Information Systems Technology
Publication Abstract
Streilein, W., Cunningham, R. K. and Webster, S. E., "Improved Detection of Low-Profile Probe and Novel Denial-of-Service Attacks." Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, Baltimore, Maryland, June 11-13, 2002.
Abstract
As more people make use of the Internet, their computers and the valuable data they contain become exposed to attackers lying in wait in cyberspace. Attackers constantly scan the Internet for victim machines that can be broken into and commandeered to suit their malicious purposes, such as the enlistment of new zombies for distributed denial-of-service attacks, the unauthorized use of network storage resources, or the defacement of corporate or government web pages. To protect computer systems, network-based intrusion detection systems (IDSs) have been developed to analyze Internet traffic and recognize when attackers are at work probing a network or attacking a machine.
State-of-the-art network-based intrusion detection systems detect attackers by comparing network traffic with signatures of known attacks. Knowledgeable attackers can alter the details of many attacks to avoid the short signatures these systems detect. In this paper, we present enhancements to our network-based intrusion detection system, which uses multiple neural network classifiers to accurately detect several classes of attacks, including stealthy probes and novel denial-of-service attacks. An intrinsic representation of the local network, together with detection features derived from network traffic, enables the system to detect entire attack classes rather than individual attack instances. Improvements to our system include more robust TCP session reconstruction, handling of both simplex and duplex traffic modes, an expanded feature vector that includes measures of inter-packet delays and counts of anomalous TCP sessions, and binary-tree-based internal data structures that are faster and less vulnerable to attack. Our system achieves a detection rate of 100% with a false alarm rate of 0.1% when tested against stealthy attacks in the DARPA 1999 IDS Evaluation. It also performs well on a moderately loaded research network.
