PHAD: packet header anomaly detection for identifying hostile network traffic
We describe an experimental packet header anomaly detector (PHAD) that learns the normal range of values for 33 fields of the Ethernet, IP, TCP, UDP, and ICMP protocols. On the 1999 DARPA off-line intrusion detection ...
Trajectory boundary modeling of time series for anomaly detection
We address the problem of online detection of unanticipated modes of mechanical failure given a small set of time series under normal conditions, with the requirement that the anomaly detection model be manually verifiable ...
Network traffic anomaly detection based on packet bytes
Hostile network traffic is often "different" from benign traffic in ways that can be distinguished without knowing the nature of the attack. We describe a two-stage anomaly detection system for identifying suspicious ...
A machine learning approach to anomaly detection
Adaptive weighing of context models for lossless data compression
Until recently the state of the art in lossless data compression was prediction by partial match (PPM). A PPM model estimates the next-symbol probability distribution by combining statistics from the longest matching ...
An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection
We investigate potential simulation artifacts and their effects on the evaluation of network anomaly detection systems in the 1999 DARPA/MIT Lincoln Laboratory off-line intrusion detection evaluation data set. A statistical ...
A machine learning approach to detecting attacks by identifying anomalies in network traffic
The current approach to detecting novel attacks in network traffic is to model the normal frequency of session IP addresses and server port usage and to signal unusual combinations of these attributes as suspicious. We ...
Detecting novel attacks by identifying anomalous network packet headers
We describe a simple and efficient network intrusion detection algorithm that detects novel attacks by flagging anomalous field values in packet headers at the data link, network, and transport layers. In the 1999 DARPA ...
Learning nonstationary models of normal network traffic for detecting novel attacks
Traditional intrusion detection systems (IDS) detect attacks by comparing current behavior to signatures of known attacks. One main drawback is the inability to detect new attacks which do not have known signatures. In ...
Learning rules for anomaly detection of hostile network traffic
We introduce an algorithm called LERAD that learns rules for finding rare events in nominal time-series data with long range dependencies. We use LERAD to find anomalies in network packets and TCP sessions to detect novel ...