
On the Estimation of Attacks in Computer Networks with an AR Approach

Rania A. Ghazy, El-Sayed M. El-Rabaie, Moawad I. Dessouky, Nawal A. El-Feshawy, Fathi E. Abd El-Samie

Abstract


This paper proposes a network-based intrusion detection approach that uses anomaly detection to identify Denial of Service (DoS) attacks. Flood-based attacks are a common class of DoS attacks, and DoS detection mechanisms aimed at floods mainly look for sudden changes in the traffic and mark them as anomalous. In the proposed approach, network traffic is decomposed into a control plane and a data plane so that the relationship between the two can be studied. Because data traffic is generated in response to control traffic, the two planes are expected to behave similarly under normal conditions; a dissimilarity between the traffic of the two planes can therefore indicate abnormal behaviour. To capture this relationship, an Auto Regressive (AR) model is used. Simulation results show both accurate detection and a low false-positive rate.
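The following is an added, self-contained illustration of the idea described in the abstract; it is not the authors' code and does not reproduce their exact model or evaluation. It assumes packets have already been binned into per-second counts of control-plane packets (TCP SYN/SYN-ACK/FIN/RST, ICMP, DNS and similar) and data-plane packets (payload-carrying segments). The traffic series are constructed inline, including a synthetic SYN flood that inflates the control plane without producing any data traffic. An AR(2) model with intercept is fitted by least squares on an attack-free baseline of the control plane; a window is flagged when the control plane shows a burst the AR model could not predict and the data plane does not follow it (low Pearson correlation between the two planes). The thresholds, window length and AR order are assumptions chosen for the example.

```python
"""Control-plane vs data-plane DoS detection with an AR model (illustrative example)."""
import math
from typing import List, Sequence, Tuple


def _uniform_stream(seed: int):
    """Tiny deterministic LCG so the constructed traffic is reproducible without numpy."""
    state = seed
    while True:
        state = (state * 1103515245 + 12345) % (1 << 31)
        yield state / (1 << 31)


def make_traffic(seconds: int = 600, attack: Tuple[int, int] = (300, 420), seed: int = 7):
    """Constructed per-second packet counts for both planes (synthetic, not real captures).

    control: legitimate control packets plus, inside `attack`, a SYN flood that
             carries no payload and therefore generates no data traffic.
    data:    payload packets driven by the legitimate control traffic of the
             current and previous second (flows are set up by control packets first).
    """
    rnd = _uniform_stream(seed)
    legit = [40 + 8 * math.sin(2 * math.pi * t / 120) + (next(rnd) - 0.5) * 6
             for t in range(seconds)]
    control, data = [], []
    for t in range(seconds):
        flood = 400 + (next(rnd) - 0.5) * 240 if attack[0] <= t < attack[1] else 0.0
        control.append(legit[t] + flood)
        prev = legit[t - 1] if t > 0 else legit[0]
        data.append(10 * legit[t] + 3 * prev + (next(rnd) - 0.5) * 40)
    return control, data


def fit_ar(series: Sequence[float], p: int) -> List[float]:
    """Least-squares AR(p) with intercept: x[t] ~ a0 + a1*x[t-1] + ... + ap*x[t-p].

    Builds the (p+1)x(p+1) normal equations and solves them by Gauss-Jordan
    elimination with partial pivoting. Returns [a0, a1, ..., ap].
    """
    n = p + 1
    xtx = [[0.0] * n for _ in range(n)]
    xty = [0.0] * n
    for t in range(p, len(series)):
        row = [1.0] + [series[t - k] for k in range(1, p + 1)]
        for i in range(n):
            xty[i] += row[i] * series[t]
            for j in range(n):
                xtx[i][j] += row[i] * row[j]
    aug = [xtx[i] + [xty[i]] for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                for c in range(col, n + 1):
                    aug[r][c] -= f * aug[col][c]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def innovations(series: Sequence[float], coefs: Sequence[float]) -> List[float]:
    """One-step-ahead prediction errors; the first p samples have no history and get 0."""
    p = len(coefs) - 1
    out = [0.0] * p
    for t in range(p, len(series)):
        pred = coefs[0] + sum(coefs[k] * series[t - k] for k in range(1, p + 1))
        out.append(series[t] - pred)
    return out


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation of two equally long windows (0.0 if either is constant)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def detect(control, data, p=2, baseline=240, window=60, corr_min=0.6, burst_ratio=3.0):
    """Per-window verdicts as (start, corr, innovation_ratio, flagged).

    The AR model is fitted on the attack-free baseline of the control plane.
    A window is flagged when the control plane bursts beyond what the model
    predicts (innovation RMS > burst_ratio x baseline RMS) AND the data plane
    does not follow (correlation between the planes < corr_min).
    """
    coefs = fit_ar(control[:baseline], p)
    err = innovations(control, coefs)
    base_rms = math.sqrt(sum(e * e for e in err[p:baseline]) / (baseline - p))
    verdicts = []
    for start in range(baseline, len(control) - window + 1, window):
        c, d = control[start:start + window], data[start:start + window]
        rms = math.sqrt(sum(e * e for e in err[start:start + window]) / window)
        corr, ratio = pearson(c, d), rms / base_rms
        verdicts.append((start, round(corr, 3), round(ratio, 2),
                         ratio > burst_ratio and corr < corr_min))
    return verdicts


def flagged_windows(control, data, **kw) -> List[int]:
    """Start times of the windows the detector marks anomalous."""
    return [v[0] for v in detect(control, data, **kw) if v[3]]


if __name__ == "__main__":
    ctl, dat = make_traffic()
    for start, corr, ratio, flagged in detect(ctl, dat):
        print(f"t={start:4d}s  corr={corr:6.3f}  innovation x{ratio:6.2f}  {'ANOMALY' if flagged else 'ok'}")
```

Requiring both conditions is what keeps the false-positive rate down: a legitimate flash crowd raises the control plane and the data plane together, so its correlation stays high and it is not flagged, while the window in which the flood stops shows a large innovation but also a high correlation and is likewise left alone. In practice the baseline must be re-fitted periodically, because the AR coefficients of real traffic drift with time of day.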

Keywords


Auto Regressive (AR), Denial-of-Service (DoS), Network Intrusion Detection Systems (NIDS).

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.