Title of article :
Moving Dispersion Method for Statistical Anomaly Detection in Intrusion Detection Systems
Author/Authors :
Golic, Jovan Dj. Security Innovation, Italy
From page :
71
To page :
91
Abstract :
A unified method for statistical anomaly detection in intrusion detection systems is theoretically introduced. It is based on estimating a dispersion measure of numerical or symbolic data on successive moving windows in time and finding the times when a relative change of the dispersion measure is significant. Appropriate dispersion measures, relative differences, moving windows, as well as techniques for their efficient estimation are proposed. In particular, the method can be used for detecting network traffic anomalies due to network failures and network attacks such as (distributed) denial of service attacks, scanning attacks, SPAM and SPIT attacks, and massive malicious software attacks.
Keywords :
Intrusion detection, Statistical anomaly detection, Dispersion measure, Concentration measure, Variance, Linear regression, EWMA techniques
Journal title :
ISeCure - The ISC International Journal of Information Security
Record number :
2542688