Anomaly-based Intrusion Detection System

Existing detection systems are either incapable of detecting network intrusions or suffer from high false alarm rates. The developed Intrusion Detection System (IDS) is based on advanced statistical methods to rapidly detect network intrusions while maintaining a low false alarm rate. The IDS can rapidly detect a wide spectrum of internal and external intrusions such as denial-of-service (DoS) attacks, worm attacks, port scanning, etc. The system is anomaly-based: it analyses network traffic and rapidly detects even new, previously unknown intrusions.

The objective is to rapidly detect internal and external network intrusions while controlling the false alarm rate at a given low level. The system provides information that lets network analysts focus on suspect anomalous data and connections. Rapid detection is essential in ultra-high-speed networks in order to preserve the detailed raw data required for forensic investigation.

Detection of intrusions at network packet level – Advanced nonparametric change-point detection (CPD) methods are used to detect a wide variety of internal and external intrusions with minimal detection delays, while maintaining the false alarm rate at a prescribed low level. The developed algorithms are computationally efficient and allow for real-time detection even in ultra-high-speed networks at gigabit rates. The IDS is self-learning and adapts to changing baseline traffic and unknown attack patterns.

Simulation Experiments:

For the simulations we used the NS network simulator with a network of 100 nodes configured into the transit-stub topology depicted in Figure 1. The network contained one transit domain, four transit nodes, and 12 stub domains with 96 nodes. Under regular conditions, the traffic consisted of approximately 5% ICMP packets, 15–20% UDP packets, and 75–80% TCP packets. The attacker's activity represented less than 1% of traffic. After a 120 second period (in simulator time) of regular traffic we initiated one of the following three kinds of DoS attacks targeted at the victim node: TCP SYN Flooding, UDP Packet Storm, and ICMP Ping Flooding. During a DoS attack the attacker's traffic rapidly increased, reaching 20% of all traffic. We considered two scenarios for the attacker's traffic increase: linear and abrupt. In the former case, the level of 20% of all traffic was reached in a linear manner over a 60 second interval, while in the latter case the traffic increased to the 20% level immediately after the beginning of the attack.
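
The following is an added worked example, not code from the CAMS project: a toy change-point detector run on constructed traffic that mimics the simulation setup above (120 seconds of regular traffic, then an attack whose share of traffic reaches 20% either abruptly or over a 60 second linear ramp), covering both the CPD description above and the two attack scenarios. The page does not specify the project's nonparametric CPD statistic, so the detector here is a stand-in: Page's CUSUM on standardized per-second packet counts, with the baseline mean and variance learned on the fly and frozen whenever the statistic is non-zero. The regular packet rate (BASE_RATE), the CUSUM threshold and drift, and the warm-up length are assumptions chosen for illustration; the Poisson counts are constructed sample input.

```python
"""Toy CUSUM change-point detector for DoS-style traffic surges.

Added example, not the CAMS project's own code.  ATTACK_START,
RAMP_SECONDS and ATTACK_SHARE follow the simulation description on the
page; BASE_RATE, the threshold/drift values and the warm-up length are
assumptions made for this illustration.
"""
import math
import random

ATTACK_START = 120    # seconds of regular traffic before the attack (page)
RAMP_SECONDS = 60     # linear scenario: 20% share reached within 60 s (page)
ATTACK_SHARE = 0.20   # attacker's peak share of all traffic (page)
BASE_RATE = 50.0      # assumed regular packets/s on the monitored protocol


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the modest rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_counts(duration, ramp_seconds, seed, attack=True):
    """Constructed per-second packet counts.  Attacker traffic is added so
    that its share of the total grows to ATTACK_SHARE, abruptly when
    ramp_seconds == 0 and linearly over ramp_seconds otherwise."""
    rng = random.Random(seed)
    counts = []
    for t in range(duration):
        share = 0.0
        if attack and t >= ATTACK_START:
            if ramp_seconds == 0:
                share = ATTACK_SHARE
            else:
                share = min(ATTACK_SHARE,
                            ATTACK_SHARE * (t - ATTACK_START) / ramp_seconds)
        # if attacker packets make up `share` of the total, total = base/(1-share)
        counts.append(poisson(rng, BASE_RATE / (1.0 - share)))
    return counts


class CusumDetector:
    """One-sided CUSUM on standardized counts.  Baseline mean/variance are
    updated (Welford) only while the statistic is at rest, so slow drift in
    regular traffic is tracked but an attack in progress is not absorbed."""

    def __init__(self, threshold, drift=0.5, warmup=60):
        self.threshold = threshold  # h: higher -> fewer false alarms, longer delay
        self.drift = drift          # k: slack subtracted per step, in std units
        self.warmup = warmup        # samples learned before any alarm is allowed
        self.n, self.mean, self.m2, self.stat = 0, 0.0, 0.0, 0.0

    def _learn(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def update(self, x):
        """Feed one count; return True if the statistic crosses the threshold."""
        if self.stat == 0.0:        # x is independent of the past, so gating on
            self._learn(x)          # the previous statistic keeps learning unbiased
        if self.n < self.warmup:
            return False
        std = max(math.sqrt(self.m2 / (self.n - 1)), 1e-9)
        z = (x - self.mean) / std
        self.stat = max(0.0, self.stat + z - self.drift)
        if self.stat > self.threshold:
            self.stat = 0.0         # restart after raising an alarm
            return True
        return False


def first_alarm(counts, threshold):
    """Index (second) of the first alarm, or None if none is raised."""
    det = CusumDetector(threshold)
    for t, x in enumerate(counts):
        if det.update(x):
            return t
    return None


def compare_scenarios(threshold=10.0, seed=1):
    """Detection delay in seconds after ATTACK_START for the abrupt and the
    linear scenario (a negative value would mean a pre-attack false alarm)."""
    out = {}
    for name, ramp in (("abrupt", 0), ("linear", RAMP_SECONDS)):
        t = first_alarm(simulate_counts(300, ramp, seed), threshold)
        out[name] = None if t is None else t - ATTACK_START
    return out


def false_alarm_fraction(threshold, trials=40, seed=7):
    """Fraction of attack-free 120 s windows that raise at least one alarm;
    lowering the threshold buys shorter delays at the cost of false alarms."""
    hits = 0
    for i in range(trials):
        counts = simulate_counts(ATTACK_START, 0, seed + i, attack=False)
        hits += first_alarm(counts, threshold) is not None
    return hits / trials


if __name__ == "__main__":
    print("detection delay (s):", compare_scenarios())
    for h in (3.0, 10.0):
        print(f"threshold {h}: false-alarm fraction {false_alarm_fraction(h):.2f}")
```

The abrupt scenario is caught within a few seconds because every post-attack sample pushes the statistic up by well over the drift; the linear ramp is only detected once the attacker's share has grown enough for the per-second increments to outweigh the drift, so its delay is longer, which is the trade-off the page's two scenarios are designed to expose. The threshold is the knob that sets the false alarm rate: false_alarm_fraction shows how far it rises when the threshold is lowered, with the detection delays shrinking correspondingly.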

 

CAMS investigators include Boris Rozovsky, Alexander Tartakovsky and Rudolf Blazek.

Figure 1. Transit-stub network topology used in simulations

Movie 1. Detection of the ICMP DoS attack

Movie 2. Rapid detection of port scanning

Movie 1 shows the behavior of the detection statistic for the ICMP DoS attack and for normal UDP traffic (green). After the attack starts, the statistic rapidly increases and crosses the threshold; at that moment an attack is declared.

Movie 2 illustrates the detection of port scanning. The statistic rapidly grows when port scanning starts.