Detecting denial of service attacks in network traffic with maximum entropy and hypothesis testing techniques

Abstract

With the growth of computer networking and increased dependency of our every day life on the computer based systems, assuring reliable operation of computer systems has become very important. In order to render computer networks more secure, intrusion detection systems aim to recognise attacks. The objective of this work is to improve maximum entropy based intrusion detection methods and bring a formularization to ad hoc rules by using information theory and statistical signal processing. In this work, it is intended to identify denial-of-service attacks by using maximum entropy and hypothesis testing methods. Proposed method consists of two phases: training and detection. In the training part, models are estimated for various attack types and no attack case based on the maximum entropy principle. In the detection part, hypothesis testing technique is employed to decide which of these models most probably satisfies the characteristics of the current network traffic. The method proposed in this thesis can be considered as a hybrid form of anomaly detection and misuse detection methods, since it focuses on not only the characteristics of normal network activity but also the characteristics of the known attacks. According to the experimental results, proposed method is very succesfull in identifying the denial-of-service attacks which have invariable characteristics and cause a dramatic change in network traffic. However, our method is inadequate for detecting denial-of-service attacks, which have variable characteristics and whose evidences are not noticeable from header information.