Detecting denial-of-service attacks through feature cross-correlation

Document Type

Conference Proceeding

Publication Date

8-30-2004

Abstract

This paper describes CIDS (Correlation Intrusion Detection System), a novel approach to the detection of DoS attacks that utilizes the change in cross-correlation between selected features. As the DoS attack evolves, the cross-correlations rise, thus revealing the attack. CIDS relies on changes in correlation magnitude upon shifting from normal to attack conditions; thus it is an anomaly-type intrusion detection system (IDS). However, it is characterized by several advantages over anomaly IDSs, primarily because it greatly reduces and/or eliminates the need to maintain normal reference profiles. Thus CIDS: 1. is algorithmically simple; 2. consumes fewer computational and storage resources; 3. is faster in execution; 4. promises to be more robust; and 5. is conceptually simple, and thus promises to be easier to maintain. By detecting abnormal conditions, CIDS also promises to detect novel as well as known attacks, an important advantage over signature-based systems. Moreover, it achieves satisfactory misclassification rates, as demonstrated by the application of the scheme to the DARPA'98 corpus of intrusion attacks, namely False Positive (FP) and False Negative (FN) rates of 0 and 0.0605, respectively, and an overall misclassification rate of 0.0011.

Identifier

4143098106 (Scopus)

ISBN

0780382196, 9780780382190

Publication Title

2004 IEEE Sarnoff Symposium on Advances in Wired and Wireless Communication

First Page

67

Last Page

70

This document is currently not available here.
