Early statistical anomaly intrusion detection of DOS attacks using MIB traffic parameters

Document Type

Conference Proceeding

Publication Date

1-1-2003

Abstract

We investigate the statistical anomaly detection of DOS computer network attacks using only the MIB II traffic parameters supplied by SNMP, as carried out by MAID. MAID is a hierarchical, multitier, multi-observation-window, anomaly-based network intrusion detection system prototyped in our laboratory for the US Army's tactical Internet. MAID monitors several MIB II network traffic parameters simultaneously, constructs a probability density function (PDF) for each, statistically compares it to a reference PDF of normal behavior using a similarity metric, and then combines the results into an anomaly status vector that is classified by a neural network classifier. The data used here derive from many experiments carried out in our network testbed facility, monitoring 27 MIB traffic parameters simultaneously and focusing on the Denial of Service (DOS) class of attacks, including UDP, ICMP and TCP flooding attacks. We further focus on the anomaly detector and specifically on two issues: (a) the effectiveness of some alternative similarity metrics and (b) early detection, i.e., detection at low values of the ratio of attack to background traffic. We therefore studied the effectiveness of five prominent and/or promising similarity metrics: a χ2 test (CST), a Kolmogorov-Smirnov (KS) test (KST), Kuiper's KS-type statistic (KKS), a combined area-KS-type test (AKS), and a simpler fractional deviation from the mean statistic (FDM). We present the performance of these metrics over 9 traffic intensity scenarios, as the attack traffic decreased from 10% to 0.5% of the background. The KST metric performed slightly better overall, while the FDM performed surprisingly well at low traffic intensities. An attack/background ratio as small as 1% can be detected by MAID with misclassification rates in the range of 0.5% to 1.0%. These results show promise for the use of MAID in early DOS detection using MIB traffic parameters.
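The detection stage the abstract describes (a per-parameter empirical distribution inside an observation window, compared against a reference distribution of normal traffic with a similarity metric, and the per-parameter decisions assembled into an anomaly status vector), as an added example written for this page; it is not MAID's code and the paper's own thresholds are not published. Assumptions made here: the windows are constructed deterministic counter deltas rather than SNMP polls (the object names ipInReceives, udpInDatagrams and icmpInMsgs are real MIB-II counters, the values are not measurements); the KS critical value and the FDM threshold are chosen for the example; the AKS metric is omitted because the page does not define it; and the paper's neural network classifier is replaced by an OR over the status vector.

```python
"""MAID-style statistical anomaly detection over SNMP MIB-II counter deltas.
Example code for this page, not MAID's own implementation."""
import math
from typing import Dict, List, Sequence, Tuple

Window = Sequence[float]


def _ecdf_gaps(ref: Window, obs: Window) -> Tuple[float, float]:
    """Largest positive and negative gap between the two empirical CDFs."""
    ref_s, obs_s = sorted(ref), sorted(obs)
    n, m = len(ref_s), len(obs_s)
    i = j = 0
    d_plus = d_minus = 0.0
    for x in sorted(set(ref_s) | set(obs_s)):
        while i < n and ref_s[i] <= x:
            i += 1
        while j < m and obs_s[j] <= x:
            j += 1
        d_plus = max(d_plus, i / n - j / m)
        d_minus = max(d_minus, j / m - i / n)
    return d_plus, d_minus


def ks_statistic(ref: Window, obs: Window) -> float:
    """Two-sample Kolmogorov-Smirnov statistic D = max |F_ref - F_obs|."""
    return max(_ecdf_gaps(ref, obs))


def kuiper_statistic(ref: Window, obs: Window) -> float:
    """Kuiper's V = D+ + D-, which also reacts to shifts in the tails."""
    return sum(_ecdf_gaps(ref, obs))


def chi_square_statistic(ref: Window, obs: Window, bins: int = 8) -> float:
    """Pearson chi-square between histograms binned on the reference range.
    Observed values outside that range land in the edge bins; a bin the
    reference never populated gets an expected count of 0.5 to stay finite."""
    lo, hi = min(ref), max(ref)
    width = (hi - lo) / bins or 1.0

    def hist(xs: Window) -> List[int]:
        h = [0] * bins
        for x in xs:
            h[min(max(int((x - lo) / width), 0), bins - 1)] += 1
        return h

    scale = len(obs) / len(ref)
    stat = 0.0
    for e, o in zip(hist(ref), hist(obs)):
        expected = e * scale
        if expected == 0 and o == 0:
            continue
        expected = max(expected, 0.5)
        stat += (o - expected) ** 2 / expected
    return stat


def fdm_statistic(ref: Window, obs: Window) -> float:
    """Fractional deviation of the window mean from the reference mean."""
    mean_ref = sum(ref) / len(ref)
    return abs(sum(obs) / len(obs) - mean_ref) / mean_ref


def ks_threshold(n: int, m: int, alpha: float = 0.01) -> float:
    """Critical D of the two-sample KS test at significance alpha."""
    return math.sqrt(-0.5 * math.log(alpha / 2)) * math.sqrt((n + m) / (n * m))


FDM_THRESHOLD = 0.005  # assumed for this example; not a value from the paper


def anomaly_status(reference: Dict[str, Window],
                   observed: Dict[str, Window]) -> Dict[str, Dict[str, float]]:
    """Per MIB-II parameter: the metric values plus KS- and FDM-based binary
    flags; the flags are the anomaly status vector handed to the classifier."""
    status = {}
    for name, ref in reference.items():
        obs = observed[name]
        ks, fdm = ks_statistic(ref, obs), fdm_statistic(ref, obs)
        status[name] = {
            "ks": ks, "kuiper": kuiper_statistic(ref, obs),
            "chi2": chi_square_statistic(ref, obs), "fdm": fdm,
            "ks_flag": float(ks > ks_threshold(len(ref), len(obs))),
            "fdm_flag": float(fdm > FDM_THRESHOLD),
        }
    return status


def classify(status: Dict[str, Dict[str, float]], metric: str = "ks_flag") -> bool:
    """Stand-in for MAID's neural network classifier: alarm if any flag is set."""
    return any(v[metric] for v in status.values())


def constructed_window(mean: float, size: int, phase: int = 0, attack: float = 0.0) -> List[float]:
    """Constructed per-second counter deltas (not measured data): a deterministic
    spread of +-20 around `mean` plus a flat attack component of attack * mean."""
    return [mean - 20 + ((i + phase) * 37) % 41 + attack * mean for i in range(size)]


# Constructed scenario: a UDP flood raises ipInReceives and udpInDatagrams
# but leaves icmpInMsgs untouched.
MEANS = {"ipInReceives": 1500.0, "udpInDatagrams": 1000.0, "icmpInMsgs": 100.0}
ATTACKED = {"ipInReceives", "udpInDatagrams"}
REFERENCE = {k: constructed_window(v, 300) for k, v in MEANS.items()}
NORMAL = {k: constructed_window(v, 300, phase=11) for k, v in MEANS.items()}


def udp_flood(ratio: float) -> Dict[str, List[float]]:
    """Observation window with attack traffic at `ratio` of the background."""
    return {k: constructed_window(v, 300, phase=11, attack=ratio if k in ATTACKED else 0.0)
            for k, v in MEANS.items()}


def sweep(ratios=(0.10, 0.05, 0.02, 0.01, 0.005), metric: str = "ks_flag") -> Dict[float, bool]:
    """Decreasing attack/background ratios, as in the paper's intensity scenarios."""
    return {r: classify(anomaly_status(REFERENCE, udp_flood(r)), metric) for r in ratios}


if __name__ == "__main__":
    print("normal window alarm:", classify(anomaly_status(REFERENCE, NORMAL)))
    for name, s in anomaly_status(REFERENCE, udp_flood(0.01)).items():
        print(name, {k: round(v, 4) for k, v in s.items()})
    print("KS alarms by ratio:", sweep())
    print("FDM alarms by ratio:", sweep(metric="fdm_flag"))
```

The KS flag is what distinguishes a 1% shift from background jitter here: the normal window differs from the reference only by which 13 residues of the spread are sampled an extra time, so its D stays near 0.01, while a 1% flood moves the whole empirical CDF and gives D of roughly 0.25 against a critical value of about 0.133 for two windows of 300 samples. The FDM flag trips on the same 1% case because the mean moves by the full attack offset; with real traffic the reference PDF would be rebuilt per observation window size, as MAID's multi-window design implies, and thresholds would be tuned on the testbed rather than fixed as they are here.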

Identifier

6344258028 (Scopus)

ISBN

[0780378083, 9780780378087]

Publication Title

IEEE Systems Man and Cybernetics Society Information Assurance Workshop

External Full Text Location

https://doi.org/10.1109/SMCSIA.2003.1232401

First Page

53

Last Page

59
