Dynamic Modeling of Internet Traffic for Intrusion Detection

• Published in: EURASIP journal on advances in signal processing Vol. 2007; no. 1; p. 090312
• Main Authors: Jonckheere Edmond, Bohacek Stephan, Shah Khushboo
• Format: Journal Article
• Language: English
• Published: SpringerOpen 01.01.2007
• ISSN: 1687-6172; 1687-6180

Computer network traffic is analyzed via mutual information techniques, implemented using linear and nonlinear canonical correlation analyses, with the specific objective of detecting UDP flooding attacks. NS simulation of HTTP, FTP, and CBR traffic shows that flooding attacks are accompanied by a change of mutual information, either at the link being flooded or at another upstream or downstream link. This observation appears to be topology independent, as the technique is demonstrated on the so-called parking-lot topology, random 50-node topology, and 100-node transit-stub topology. This technique is also employed to detect UDP flooding with low false alarm rate on a backbone link. These results indicate that a change in mutual information provides a useful detection criterion when no other signature of the attack is available.