

Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection


Packet Anomaly Intrusion Detection (PAID)

Constantine N. Manikopoulos and Zheng Zhang
Electrical and Computer Engineering Dept.
New Jersey Institute of Technology
University Heights, Newark, NJ 07102
manikopoulos@njit.edu

Abstract:

Packet Anomaly Intrusion Detection (PAID) is an anomaly-based Intrusion Detection System (IDS) that focuses on the detection of Denial of Service (DOS) attacks. It was originally developed for the US Army's Tactical Internet. It uses a hierarchical, multi-tier, multi-time-window approach that operates automatically, adaptively and proactively, and it can be applied to wired and wireless networks. The current version of PAID operates as a network-based IDS; future versions could work as a host-based IDS as well. The system uses statistical models and multivariate classifiers to detect anomalous network conditions. The monitoring process uses multi-layered time windows, ranging from a few seconds to several hours or more, with each layer aggregating the layer below. PAID monitors many network parameters simultaneously, analyzes each of them statistically, combines the individual parametric decisions, and derives an integrated detection result.

There are several innovative features in PAID. The decision process is based on calculations over probability density functions (PDFs) rather than on individual or averaged sampled values. Because a PDF captures the whole distribution of a parameter within a window instead of a single point estimate, this yields low false alarm rates. In each real-time observation window, the statistical component builds PDFs of the monitored network parameters and compares them to reference PDF models of normal activity using a similarity metric. This statistical analysis transforms the observed status data into a multidimensional vector, the anomaly status vector (ASV), which is fed to a multivariate classifier.

The time-window-stamped ASV is the basic unit for further analysis in PAID. It is a compact but highly informative unit that represents the network anomaly status during the associated observation window. This reduces the representational complexity of temporal profiles for event-sequence analysis and the corresponding computational load. PAID combines the information from all the monitored performance parameters into one integrated and unified decision result, which achieves higher discrimination and a more robust decision process than approaches that decide on each parameter in isolation.
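The following is an added illustration of the pipeline described above (per-window PDFs, a similarity metric against reference PDFs, an ASV, and a combined decision), written for this page; it is not the PAID authors' code. The monitored parameters, their histogram bin edges, the use of Jensen-Shannon divergence as the similarity metric, the mean-plus-three-standard-deviations decision rule and the traffic samples are all assumptions made for the example, and the "second tier" aggregation simply pools the samples of consecutive lower-tier windows.

```python
"""Added example: a minimal PDF-based anomaly status vector (ASV) pipeline in
the spirit of the PAID abstract. Illustrative code, not the authors' system;
bin edges, similarity metric, decision rule and traffic data are assumptions."""
import math
import statistics

# Monitored parameters and their histogram bin edges (assumed for illustration).
# The last bin of each parameter is open-ended.
PARAMS = {
    "pkt_size": [0, 64, 128, 256, 512, 1024],   # bytes per packet
    "pkt_rate": [0, 5, 10, 20, 40, 80],         # packets per second
}


def histogram(values, edges, eps=1e-6):
    """Empirical PDF of `values` over bins [edges[i], edges[i+1]); values at or
    above the last edge land in the final bin. `eps` smoothing keeps every bin
    nonzero so the divergence below stays finite."""
    counts = [0] * len(edges)
    for v in values:
        i = 0
        while i + 1 < len(edges) and v >= edges[i + 1]:
            i += 1
        counts[i] += 1
    total = sum(counts) + eps * len(counts)
    return [(c + eps) / total for c in counts]


def js_divergence(p, q):
    """Jensen-Shannon divergence in base 2, bounded in [0, 1]: 0 for identical
    PDFs, 1 for disjoint support. Assumed here as the PDF similarity metric."""
    m = [(a + b) / 2 for a, b in zip(p, q)]

    def kl(x, y):
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)

    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def reference_model(normal_windows):
    """Reference PDF per parameter: the average of the training windows' PDFs."""
    ref = {}
    for name, edges in PARAMS.items():
        hists = [histogram(w[name], edges) for w in normal_windows]
        ref[name] = [sum(col) / len(hists) for col in zip(*hists)]
    return ref


def anomaly_status_vector(window, ref):
    """One ASV per observation window: one divergence per monitored parameter."""
    return [js_divergence(histogram(window[name], edges), ref[name])
            for name, edges in PARAMS.items()]


def aggregate(windows):
    """Next tier up: a longer window pooling the samples of consecutive shorter ones."""
    return {name: [v for w in windows for v in w[name]] for name in PARAMS}


class ThresholdClassifier:
    """Combines the ASV into one decision. Assumed rule: alarm when the largest
    ASV component exceeds mean + 3*std of the training windows' largest components."""

    def __init__(self, ref, normal_windows):
        scores = [max(anomaly_status_vector(w, ref)) for w in normal_windows]
        self.threshold = statistics.mean(scores) + 3 * statistics.pstdev(scores)

    def is_attack(self, asv):
        return max(asv) > self.threshold


def make_window(size_pattern, rates):
    """Constructed 10-second observation window: per-second packet counts plus
    one size reading per packet, cycling through `size_pattern`."""
    n = sum(rates)
    return {"pkt_size": [size_pattern[i % len(size_pattern)] for i in range(n)],
            "pkt_rate": list(rates)}


# Constructed traffic (not measured data): mixed sizes at 8-20 packets/s ...
NORMAL_SIZES = [60, 90, 150, 300, 520, 700, 1100, 1460]
NORMAL_WINDOWS = [
    make_window(NORMAL_SIZES, [10, 12, 14, 16, 18, 10, 12, 14, 16, 18]),
    make_window(NORMAL_SIZES, [11, 13, 15, 17, 19, 9, 11, 13, 15, 17]),
    make_window(NORMAL_SIZES, [12, 14, 16, 18, 20, 8, 10, 12, 14, 16]),
]
HELD_OUT_NORMAL = make_window(NORMAL_SIZES, [18, 16, 14, 12, 10, 18, 16, 14, 12, 10])
# ... versus a flood of tiny packets at roughly ten times the normal rate.
DOS_WINDOW = make_window([40, 44, 48], [150, 160, 170, 180, 190, 150, 160, 170, 180, 190])


def run_demo():
    """Returns {label: (asv, alarm)} for a held-out normal window, the DOS window
    and a second-tier window aggregated from the normal first-tier windows."""
    ref = reference_model(NORMAL_WINDOWS)
    clf = ThresholdClassifier(ref, NORMAL_WINDOWS)
    cases = {"normal": HELD_OUT_NORMAL, "dos": DOS_WINDOW,
             "tier2_normal": aggregate(NORMAL_WINDOWS * 2)}
    results = {}
    for label, window in cases.items():
        asv = anomaly_status_vector(window, ref)
        results[label] = (asv, clf.is_attack(asv))
    return results


if __name__ == "__main__":
    for label, (asv, alarm) in run_demo().items():
        print(f"{label:13s} ASV={[round(x, 3) for x in asv]} alarm={alarm}")
```

The DOS window scores near 1 on the packet-rate component and well above 0.5 on the size component, while the held-out normal window and the aggregated second-tier window stay below the threshold learned from the three training windows; the point is that the decision is taken on whole-window distributions, so a single large packet or a one-second burst does not by itself move the ASV.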

PAID has been tested on the DARPA'98 intrusion detection corpus. Summary results over all 20 days of the corpus that contain DOS or DOS-like attacks are given in the table below.

Summary of all DOS detection results on the DARPA'98 corpus of attacks. The misclassification rate is relative to all samples (50/39015) and the false negative rate to the attack samples (15/1060).

  Total number of samples              39015
  Total number of attacks               1060
  Total number of misclassifications      50
  Total number of false positives         35
  Total number of false negatives         15
  Total misclassification rate     0.001281560
  Total false positive rate        0.000898242
  Total false negative rate        0.014150900

Over about 39000 samples, the overall DOS detection results give a 0.128% misclassification rate, a 0.0898% false positive rate and a 1.42% false negative rate. These results are highly competitive and encouraging for the practical application of PAID as a DOS IDS. Moreover, as shown in earlier reports and publications, PAID generates alarms very early at the onset of a DOS attack, at attack traffic levels as small as 3% of the background traffic, which makes it well suited as an early warning system.
