Title :
HIDDEN: Hausdorff Distance Based Intrusion Detection Approach DEdicated to Networks
Author :
Labit, Yann ; Mazel, Johan
Author_Institution :
LAAS-CNRS, Univ. de Toulouse, Toulouse
fDate :
June 29 2008-July 5 2008
Abstract :
DoS attacks represent a big threat for the Internet. While most of attack detection techniques are based on passive monitoring of traffic, we propose a detection method, HIDDEN, based on active measurements, the objective being to make possible the real-time detection and classification of DoS attacks, without intrusive probing. The originality of our contribution relies on the use of the entropy function computed from probabilities of time series of measured ICMP request/echo delays. However, the evaluation of the method exhibits a dramatic number of false positives. It has then been enriched by the use of the Hausdorff distance on probabilities of time series, which significantly decreases the number of false positives. In addition, a method for discriminating ICMP attacks from others (TCP/UDP attacks) using icmp_seq has been added. Experiments for evaluating the effectiveness of the approach have been run on the French operational RENATER network, on which artificial attacks have been generated using TFN2K [14]. Results exhibit that TCP, UDP and ICMP DoS attacks have been accurately detected in less than 1 second.
Keywords :
Internet; security of data; time series; DoS attacks; Hausdorff distance based intrusion detection; Internet; RENATER network; artificial attacks; attack detection techniques; time series; Computer crime; Delay effects; Entropy; Floods; IP networks; Internet; Intrusion detection; Loss measurement; Monitoring; Time measurement; AQM; NS simulations; cross traffic; fluid flow model of TCP; time delay system;
Conference_Titel :
Internet Monitoring and Protection, 2008. ICIMP '08. The Third International Conference on
Conference_Location :
Bucharest
Print_ISBN :
978-0-7695-3189-2
Electronic_ISBN :
978-0-7695-3189-2
DOI :
10.1109/ICIMP.2008.17
