Title :
An application of information theory to intrusion detection
Author :
Eiland, E. Earl ; Liebrock, Lorie M.
Author_Institution :
Dept. of Comput. Sci., New Mexico Inst. of Min. & Technol., Socorro, NM
Abstract :
Zero-day attacks, new (anomalous) attacks exploiting previously unknown system vulnerabilities, are a serious threat. Defending against them is no easy task, however. Having identified "degree of system knowledge" as one difference between legitimate and illegitimate users, theorists have drawn on information theory as a basis for intrusion detection. In particular, Kolmogorov complexity (K) has been used successfully. In this work, we consider information distance (Observed_K - Expected_K) as a method of detecting system scans. Observed_K is computed directly, Expected_K is taken from compression tests shared herein. Results are encouraging. Observed scan traffic has an information distance at least an order of magnitude greater than the threshold value we determined for normal Internet traffic. With 320 KB packet blocks, separation between distributions appears to exceed 4sigma
Keywords :
computational complexity; information theory; security of data; Expected_K; Internet traffic; Kolmogorov complexity; Observed_K; anomalous attack; information distance; information theory; intrusion detection; observed scan traffic; packet block; system knowledge; system scan detection; system vulnerability; zero-day attack; Application software; Availability; Computer science; Costs; Databases; Information systems; Information theory; Internet; Intrusion detection; Protection;
Conference_Titel :
Information Assurance, 2006. IWIA 2006. Fourth IEEE International Workshop on
Conference_Location :
London
Print_ISBN :
0-7695-2564-4
DOI :
10.1109/IWIA.2006.3
