Dynamic Modeling of Internet Traffic for Intrusion Detection

Computer network traffic is analyzed via mutual information techniques, implemented using linear and nonlinear canonical correlation analyses, with the specific objective of detecting UDP flooding attacks. NS simulation of HTTP, FTP, and CBR traffic shows that flooding attacks are accompanied by a change of mutual information, either at the link being flooded or at another upstream or downstream link. This observation appears to be topology independent, as the technique is demonstrated on the so-called parking-lot topology, random 50-node topology, and 100-node transit-stub topology. This technique is also employed to detect UDP flooding with low false alarm rate on a backbone link. These results indicate that a change in mutual information provides a useful detection criterion when no other signature of the attack is available.

• Publication year

  2002

• Venue

  Proceedings of the 2002 American Control Conference (IEEE Cat. No.CH37301)

• Publication date

  2002-05-08

• Fields of study

  Computer Science, Engineering

• Identifiers
  DOI 10.1109/ACC.2002.1024008
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• A study of mass-mailing worms

  2004cited by this paper
• Change-point monitoring for the detection of DoS attacks

  2004cited by this paper
• Application of anomaly detection algorithms for detecting SYN flooding attacks

  2004cited by this paper
• A framework for classifying denial of service attacks

  2003cited by this paper
• Small-time scaling behaviors of Internet backbone traffic: an empirical study

  2003cited by this paper
• On the predictability of data network traffic

  2003cited by this paper
• Anomaly detection in IP networks

  2003cited by this paper
• Detecting SYN flooding attacks

  2002cited by this paper
• Use of spectral analysis in defense against DoS attacks

  2002cited by this paper
• Attacking DDoS at the source

  2002cited by this paper
• Using signal processing to analyze wireless data traffic

  2002cited by this paper
• Practical automated detection of stealthy portscans

  2002cited by this paper
• A signal analysis of network traffic anomalies

  2002cited by this paper
• Information assurance through Kolmogorov complexity

  2001cited by this paper
• A novel approach to detection of \denial{of{service" attacks via adaptive sequential and batch{sequential change{point detection methods

  2001cited by this paper
• Anomaly detection in communication networks using wavelets

  2001cited by this paper
• On the nonstationarity of Internet traffic

  2001cited by this paper
• On the trail of intrusions into information systems

  2000cited by this paper
• A framework for constructing features and models for intrusion detection systems

  2000cited by this paper
• Snort - Lightweight Intrusion Detection for Networks

  1999cited by this paper
• Minimum Message Length and Kolmogorov Complexity

  1999cited by this paper
• Temporal sequence learning and data reduction for anomaly detection

  1999cited by this paper
• High-Speed Networks: TCP/IP and ATM Design Principles

  1998cited by this paper
• Data networks as cascades: investigating the multifractal nature of Internet WAN traffic

  1998cited by this paper
• Bro: a system for detecting network intruders in real-time

  1998cited by this paper
• Self-similarity in World Wide Web traffic: evidence and possible causes

  1997cited by this paper
• Execution monitoring of security-critical programs in distributed systems: a specification-based approach

  1997cited by this paper
• Decay of correlations for the automorphism of the torus

  1997cited by this paper
• Complexity distortion theory

  1997cited by this paper
• The Use of Information Retrieval Techniques for Intrusion Detection

  1997cited by this paper
• Decay of correlations for the automorphism of the torus

  1997cited by this paper
• STABLE NON‐GAUSSIAN RANDOM PROCESSES: STOCHASTIC MODELS WITH INFINITE VARIANCE

  1996cited by this paper
• Introduction to the Theory of Computation

  1996influential reference
• Self-similarity in World Wide Web traffic: evidence and possible causes

  1996cited by this paper
• A sense of self for Unix processes

  1996cited by this paper
• Heavy-tailed on/off source behavior and self-similar traffic

  1995cited by this paper
• On the Self-Similar Nature of Ethernet Traffic ( extended version )

  1995cited by this paper
• Stable non-Gaussian random processes

  1995cited by this paper
• On the self-similar nature of Ethernet traffic (extended version)

  1994cited by this paper
• Detection of abrupt changes: theory and application

  1993cited by this paper
• Identification and filtering of nonlinear systems using canonical variate analysis

  1993cited by this paper
• A Real-Time Intrusion Detection Expert System (IDES)-Final Report

  1992cited by this paper
• Mutual Kolmogorov-Sinai entropy approach to nonlinear estimation

  1992influential reference
• The SRI IDES statistical anomaly detector

  1991cited by this paper
• Adaptive real-time anomaly detection using inductively generated sequential patterns

  1990cited by this paper
• Identification and filtering of nonlinear systems using canonical variate analysis

  1990influential reference
• Introduction to the theory of computation

  1989cited by this paper
• An Intrusion-Detection Model

  1987cited by this paper
• State Space Modeling of Time Series

  1987cited by this paper
• An Intrusion-Detection Model

  1986cited by this paper
• Estimating Optimal Transformations for Multiple Regression and Correlation.

  1985cited by this paper
• Power spectrum reduction by optimal Hankel norm approximation of the phase of the outer spectral factor

  1985cited by this paper
• RFC 959: File transfer protocol

  1985cited by this paper
• Course in mathematical logic

  1977cited by this paper
• Markovian Representation of Stochastic Processes by Canonical Variables

  1975cited by this paper
• THE COMPLEXITY OF FINITE OBJECTS AND THE DEVELOPMENT OF THE CONCEPTS OF INFORMATION AND RANDOMNESS BY MEANS OF THE THEORY OF ALGORITHMS

  1970cited by this paper
• Information Theory and Statistics

  1970cited by this paper
• Qualitative theory of differential equations

  1960cited by this paper

• Phasor Measurement Unit Change-Point Detection of Frequency Hurst Exponent Anomaly With Time-to-Event

  2024cites this paper
• Retracted: Anomaly detection with ensemble empirical mode decomposition and approximate entropy for quick user datagram protocol internet connection-based distributed Blockchain systems

  2023cites this paper
• Stochastic Calculus of Change-Point Detection with Time-to-Event

  2022cites this paper
• PMU Change Point Detection of Imminent Voltage Collapse and Stealthy Attacks

  2018cites this paper
• Context-aware security framework based on Traffic Anomaly Detection Indicator

  2016cites this paper
• Energy-efficient, Delay-aware packet scheduling in high-speed networks

  2015cites this paper
• Energy-Efficient, QoS-Aware Packet Scheduling in High-Speed Networks

  2015cites this paper
• Proposal of a new information theory-based technique based on traffic anomaly detection analysis

  2015cites this paper
• On the Conditional Mutual Information in the Gaussian–Markov Structured Grids

  2014cites this paper
• Application of Kolmogorov complexity in anomaly detection

  2010cites this paper
• Detecting Network Intrusions Using Signal Processing with Query-Based Sampling Filter

  2009cites this paper
• Composite Intrusion Detection in Process Control Networks

  2008cites this paper
• Kolmogorov-sinai causality in chaotically intertwined dynamics: A heart rate variability case study

  2008influential citation
• Use of a cepstral information norm for anomaly detection in a BGP-inferred interent

  2007cites this paper
• An application of information theory to intrusion detection

  2006cites this paper
• ANOMALY DETECTION IN DISTRIBUTED COMPUTER COMMUNICATION SYSTEMS

  2006cites this paper
• A Novel Architecture for Detecting and Defending Against Flooding-Based DDoS Attacks

  2005cites this paper
• Flash crowd mitigation via adaptive admission control based on application-level observations

  2005cites this paper
• Sampling Distance Analysis of Gigantic Data Mining for Intrusion Detection Systems

  2005cites this paper
• A diffusion model of roundtrip time

  2004cites this paper