
Early statistical anomaly intrusion detection of DOS attacks using MIB traffic parameters

Authors: Jun Li (Dept. of Electr. & Comput. Eng., New Jersey Inst. of Technol., Newark, NJ, USA); C. Manikopoulos

We investigate the statistical anomaly detection of DOS computer network attacks using only MIB II supplied traffic parameters of the SNMP, as carried out by MAID. MAID is a hierarchical, multitier, multiobservation-window, anomaly based network intrusion detection system, prototyped in our laboratory for the US Army's tactical Internet. MAID monitors several MIB II supplied network traffic parameters simultaneously, constructs a probability density function (PDF) for each, statistically compares it to a reference PDF of normal behavior using a similarity metric, then combines the results into an anomaly status vector that is classified by a neural network classifier. The data used here derive from many experiments carried out in our network testbed facility that monitor 27 MIB traffic parameters simultaneously, focusing on the Denial of Service (DOS) class of attacks, including UDP, ICMP and TCP type flooding attacks. We further focused on the anomaly detector and specifically on two issues: (a) the effectiveness of some alternative similarity metrics and (b) early detection, i.e., detection at low values of the ratio of attack to background traffic. Thus, we studied the effectiveness of five prominent and/or promising similarity metrics: a χ² test (CST), a Kolmogorov-Smirnov (KS) test (KST), Kuiper's KS type statistic (KKS), a combined area-KS type test (AKS), and a simpler fractional deviation from the mean statistic (FDM). We present the performance of these metrics using 9 traffic intensity scenarios, as the attack traffic decreased from 10% to 0.5% of the background. It was found that the KST metric performed slightly better overall, while the FDM performed surprisingly well at low traffic intensities. It was also found that an attack/background ratio as small as 1% can be detected by MAID with corresponding misclassification rates in the range of 0.5-1.0%. These results show promise for the use of MAID in early DOS detection using MIB traffic parameters.
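The PDF comparison at the core of the detector described above, as an added example written for this page (not the authors' MAID code): it builds a histogram PDF of one MIB-II counter's per-second deltas, scores an observation window against a reference window with the KS, Kuiper and fractional-deviation-from-mean metrics, and evaluates them at decreasing attack/background ratios. The counter samples, bin edges and additive flood model are constructed assumptions, and the χ² and AKS metrics are omitted.

```python
from typing import Dict, List, Sequence

# Constructed per-second deltas of one MIB-II counter (think udpInDatagrams) over a
# 30 s observation window of normal traffic. Not measured data; the mean is 100/s.
REFERENCE: List[int] = [97, 98, 99, 99, 100, 100, 101, 101, 102, 103] * 3
EDGES: List[int] = list(range(90, 131))  # integer-wide histogram bins (assumed)


def pdf(samples: Sequence[int], edges: Sequence[int]) -> List[float]:
    """Histogram PDF: fraction of samples falling in each [edges[i], edges[i+1]) bin."""
    counts = [0] * (len(edges) - 1)
    for s in samples:
        for i in range(len(edges) - 1):
            if edges[i] <= s < edges[i + 1]:
                counts[i] += 1
                break
    return [c / len(samples) for c in counts]


def cdf(p: Sequence[float]) -> List[float]:
    out, acc = [], 0.0
    for x in p:
        acc += x
        out.append(acc)
    return out


def ks_stat(p: Sequence[float], q: Sequence[float]) -> float:
    """Kolmogorov-Smirnov: largest absolute gap between the two CDFs."""
    return max(abs(a - b) for a, b in zip(cdf(p), cdf(q)))


def kuiper_stat(p: Sequence[float], q: Sequence[float]) -> float:
    """Kuiper: largest positive plus largest negative CDF gap (sensitive to tails)."""
    gaps = [a - b for a, b in zip(cdf(p), cdf(q))]
    return max(max(gaps), 0.0) + max(-min(gaps), 0.0)


def fdm_stat(observed: Sequence[int], reference: Sequence[int]) -> float:
    """Fractional deviation of the window mean from the reference mean."""
    ref_mean = sum(reference) / len(reference)
    return abs(sum(observed) / len(observed) - ref_mean) / ref_mean


def with_flood(reference: Sequence[int], ratio: float) -> List[int]:
    """Constructed flood: add attack datagrams equal to `ratio` of the mean background rate."""
    extra = round(ratio * sum(reference) / len(reference))
    return [s + extra for s in reference]


def anomaly_vector(observed: Sequence[int], reference: Sequence[int] = REFERENCE) -> Dict[str, float]:
    """One score per metric; MAID feeds a vector like this to its classifier."""
    p, q = pdf(observed, EDGES), pdf(reference, EDGES)
    return {"KST": ks_stat(p, q), "KKS": kuiper_stat(p, q), "FDM": fdm_stat(observed, reference)}


if __name__ == "__main__":
    for ratio in (0.10, 0.05, 0.01):
        print(f"attack/background {ratio:.0%}: {anomaly_vector(with_flood(REFERENCE, ratio))}")
```

On this constructed data a 10% flood shifts all mass into bins the reference never occupied, so KST and KKS saturate at 1.0 while FDM still tracks the ratio; at 1% the PDF metrics drop to 0.2 and FDM reports 0.01, which illustrates why a mean-based statistic remains informative at low intensities.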

Published in: Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society

Date of Conference: 18-20 June 2003