Heavy tails and temporal correlations of processing times in network intrusion detection: characterization and consequences

4 Author(s)
J. B. D. Cabrera ; Sci. Syst. Co., Inc., Woburn, MA, USA ; W. Lee ; J. B. D. Gosar ; R. K. Mehra

This paper examines two aspects of network intrusion detection which have critical relevance for the configuration (understood as allocation of memory and CPU) of intrusion detection system (IDS) hosts and for their operational performance: the presence of heavy tails in the service times for the preprocessing stage, and the presence of substantial temporal correlations in the service times for the content matching stage. Concerning heavy tails in preprocessing, our study reveals that Snort preprocessing times give rise to a cumulative distribution function which is extremely heavy-tailed. Concerning temporal correlations, our analysis reveals that payload processing times evolve on two time scales: a fast time scale and a slow time scale. The fast, packet-to-packet time scale corresponds to 40-100 contiguous packets (a packet group), within which the content matching times are independent. On the slow, packet group-to-packet group time scale, the mean values of the successive packet groups are heavily correlated and can be predicted. The consequences of the two phenomena are examined in the paper.

Published in: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop

Date of Conference: 15-17 June 2005