Skip to Main Content
We investigate the statistical anomaly detection of DOS computer network attacks using only MIB II supplied traffic parameters of the SNMP, as carried out by MAID. MAID is a hierarchical, multitier, multiobservation-window, anomaly based network intrusion detection system, prototyped in our laboratory for the US Army's tactical Internet. MAID monitors several MIB II supplied network traffic parameters simultaneously, constructs a probability density function (PDF) for each, statistically compares it to a reference PDF of normal behavior using a similarity metric, then combines the results into an anomaly status vector that is classified by a neural network classifier. The data used here derive from many experiments that have been carried out in our network testbed facility that monitor 27 MIB traffic parameters simultaneously, focusing on the Denial of Service (DOS) class of attacks, including UDP, ICMP and TCP type flooding attacks. We further focused on the anomaly detector and specifically two issues: (a) the effectiveness of some alternative similarity metrics and (b) early detection, i.e., detection at low values of the ratio of attack to background traffic. Thus, we studied the effectiveness of five prominent and/or promising similarity metrics: a χ2 test (CST), a Kolmogorov-Smyrnov (KS) test (KST), Kupier's KS type statistic (KKS), a combined area-KS type test (AKS), and a simpler fractional deviation from the mean statistic (FDM). We present the performance of these metrics using 9 traffic intensity scenarios, as the attack traffic decreased from 10% to 0.5% of the background. It was found that the KST metric performed slightly better overall while the FDM performed surprisingly well at low traffic intensities. It was also found that an attack/background ratio as small as 1% can be detected by MAID with corresponding misclassification rates in the range of 0.5-1.0 %. These results show promise for the use of MAID in early DOS detection using MIB traffic parameters.