The application of a low pass filter in anomaly network intrusion detection

Document Type

Conference Proceeding

Publication Date

12-1-2004

Abstract

A common method of identifying attacks with an anomaly network intrusion detection system (NIDS) is to detect significant deviations in network traffic compared to normal conditions. Such changes may include unexpectedly high traffic volume, caused by, e.g., a Denial of Service (DoS) attack. However, recent research on traffic engineering has demonstrated that modern data network traffic exhibits high burstiness at a wide range of observation window sizes, i.e., self-similarity [1,2]. Self-similar traffic may challenge the traditional anomaly NIDS by making it unable to distinguish attacks from traffic bursts. In this paper, we investigate the use of low pass filters in the anomaly NIDS to smooth the burstiness in network traffic measurements and thus reduce false alarms. We studied the use of the MWA filter and the Savitzky-Golay filter. By analyzing the resulting network traffic measurements, we found that the MWA filter significantly changed, while the Savitzky-Golay filter only moderately altered, the statistical properties of the network traffic measurements. To investigate the effectiveness of a low pass filter on an anomaly NIDS, we applied the low pass filter to our anomaly NIDS, namely, the MIB Anomaly Intrusion Detection (MAID) system. By employing these filters in MAID, we observed that the Savitzky-Golay filter outperforms the MWA filter. The results of the performance evaluation also demonstrated that the low pass filter can significantly enhance the detection capacity of MAID by reducing its false alarm rate. ©2004 IEEE.
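The following is an added worked example, not code from the paper or from MAID, showing the effect the abstract describes: a threshold detector profiled on bursty traffic raises false alarms on isolated bursts, and low pass filtering the measurements before detection removes them while a sustained flood is still caught. The traffic series is constructed (a 100 pkt/s baseline with periodic jitter, one-sample bursts and a sustained flood standing in for a DoS); "MWA" is taken here to be a causal moving-window average, the detector is a plain mean + k·sigma profile rather than MAID's actual scoring, and the window sizes (5 samples) are assumptions, not values from the paper. The Savitzky-Golay weights are derived from the least-squares polynomial fit rather than looked up, so the code generalizes to other window widths and polynomial orders.

```python
"""Added example: smoothing bursty traffic measurements with a moving-window
average (MWA) and a Savitzky-Golay filter before threshold-based anomaly
detection. All traffic values below are constructed; the detector is a
simple mean + k*sigma profile (an assumption), not MAID's actual scoring."""
from statistics import mean, pstdev

TRAIN_LEN = 60                            # samples used to learn the "normal" profile
BURSTS = [10, 25, 40, 52, 70, 85, 100]    # isolated one-sample bursts (+300)
ATTACK = range(105, 120)                  # sustained flood (+400) standing in for a DoS
JITTER = [-20, 0, 20, -10, 10]            # periodic jitter around a 100 pkt/s baseline


def traffic_series():
    """Constructed per-second packet counts: baseline + jitter + bursts + attack."""
    series = []
    for i in range(120):
        value = 100 + JITTER[i % 5]
        if i in BURSTS:
            value += 300
        if i in ATTACK:
            value += 400
        series.append(float(value))
    return series


def moving_window_average(series, window=5):
    """Causal MWA: each output is the mean of the last `window` samples."""
    out = []
    for i in range(len(series)):
        chunk = series[max(0, i - window + 1):i + 1]
        out.append(sum(chunk) / len(chunk))
    return out


def _solve(matrix, rhs):
    """Gauss-Jordan elimination with partial pivoting (small dense systems)."""
    n = len(matrix)
    aug = [list(map(float, row)) + [float(b)] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0.0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[-1] for row in aug]


def savgol_coefficients(half_width=2, order=2):
    """Savitzky-Golay smoothing weights: value of the least-squares polynomial of
    degree `order` fitted to 2*half_width+1 points, evaluated at the centre point."""
    offsets = range(-half_width, half_width + 1)
    normal = [[sum(j ** (r + c) for j in offsets) for c in range(order + 1)]
              for r in range(order + 1)]
    # first row of (A^T A)^-1 is the functional that returns the centre value
    inv_row = _solve(normal, [1.0] + [0.0] * order)
    return [sum(inv_row[k] * j ** k for k in range(order + 1)) for j in offsets]


def savitzky_golay(series, half_width=2, order=2):
    """Centred Savitzky-Golay smoothing; edges padded by repeating the end values."""
    coeffs = savgol_coefficients(half_width, order)
    padded = [series[0]] * half_width + list(series) + [series[-1]] * half_width
    return [sum(c * padded[i + k] for k, c in enumerate(coeffs))
            for i in range(len(series))]


def alarms(series, train_len=TRAIN_LEN, k=3.0):
    """Profile the first train_len samples, then flag anything above mean + k*sigma."""
    profile = series[:train_len]
    threshold = mean(profile) + k * pstdev(profile)
    return [i for i in range(train_len, len(series)) if series[i] > threshold]


def evaluate(series):
    """Split post-training alarms into false alarms (outside the flood) and detections."""
    raised = alarms(series)
    false_alarms = [i for i in raised if i not in ATTACK]
    detected = any(i in ATTACK for i in raised)
    return {"false_alarms": len(false_alarms), "detected": detected,
            "sigma": round(pstdev(series[:TRAIN_LEN]), 1)}


def compare():
    """Run the same detector on raw, MWA-filtered and Savitzky-Golay-filtered input."""
    raw = traffic_series()
    return {"raw": evaluate(raw),
            "mwa": evaluate(moving_window_average(raw)),
            "savgol": evaluate(savitzky_golay(raw))}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:7s} sigma={result['sigma']:5.1f} "
              f"false_alarms={result['false_alarms']} detected={result['detected']}")
```

On this constructed input the raw detector flags the three isolated bursts in the test period, while both filtered streams flag none and still catch the flood. The profile's standard deviation also shows the effect the abstract reports: the MWA cuts it far more than the Savitzky-Golay filter does, which is why a detector profiled on MWA output sees a very different "normal" than one profiled on lightly smoothed data.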

Identifier

15944418888 (Scopus)

ISBN

[0780385721, 9780780385726]

Publication Title

Proceedings from the Fifth Annual IEEE System Man and Cybernetics Information Assurance Workshop SMC

First Page

265

Last Page

271
