Skip to Main Content
Normal profiles have specific properties which would be changed when an attack occurs. The main property we have considered for each behavior is the correlation between the parameters of it. We compute a correlation matrix for normal sessions in the training phase. Then we select effective security parameters for our detection engine using an equivalent class with a graphical illustration namely correlation relation graph (CRG). These extracted parameters among all parameters of each normal behavior have a relation with each other which could be computed by regression relations. Each behavior has some pairs of selected parameters including the independent parameter and the dependent one. As an inline detection process, we look at the value of selected parameters of each current session and put them into their computed regression relation. If the computed value of the dependent parameter of each pair has a value greater then what we compute by their regression relation, it will be considered as a deviation. Number of deviations per session and the combination of them is used to label a session as normal or attack. The results show that our proposed method has suitable detection rate and false alarm.