You are here
CREATING MODELS OF INTERNET BACKGROUND TRAFFIC SUITABLE FOR USE IN EVALUATING NETWORK INTRUSION DETECTION SYSTEMS
- Date Issued:
- 2005
- Abstract/Description:
- This dissertation addresses Internet background traffic generation and network intrusion detection. It is organized in two parts. Part one introduces a method to model realistic Internet background traffic and demonstrates how the models are used both in a simulation environment and in a lab environment. Part two introduces two different NID (Network Intrusion Detection) techniques and evaluates them using the modeled background traffic. To demonstrate the approach we modeled five major application layer protocols: HTTP, FTP, SSH, SMTP and POP3. The model of each protocol includes an empirical probability distribution plus estimates of application-specific parameters. Due to the complexity of the traffic, hybrid distributions (called mixture distributions) were sometimes required. The traffic models are demonstrated in two environments: NS-2 (a simulator) and HONEST (a lab environment). The simulation results are compared against the original captured data sets. Users of HONEST have the option of adding network attacks to the background. The dissertation also introduces two new template-based techniques for network intrusion detection. One is based on a template of autocorrelations of the investigated traffic, while the other uses a template of correlation integrals. Detection experiments have been performed on real traffic and attacks; the results show that the two techniques can achieve high detection probability and low false alarm in certain instances.
Title: | CREATING MODELS OF INTERNET BACKGROUND TRAFFIC SUITABLE FOR USE IN EVALUATING NETWORK INTRUSION DETECTION SYSTEMS. |
27 views
14 downloads |
---|---|---|
Name(s): |
LUO, SONG, Author Marin, Gerald, Committee Chair University of Central Florida, Degree Grantor |
|
Type of Resource: | text | |
Date Issued: | 2005 | |
Publisher: | University of Central Florida | |
Language(s): | English | |
Abstract/Description: | This dissertation addresses Internet background traffic generation and network intrusion detection. It is organized in two parts. Part one introduces a method to model realistic Internet background traffic and demonstrates how the models are used both in a simulation environment and in a lab environment. Part two introduces two different NID (Network Intrusion Detection) techniques and evaluates them using the modeled background traffic. To demonstrate the approach we modeled five major application layer protocols: HTTP, FTP, SSH, SMTP and POP3. The model of each protocol includes an empirical probability distribution plus estimates of application-specific parameters. Due to the complexity of the traffic, hybrid distributions (called mixture distributions) were sometimes required. The traffic models are demonstrated in two environments: NS-2 (a simulator) and HONEST (a lab environment). The simulation results are compared against the original captured data sets. Users of HONEST have the option of adding network attacks to the background. The dissertation also introduces two new template-based techniques for network intrusion detection. One is based on a template of autocorrelations of the investigated traffic, while the other uses a template of correlation integrals. Detection experiments have been performed on real traffic and attacks; the results show that the two techniques can achieve high detection probability and low false alarm in certain instances. | |
Identifier: | CFE0000852 (IID), ucf:46667 (fedora) | |
Note(s): |
2005-12-01 Ph.D. Engineering and Computer Science, Doctorate This record was generated from author submitted information. |
|
Subject(s): |
Network Traffic Modeling Network Traffic Simulation Network Intrusion Detection |
|
Persistent Link to This Record: | http://purl.flvc.org/ucf/fd/CFE0000852 | |
Restrictions on Access: | public | |
Host Institution: | UCF |