Please use this identifier to cite or link to this item:
Title: A statistical covariance matrix based detection approach with application to network flooding attack detection
Authors: Jin, Shuyuan
Degree: Ph.D.
Issue Date: 2006
Abstract: Network intrusion detection is a vibrant research area because of the constantly evolving computer networks and methods of intrusions. Currently, flooding attacks have imposed prevalent and significant threat to the reliability of computer networks. How to effectively detect multiple and various flooding attacks has become a crucial problem to improve the network protection mechanisms. Traditional detection approaches neglect the correlation information contained in groups of network traffic samples and this leads to their failure to improve the detection effectiveness. In addition, they lack the capability of identifying different types of unknown flooding attacks. This thesis describes a novel covariance matrix based anomaly detection approach. This approach more effectively detects flooding attacks, by directly utilizing the covariance matrix of groups of samples. It can also identify unknown flooding attacks by automatically capturing the patterns of any flooding attacks that are detected. This novel detection approach works by first constructing a new covariance feature space based on groups of samples. This allows the correlation information from sequential network packets of fixed and equal lengths to be used to formulate the detection problem in the original feature space as a multi-classification problem in the covariance feature space. The approach then determines the thresholds in a supervised training stage and forms a constrained boundary for each known attack. Since the boundary of each known attack is constrained, the proposed covariance matrix based detection approach has a great potential to identify the unknown attacks. We further developed a new multi-dimensional measure called 0-1 matrix in order to exhibit the quantities and directions of prominent difference between an observed sample and the norm profiles in terms of covariance changes. In the end, the detection result matrix obtained during detection, as a 0-1 matrix, serves as the second-order features to mark the detected flooding attack. The effectiveness of the proposed detection approach is evaluated by extensive experiments and simulations where the operational network data serves as the background traffic. Three different implementations are carried out: one is based on the Euclidean distance in which the threshold serves as a scalar measure; other implementations are based on the maximal matrix statistics and Chebyshev inequality theorem and these serve as matrix measures. The experimental results are also compared with some of the traditional detection approaches that used the same datasets and show that the proposed approach considerably improves detection effectiveness. The work described in this thesis applies high-order statistics and a multi-dimensional measure to a detection problem. This multi-dimensional measure can evaluate the difference between two compared objects in terms of each dimension of the feature space and enable the detection result to reflect the patterns of the object that are detected. However, it is still worth further exploring how to integrate multi-dimensional measure to traditional classification approaches such as SVM (Support Vector Machine), MLP (Multi-Layer Perceptron) in order to give their detection results specific physical meanings. Nor is it yet totally known how to handle the blended flooding attacks in one sampling window. Other implementation issues such as how to apply the detection approach to satisfy the technical requirements of on-line detection, and how to find some suitable feature sets also call for further investigation.
Subjects: Hong Kong Polytechnic University -- Dissertations
Internet -- Safety measures -- Statistical methods
Computer networks -- Security measures -- Statistical methods
Pages: xv, 162 p. : ill. ; 30 cm
Appears in Collections:Thesis

Show full item record

Page views

Last Week
Last month
Citations as of May 28, 2023

Google ScholarTM


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.