A statistical covariance matrix based detection approach with application to network flooding attack detection

Pao Yue-kong Library Electronic Theses Database

A statistical covariance matrix based detection approach with application to network flooding attack detection

 

Author: Jin, Shuyuan
Title: A statistical covariance matrix based detection approach with application to network flooding attack detection
Degree: Ph.D.
Year: 2006
Subject: Hong Kong Polytechnic University -- Dissertations
Internet -- Safety measures -- Statistical methods
Computer networks -- Security measures -- Statistical methods
Department: Dept. of Computing
Pages: xv, 162 p. : ill. ; 30 cm
Language: English
InnoPac Record: http://library.polyu.edu.hk/record=b2069669
URI: http://theses.lib.polyu.edu.hk/handle/200/691
Abstract: Network intrusion detection is a vibrant research area because of the constantly evolving computer networks and methods of intrusions. Currently, flooding attacks have imposed prevalent and significant threat to the reliability of computer networks. How to effectively detect multiple and various flooding attacks has become a crucial problem to improve the network protection mechanisms. Traditional detection approaches neglect the correlation information contained in groups of network traffic samples and this leads to their failure to improve the detection effectiveness. In addition, they lack the capability of identifying different types of unknown flooding attacks. This thesis describes a novel covariance matrix based anomaly detection approach. This approach more effectively detects flooding attacks, by directly utilizing the covariance matrix of groups of samples. It can also identify unknown flooding attacks by automatically capturing the patterns of any flooding attacks that are detected. This novel detection approach works by first constructing a new covariance feature space based on groups of samples. This allows the correlation information from sequential network packets of fixed and equal lengths to be used to formulate the detection problem in the original feature space as a multi-classification problem in the covariance feature space. The approach then determines the thresholds in a supervised training stage and forms a constrained boundary for each known attack. Since the boundary of each known attack is constrained, the proposed covariance matrix based detection approach has a great potential to identify the unknown attacks. We further developed a new multi-dimensional measure called 0-1 matrix in order to exhibit the quantities and directions of prominent difference between an observed sample and the norm profiles in terms of covariance changes. In the end, the detection result matrix obtained during detection, as a 0-1 matrix, serves as the second-order features to mark the detected flooding attack. The effectiveness of the proposed detection approach is evaluated by extensive experiments and simulations where the operational network data serves as the background traffic. Three different implementations are carried out: one is based on the Euclidean distance in which the threshold serves as a scalar measure; other implementations are based on the maximal matrix statistics and Chebyshev inequality theorem and these serve as matrix measures. The experimental results are also compared with some of the traditional detection approaches that used the same datasets and show that the proposed approach considerably improves detection effectiveness. The work described in this thesis applies high-order statistics and a multi-dimensional measure to a detection problem. This multi-dimensional measure can evaluate the difference between two compared objects in terms of each dimension of the feature space and enable the detection result to reflect the patterns of the object that are detected. However, it is still worth further exploring how to integrate multi-dimensional measure to traditional classification approaches such as SVM (Support Vector Machine), MLP (Multi-Layer Perceptron) in order to give their detection results specific physical meanings. Nor is it yet totally known how to handle the blended flooding attacks in one sampling window. Other implementation issues such as how to apply the detection approach to satisfy the technical requirements of on-line detection, and how to find some suitable feature sets also call for further investigation.

Files in this item

Files Size Format
b20696693.pdf 2.075Mb PDF
Copyright Undertaking
As a bona fide Library user, I declare that:
  1. I will abide by the rules and legal ordinances governing copyright regarding the use of the Database.
  2. I will use the Database for the purpose of my research or private study only and not for circulation or further reproduction or any other purpose.
  3. I agree to indemnify and hold the University harmless from and against any loss, damage, cost, liability or expenses arising from copyright infringement or unauthorized usage.
By downloading any item(s) listed above, you acknowledge that you have read and understood the copyright undertaking as stated above, and agree to be bound by all of its terms.

     

Quick Search

Browse

More Information