Intrusion Detection Using Time Series Analysis with ARMAX/GARCH Models

  • Igor Forain IPT
  • Adilson E. Guelfi IPT / USP
  • Elvis Pontes USP
  • Anderson Silva USP

Abstract

This paper proposes an intrusion detection method based on network anomaly identification using Autoregressive Moving Average with Exogenous inputs (ARMAX) and Generalized Autoregressive Conditional Heteroskedasticity (GARCH) statistical models. Experiments with the DARPA (1999) intrusion dataset showed that, during SYN flood denial-of-service and TCP SYN scanning attacks, the proposed method achieved a detection rate of 100% and a false positive rate below 5%.

References

Anstee, D., Bussiere, D. and Sockrider, G. (2012) “Worldwide Infrastructure Security Report”, Volume VII, Arbor Networks, 2012.

Axelsson, S. (2000) “Intrusion Detection Systems: A Survey and Taxonomy”. In: DEPT. OF COMPUTER ENGINEERING, CHALMERS UNIVERSITY OF TECHNOLOGY, 2000, Sweden, 27p.

DARPA (1999) “1999 DARPA Intrusion Detection Evaluation Data Set”. In: MIT LINCOLN LABORATORY, 1999.

Divakaran, D., Murthy, H. and Gonsalves, T. (2006) “Detection of SYN flooding attacks using linear prediction analysis”. In: IEEE INTERNATIONAL CONFERENCE ON NETWORKS, 14., 2006, TBD, Singapore, p. 1-6.

Enders, W. (2009) “Applied Econometric Time Series”. 3. ed. [S.I.]: Wiley, 2009. 544p.

Erickson, T. J. (2008) “Digital Signal Processing Leveraged for Intrusion Detection”. Ohio, USA, 2008. 91p. Master's thesis, Air Force Institute of Technology, Air University, Ohio, USA, 2008.

He D., Sun Z. and Zhou B. (2005) “An ARMAX/GARCH time series model for IP Traffic Trace”, in ITC19, Beijing, China, Aug 2005.

James, C. and Murthy, H. (2011) “Time Series Models and its Relevance to Modeling TCP SYN Based DoS Attacks”. In: CONFERENCE ON NEXT GENERATION INTERNET, 7., 2011, Kaiserslautern, Germany, p. 1-8.

Kabiri, P. and Ghorbani, A. A. (2005) “Research on Intrusion Detection and Response: A Survey”. International Journal of Network Security, [S.I.], v. 1, n. 2, p. 84-102, 2005.

Kai, H., Zhengwei, Q. and Bo, L. (2009) “Network Anomaly Detection Based on Statistical Approach and Time Series Analysis”. In: IEEE International Conference on Advanced Information Networking and Applications Workshops, 23., 2009, Bradford, United Kingdom, p. 205-211.

Kirchgässner, G. and Wolters, J. (2008) “Introduction to Modern Time Series Analysis”. [S.I.]: Springer, 2008. 284p.

Lu, W. and Ghorbani, A. A. (2009) “Network Anomaly Detection Based on Wavelet Analysis”. EURASIP Journal on Advances in Signal Processing, NY, USA, v.1, n.4, p. 1-16, 2009.

Mchugh, J. (2000) “Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory”. ACM Transactions on Information and System Security, v. 3, n. 4, p. 262–294, November 2000.

Moore, D., Shannon, C., Brown, D. J., Voelker, G. M. and Savage, S. (2006) “Inferring Internet Denial-of-Service Activity”. ACM Transactions on Computer Systems, [S.I.], v. 24, n. 2, p. 115-139, 2006.

Morettin, P. A. and Toloi, C. M. C. (2006) Análise de Séries Temporais. 2. ed. [S.I.]: Blucher, 2006. 544p.

Nazario, J. (2009). “Politically motivated denial of service attacks”. The Virtual Battlefield: Perspectives on Cyber Warfare, p. 163-181.

Ranjan, N., Murthy, H. A. and Gonsalves, T. A. (2010) “Detection of SYN flooding attacks using generalized autoregressive conditional heteroskedasticity (GARCH) modeling technique”. In: NATIONAL CONFERENCE ON COMMUNICATIONS, 16., 2010, I.I.T. Madras, India, p. 1-5.

Saleem, M. and Hassan, J. (2009) “Cyber warfare, the truth in a real case”. In: Project Report for Information Security Course, Linköping Universitetet, 2009, Sweden, 7p.

Shiravi, A., Shiravi, H., Tavallaee, M. and Ghorbani, A. A. (2012) “Toward developing a systematic approach to generate benchmark datasets for intrusion detection”. Computers & Security, v. 31, n. 3, p. 357-374, May 2012. ISSN 0167-4048. DOI: 10.1016/j.cose.2011.12.012.

Siris, V. and Papagalou, F. (2006) “Application of anomaly detection algorithms for detecting SYN flooding attacks”. Computer Communications, Amsterdam, v. 29, n. 6, p. 1433-1442, May 2006.

Sperotto, A., Sadre, R., Boer, P-T. and Pras, A. (2009) “Hidden Markov Model Modeling of SSH Brute-force Attacks”. In: International Workshop on Distributed Systems: Operation and Management, 9., 2009, Venice, Italy, v. 5841, p. 164-176.

Sperotto, A., Sadre, R. and Pras, A. (2008) “Anomaly Characterization in Flow-Based Traffic Time Series”. In: IEEE International Workshop on IP Operations and Management, 8., 2008, Samos, Greece, p. 15-27.

Sperotto, A., Schaffrath, G., Sadre, R., Morariu, C., Pras, A. and Stiller, B. (2010) “An Overview of IP Flow-based Intrusion Detection”. IEEE Communications Surveys & Tutorials, [S.I.], v. 12, n. 3, p. 343-356, 2010.

Thomas, C., Sharma, V. and Balakrishnan, N. (2008) “Usefulness of DARPA dataset for intrusion detection system evaluation”. In: SPIE Defense and Security Symposium, 2008, p. 69730G. International Society for Optics and Photonics.

Thottan, M., Liu, G. and Ji, C. (2010) “Anomaly Detection Approaches for Communication Networks”. Algorithms for Next Generation Networks. [S.I.]: Springer, 2010. p. 239-261.

Zhou, B., He, D. and Sun, Z. (2006) “Traffic modeling and prediction using ARIMA/GARCH model”. Modeling and Simulation Tools for Emerging Telecommunication Networks, [S.I.]: Springer, 2006. p. 101-121.

Zhou, M. and Lang, S-D. (2003) “A Frequency-Based Approach to Intrusion Detection”. Systemics, Cybernetics and Informatics, [S.I.], v. 2, n. 3, p. 52-56, 2003.
Published

2013-11-11

FORAIN, Igor; GUELFI, Adilson E.; PONTES, Elvis; SILVA, Anderson. Detecção de Intrusão Utilizando Análise de Séries Temporais com Modelos ARMAX/GARCH. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 13., 2013, Manaus. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2013. p. 100-113. DOI: https://doi.org/10.5753/sbseg.2013.19539.