaev, "On optimum methods in quickest detection problems," Theory Prob. Appl., vol. 8, pp. 22-16, 1963.
28. A. G. Tartakovsky, Sequential Methods in the Theory of Information Systems (in Russian). Moscow, Russia: Radio i Svyaz', 1991.
29. _, "Efficiency of the generalized Neyman-Pearson test for detecting changes in a multichannel system," Prob. Inf. Transmission, vol. 28, pp. 341-350, 1992.
30. A. G. Tartakovsky and I. A. Ivanova, "Comparison of some sequential rules for detecting changes in distributions," Prob. Inf. Transmission, vol. 28, pp. 117-124, 1992.
31. A. G. Tartakovsky, "Asymptotic properties of CUSUM and Shiryaev's procedures for detecting a change in a nonhomogeneous Gaussian process," Math. Meth. Statist., vol. 4, no. 4, pp. 389-404, 1995.
32. A. G. Tartakovsky, B. L. Rozovskii, R. Blazek, and H. Kim, "Detection of intrusions in information systems by sequential change-point methods," Statist. Methodol., vol. 3, no. 3, pp. 252-340, 2006.
33. A. G. Tartakovsky and V. Veeravalli, "Change-point detection in multichannel and distributed systems with applications," in Applications of Sequential Methodologies, N. Mukhopadhyay, S. Datta, and S. Chattopadhyay, Eds. New York: Marcel Dekker, 2004, pp. 339-370.
34. _, "General asymptotic Bayesian theory of quickest change detection," Theory Prob. Appl., vol. 49, no. 3, pp. 458-497, 2005.
35. R. R. Talpade, G. Kim, and S. Khurana, "NOMAD: Traffic-based network monitoring framework for anomaly detection," in Proc. 4th IEEE Symp. Comput. Commun., 1999, pp. 442-451.
36. V. A. Sins and F. Papagalou, "Application of anomaly detection algorithms for detecting SYN flooding attacks," in Proc. IEEE Global Telecommun. Conf. (IEEE GLOBECOM 2004), Dallas, TX, 2004, vol. 4, pp. 2050-2054.
37. H. Wang, D. Zhang, and K. Shin, "Detecting SYN flooding attacks," in Proc. IEEE Infocom, New York, 2002, pp. 1530-1539.
38. N. Ye, S. Vilbert, and Q. Chen, "Computer intrusion detection through EWMA for autocorrelated and uncorrelated data," IEEE Trans. Reliab., vol. 52, no. 1, pp. 75-82, Mar. 2003.