Signal Processing Applications in Network Intrusion Detection Systems

Chin-Tser Huang, Rocky K.C. Chang, Polly Huang
2009 EURASIP Journal on Advances in Signal Processing

In recent years, the problem of network intrusion detection has attracted a lot of attention in the field of network security. Network intrusions, carried out in various forms such as worms, viruses, spamming, Trojan horses, and many others, pose two major threats to their victims. First, the intruders probe, gather, and deduce sensitive information about target hosts in an effort to gain unauthorized access to them and their networks. Second, the intruders inject unwanted packets into target networks, aiming to disrupt the normal communications and services provided by those networks. It is therefore critically important to implement effective network intrusion detection systems (NIDSs) that monitor the network and detect intrusions in a timely manner. Signal processing techniques have found applications in NIDSs because of their ability to detect novel intrusions and attacks, which signature-based NIDSs cannot achieve. The primary objective of an NIDS based on signal processing techniques is therefore to profile the normal network traffic pattern or application-level behavior and to classify intrusions or unwanted traffic as anomalies. Wavelets, entropy analysis, and data mining techniques are examples in this regard. However, the major challenges of signal processing-based approaches lie in the adaptive modeling of normal network traffic and in the high false alarm rate caused by inaccuracies in the modeled normal traffic pattern. The emergence of a variety of wireless networks and the mobility of nodes in such networks only add to the complexity of these problems. The goal of this special issue is to present some state-of-the-art techniques for applying signal processing to intrusion detection problems. The issue features seven papers, which cover generic issues in designing NIDSs, such as improving false-positive performance, speed, and the quality of the training data (the first two papers); applying wavelet analysis to detect attacks on wired and wireless networks (the third and fourth papers); detecting flooding-based and low-rate denial-of-service attacks (the fifth and sixth papers); and detecting game bots in massively multiplayer online role-playing games (the seventh paper).
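As an added illustration of the entropy-analysis and adaptive-baseline approach the editorial describes (example code written for this page, not taken from any of the special issue's papers), the detector below profiles the Shannon entropy of destination ports per traffic window, tracks an exponentially weighted baseline of "normal", and raises an alert when a window departs from it. The port mix, EWMA parameters, and flow records are constructed assumptions; the point to note is that flagged windows are kept out of the baseline, since letting an attack window update the normal profile is exactly how adaptive modeling inflates the false-alarm rate later on.

```python
import math
import random
from collections import Counter

def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

class AdaptiveEntropyDetector:
    """EWMA baseline of a per-window entropy feature with z-score alerting.
    Flagged windows are NOT folded into the baseline, so a sustained attack
    cannot drift the 'normal' profile toward itself."""
    def __init__(self, alpha=0.1, z=3.0, sigma_floor=0.05, warmup=10):
        self.alpha, self.z, self.sigma_floor, self.warmup = alpha, z, sigma_floor, warmup
        self.mu = None      # running mean of the entropy feature
        self.var = 0.0      # running (EWMA) variance
        self.seen = 0       # number of windows accepted into the baseline

    def observe(self, h):
        """Return True if entropy value `h` is anomalous relative to the baseline."""
        if self.mu is None:
            self.mu, self.seen = h, 1
            return False
        sigma = max(math.sqrt(self.var), self.sigma_floor)  # floor avoids /0-style hair triggers
        anomalous = self.seen >= self.warmup and abs(h - self.mu) > self.z * sigma
        if not anomalous:   # only benign-looking windows adapt the profile
            diff = h - self.mu
            self.mu += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
            self.seen += 1
        return anomalous

def constructed_windows(n_windows=40, attack_at=30, flows=200, seed=7):
    """Constructed sample (not real traffic): destination ports per window.
    Window `attack_at` is a single-port flood; the rest spread over five services."""
    rng = random.Random(seed)
    normal_ports = [22, 25, 53, 80, 443]
    windows = []
    for i in range(n_windows):
        if i == attack_at:
            windows.append([80] * flows)                      # flood: every flow to one port
        else:
            windows.append([rng.choice(normal_ports) for _ in range(flows)])
    return windows

def run_detector(windows):
    """Indices of windows the detector alerts on."""
    det = AdaptiveEntropyDetector()
    return [i for i, w in enumerate(windows) if det.observe(entropy_bits(w))]
```

Swapping the feature for source-address entropy (which rises rather than collapses under spoofed flooding) needs no change to the baseline logic.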
In the paper "Detecting network intrusions using signal processing with query-based sampling filter," coauthored by Liang-Bin Lai et al., the authors take a joint signal processing and neural network approach to the intrusion detection problem. Learning-based solutions are known to be vulnerable to noise in the training data. The proposed quantization method overcomes this problem by screening the training data and comparing it against the "known attacks" classified by the neural network. Such a treatment results in a more robust classification of intrusions, allowing the potential discovery of rare (new) attacks. This interesting combination of signal processing and learning techniques is shown to be effective, and the choice of the query-based sampling filter is justified using the 1999 DARPA intrusion detection dataset.

In the paper "An adaptive approach to granular real-time anomaly detection," coauthored by Chin-Tser Huang and Jeff Janies, the authors propose a framework that allows flexible, granular examination of network traffic for individual hosts. Given the diversity of Internet use today, with heterogeneous applications and usage patterns, an everyday norm of Internet access for one host might be an anomaly for another. Such observation
doi:10.1155/2009/527689