A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods

Alexander G. Tartakovsky, Boris L. Rozovskii, Rudolf B. Blažek, Hongjoong Kim

Research output: Contribution to journal › Article

140 Citations (Scopus)

Abstract

Large-scale computer network attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic. In the early stage of an attack, however, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. Rapid response, a minimal false-alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, portscanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing us to detect changes in statistical models as soon as possible. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Secondly, they allow for the detection of attacks with a small average delay for a given false-alarm rate. Thirdly, they are computationally simple and thus can be implemented online. Theoretical frameworks for detection procedures are presented. We also give the results of the experimental study with the use of a network simulator testbed as well as real-life testing for TCP SYN flooding attacks.
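The abstract describes the approach only at the level of its properties (a thresholded test statistic with a controlled false-alarm rate, a self-learning baseline, a sequential and a batch-sequential mode, validation on TCP SYN flooding). The following is an added example, not code from the paper or its authors, that shows those properties on the simplest member of the same family: a one-sided CUSUM whose pre-change mean and variance are learned online, applied to a constructed per-second count of inbound TCP SYN segments. The class and function names, the Gaussian approximation of the count process, the parameter values (drift k, threshold h, EWMA rate, warm-up length) and the Monte Carlo threshold calibration are all this example's own assumptions; the paper's nonparametric statistics and multi-layer features are not reproduced here.

```python
# Adaptive CUSUM change-point detection on a constructed SYN-rate stream.
# Illustrative example only, not the detector published by Tartakovsky et al.
import math
import random
from typing import List, Optional


class AdaptiveCusum:
    """One-sided CUSUM for an upward shift, with a self-learning baseline.

    Mean/variance are seeded from the first `warmup` samples and then tracked
    by an EWMA (rate `alpha`) only while the statistic is zero (in-control), so
    a slow flood is not learned as the new normal. alpha=0 fixes the baseline.
    """

    def __init__(self, threshold, drift=0.5, alpha=0.02, warmup=20):
        self.threshold = threshold   # h: alarm when stat >= h
        self.drift = drift           # k: reference value, in sigma units
        self.alpha, self.warmup = alpha, warmup
        self.mean, self.var, self.stat, self.n = 0.0, 1.0, 0.0, 0
        self._seed: List[float] = []

    def update(self, x: float) -> bool:
        """Feed one observation; True once the alarm threshold is crossed."""
        self.n += 1
        if self.n <= self.warmup:                       # learning phase
            self._seed.append(x)
            if self.n == self.warmup:
                self.mean = sum(self._seed) / self.warmup
                ss = sum((v - self.mean) ** 2 for v in self._seed)
                self.var = max(ss / (self.warmup - 1), 1e-9)
            return False
        z = (x - self.mean) / math.sqrt(self.var)       # standardised score
        self.stat = max(0.0, self.stat + z - self.drift)
        if self.stat == 0.0 and self.alpha > 0:          # adapt only in-control
            delta = x - self.mean
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        return self.stat >= self.threshold


def first_alarm(stream, threshold, **kw) -> Optional[int]:
    """1-based index of the first alarm, or None if the stream never alarms."""
    det = AdaptiveCusum(threshold, **kw)
    for i, x in enumerate(stream, 1):
        if det.update(x):
            return i
    return None


def first_alarm_batch(stream, batch, threshold, **kw) -> Optional[int]:
    """Batch-sequential variant: decide only at batch ends, on batch means.
    Returns the 1-based index of the last sample of the alarming batch."""
    det = AdaptiveCusum(threshold, **kw)
    for start in range(0, len(stream) - batch + 1, batch):
        if det.update(sum(stream[start:start + batch]) / batch):
            return start + batch
    return None


def syn_counts(n, rate, change_at=None, shift=0.0, seed=0) -> List[int]:
    """Constructed per-second SYN counts (not captured traffic): Poisson(rate),
    approximated by a rounded normal, rising by the fraction `shift` at
    `change_at` to mimic a low-rate SYN flood."""
    rng = random.Random(seed)
    out = []
    for t in range(n):
        lam = rate * (1 + shift) if change_at is not None and t >= change_at else rate
        out.append(max(0, round(rng.gauss(lam, math.sqrt(lam)))))
    return out


def mean_time_to_false_alarm(threshold, rate, runs=20, horizon=2000, **kw) -> float:
    """Monte Carlo estimate of the average run length with no attack (ARL0).
    Runs that never alarm count as `horizon`, so this is a lower bound."""
    total = 0
    for r in range(runs):
        t = first_alarm(syn_counts(horizon, rate, seed=1000 + r), threshold, **kw)
        total += t if t is not None else horizon
    return total / runs


def calibrate_threshold(target_arl0, rate, grid=(2, 4, 6, 8, 10, 12), **kw):
    """Smallest grid threshold whose estimated ARL0 reaches `target_arl0`."""
    for h in grid:
        if mean_time_to_false_alarm(h, rate, horizon=2 * target_arl0, **kw) >= target_arl0:
            return h
    return grid[-1]


if __name__ == "__main__":
    RATE, T0 = 100, 300                      # baseline SYN/s, attack start (s)
    h = calibrate_threshold(1000, RATE)
    print(f"threshold for ARL0 >= 1000 s: h = {h}")
    for shift in (0.10, 0.20, 0.50):
        stream = syn_counts(600, RATE, change_at=T0, shift=shift, seed=7)
        seq, bat = first_alarm(stream, h), first_alarm_batch(stream, 5, h)
        print(f"+{shift:.0%} SYN rate at t={T0}: sequential alarm {seq}, batch-of-5 alarm {bat}")
```

The threshold h is the knob the abstract refers to: raising it lengthens the mean time to false alarm (ARL0) at the cost of a longer detection delay after the change, and the Monte Carlo calibration picks the smallest h that meets a target ARL0 on attack-free data. The batch variant trades granularity for a smoother statistic, since a batch mean has variance rate/batch. Two caveats a practitioner would want: a baseline that adapts while the statistic sits at zero can be walked upward by an attacker who ramps the flood slowly enough that each step stays below k sigma, so the adaptation rate should be small and audited against long-horizon trends; and a single SYN count is a weak feature, so a real deployment would combine it with others (for example SYN versus SYN-ACK balance), as the paper does with data from several protocol layers.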

Original language: English
Pages (from-to): 3372-3381
Number of pages: 10
Journal: IEEE Transactions on Signal Processing
Volume: 54
Issue number: 9
DOIs: 10.1109/TSP.2006.879308
Publication status: Published - 2006 Sep 1

Fingerprint

Computer networks
Intrusion detection
Testbeds
Telecommunication traffic
Statistical methods
Simulators
Statistics
Network protocols
Testing
Statistical Models
Denial-of-service attack

Keywords

  • Attack detection
  • Change point detection
  • Denial of service
  • Intrusion detection
  • Man-in-the-middle
  • Network security
  • Network traffic
  • Nonparametric detection
  • Port scanning
  • Sequential tests
  • Service survivability
  • Worm

ASJC Scopus subject areas

  • Signal Processing
  • Electrical and Electronic Engineering

Cite this

A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods. / Tartakovsky, Alexander G.; Rozovskii, Boris L.; Blažek, Rudolf B.; Kim, Hongjoong.

In: IEEE Transactions on Signal Processing, Vol. 54, No. 9, 01.09.2006, p. 3372-3381.

@article{f44fb536e3ce4563a62d48f9e22df76c,
title = "A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods",
abstract = "Large-scale computer network attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic. In the early stage of an attack, however, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. Rapid response, a minimal false-alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, portscanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing us to detect changes in statistical models as soon as possible. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Secondly, they allow for the detection of attacks with a small average delay for a given false-alarm rate. Thirdly, they are computationally simple and thus can be implemented online. Theoretical frameworks for detection procedures are presented. We also give the results of the experimental study with the use of a network simulator testbed as well as real-life testing for TCP SYN flooding attacks.",
keywords = "Attack detection, Change point detection, Denial of service, Intrusion detection, Man-in-the-middle, Network security, Network traffic, Nonparametric detection, Port scanning, Sequential tests, Service survivability, Worm",
author = "Tartakovsky, {Alexander G.} and Rozovskii, {Boris L.} and Blažek, {Rudolf B.} and Hongjoong Kim",
year = "2006",
month = "9",
day = "1",
doi = "10.1109/TSP.2006.879308",
language = "English",
volume = "54",
pages = "3372--3381",
journal = "IEEE Transactions on Signal Processing",
issn = "1053-587X",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "9",
}

TY - JOUR

T1 - A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods

AU - Tartakovsky, Alexander G.

AU - Rozovskii, Boris L.

AU - Blažek, Rudolf B.

AU - Kim, Hongjoong

PY - 2006/9/1

Y1 - 2006/9/1

N2 - Large-scale computer network attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic. In the early stage of an attack, however, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. Rapid response, a minimal false-alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, portscanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing us to detect changes in statistical models as soon as possible. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Secondly, they allow for the detection of attacks with a small average delay for a given false-alarm rate. Thirdly, they are computationally simple and thus can be implemented online. Theoretical frameworks for detection procedures are presented. We also give the results of the experimental study with the use of a network simulator testbed as well as real-life testing for TCP SYN flooding attacks.

AB - Large-scale computer network attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic. In the early stage of an attack, however, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. Rapid response, a minimal false-alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, portscanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing us to detect changes in statistical models as soon as possible. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Secondly, they allow for the detection of attacks with a small average delay for a given false-alarm rate. Thirdly, they are computationally simple and thus can be implemented online. Theoretical frameworks for detection procedures are presented. We also give the results of the experimental study with the use of a network simulator testbed as well as real-life testing for TCP SYN flooding attacks.

KW - Attack detection

KW - Change point detection

KW - Denial of service

KW - Intrusion detection

KW - Man-in-the-middle

KW - Network security

KW - Network traffic

KW - Nonparametric detection

KW - Port scanning

KW - Sequential tests

KW - Service survivability

KW - Worm

UR - http://www.scopus.com/inward/record.url?scp=33947171900&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33947171900&partnerID=8YFLogxK

U2 - 10.1109/TSP.2006.879308

DO - 10.1109/TSP.2006.879308

M3 - Article

AN - SCOPUS:33947171900

VL - 54

SP - 3372

EP - 3381

JO - IEEE Transactions on Signal Processing

JF - IEEE Transactions on Signal Processing

SN - 1053-587X

IS - 9

ER -