Article title

Anomaly Detection Framework Based on Matching Pursuit for Network Security Enhancement

Publication languages
EN
Abstracts
EN
In this paper, a framework for recognizing network traffic in order to detect anomalies is proposed. We propose to combine and correlate parameters from different layers in order to detect 0-day attacks and reduce false positives. Moreover, we propose to combine statistical and signal-based features. The major contributions of this paper are a novel framework for network security based on the correlation approach and a new signal-based algorithm for intrusion detection using matching pursuit.
Year
Volume
Pages
32--36
Physical description
Bibliography: 14 items, figures, tables.
Authors
author
Bibliography
  • [1] M. Esposito, C. Mazzariello, F. Oliviero, S. Romano, and C. Sansone, “Real time detection of novel attacks by means of data mining techniques”, Enterprise Information Systems, VII 2006, Part 3, pp. 197–204.
  • [2] M. Esposito, C. Mazzariello, F. Oliviero, S. Romano, and C. Sansone, “Evaluating pattern recognition techniques in intrusion detection systems”, in Proc. 5th Int. Worksh. Pattern Recogn. Inf. Sys. PRIS 2005, Miami, USA, 2005, pp. 144–153.
  • [3] C.-M. Cheng, H. T. Kung, and K.-S. Tan, “Use of spectral analysis in defense against DoS attacks”, in Proc. IEEE Glob. Telecommun. Conf. GLOBECOM’02, Taipei, Taiwan, 2002, vol. 3, pp. 2143–2148.
  • [4] P. Barford, J. Kline, D. Plonka, and A. Ron, “A signal analysis of network traffic anomalies”, in Proc. Internet Measur. Worksh. ACM SIGCOMM 2002, Pittsburg, USA, 2002.
  • [5] P. Huang, A. Feldmann, and W. Willinger, “A non-intrusive, wavelet-based approach to detecting network performance problems”, in Proc. Internet Measur. Worksh. ACM SIGCOMM 2001, San Diego, USA, 2001.
  • [6] L. Li and G. Lee, “DDoS attack detection and wavelets”, in Proc. 12th Int. Conf. Comp. Commun. Netw. ICCCN’03, Dallas, USA, 2003, pp. 421–427.
  • [7] A. Dainotti, A. Pescape, and G. Ventre, “NIS04-1: wavelet-based detection of DoS attacks”, in Proc. IEEE Glob. Telecommun. Conf. GLOBECOM’06, San Francisco, USA, 2006, pp. 1–6.
  • [8] S. G. Mallat and Z. Zhang, “Matching pursuits with time-frequency dictionaries”, IEEE Trans. Sig. Process., vol. 41, no. 12, pp. 3397–3415, 1993.
  • [9] P. Jost, P. Vandergheynst, and P. Frossard, “Tree-based pursuit: algorithm and properties”, IEEE Trans. Sig. Process., vol. 54, no. 12, pp. 4685–4697, 2006.
  • [10] J. A. Tropp, “Greed is good: algorithmic results for sparse approximation”, IEEE Trans. Inf. Theory, vol. 50, no. 10, pp. 2231–2242, 2004.
  • [11] R. Gribonval, “Fast matching pursuit with a multiscale dictionary of Gaussian chirps”, IEEE Trans. Sig. Process., vol. 49, no. 5, pp. 994–1001, 2001.
  • [12] “WIDE Project: MAWI Working Group Traffic Archive” [Online]. Available: http://tracer.csl.sony.co.jp/mawi/
  • [13] “Network Tools and Traffic Traces”, Universita’ degli Studi di Napoli “Federico II” [Online]. Available: http://www.grid.unina.it/Traffic/Traces/ttraces.php
  • [14] C. Shannon and D. Moore, “The CAIDA Dataset on the Witty Worm”, March 19–24, 2004 [Online]. Available: http://www.caida.org/passive/witty
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-article-BATA-0013-0038