Archives and Documentation Center
Digital Archives

Detecting intrusions in network traffic using maximum entropy technique


dc.contributor Graduate Program in Electrical and Electronic Engineering.
dc.contributor.advisor Anarım, Emin.
dc.contributor.advisor Mıhçak, Mehmet Kıvanç.
dc.contributor.author Tuna, Ömer Faruk.
dc.date.accessioned 2023-03-16T10:16:56Z
dc.date.available 2023-03-16T10:16:56Z
dc.date.issued 2007.
dc.identifier.other EE 2007 T86
dc.identifier.uri http://digitalarchive.boun.edu.tr/handle/123456789/12694
dc.description.abstract As interconnections among computer systems grow rapidly, network security is becoming a major challenge. Computer networks have to be protected against denial-of-service (DoS) attacks, unauthorized disclosure of information, and the modification or destruction of data. In addition, the availability, confidentiality and integrity of critical information systems need to be ensured. This situation creates the need for Intrusion Detection Systems (IDS) that detect hostile activities or abuse of a network. The objective of this work is to obtain a reliable IDS with a low false positive rate and a high true positive rate. In this thesis, a refined IDS method is proposed. This method detects intrusions in a network by comparing the current network traffic against a baseline distribution of the benign network traffic. The baseline distribution is obtained from the empirical distribution of benign network traffic by using the Maximum Entropy technique. The distributions are built on classes defined by packet and destination port number information. This structure of distributions gives a multi-dimensional view of the network traffic. Intrusions that change the network traffic slowly or abruptly can then be distinguished by computing a measure related to the relative entropy of the distribution of the network traffic under observation with respect to the baseline distribution. The innovation in this thesis is to reduce the number of classes in a distribution by clustering the classes judiciously, in order to reduce the possible negative effects of slow network traffic.
dc.format.extent 30cm.
dc.publisher Thesis (M.S.)-Bogazici University. Institute for Graduate Studies in Science and Engineering, 2007.
dc.relation Includes appendices.
dc.subject.lcsh Computer security.
dc.subject.lcsh Computer networks -- Security measures.
dc.title Detecting intrusions in network traffic using maximum entropy technique
dc.format.pages xiv, 84 leaves;