A machine learning approach to detecting attacks by identifying anomalies in network traffic
The current approach to detecting novel attacks in network traffic is to model the normal frequency of session IP addresses and server port usage and to signal unusual combinations of these attributes as suspicious. We ...
Learning rules for time series anomaly detection
We describe a multi-dimensional time series anomaly detection method in which each point in a test series is required to match the value, slope, and curvature of a point seen in training (with an optional sequential ...
A machine learning approach to anomaly detection
Trajectory boundary modeling of time series for anomaly detection
We address the problem of online detection of unanticipated modes of mechanical failure given a small set of time series under normal conditions, with the requirement that the anomaly detection model be manually verifiable ...
Adaptive weighing of context models for lossless data compression
Until recently the state of the art in lossless data compression was prediction by partial match (PPM). A PPM model estimates the next-symbol probability distribution by combining statistics from the longest matching ...
Detecting novel attacks by identifying anomalous network packet headers
We describe a simple and efficient network intrusion detection algorithm that detects novel attacks by flagging anomalous field values in packet headers at the data link, network, and transport layers. In the 1999 DARPA ...
Learning models of network traffic for detecting novel attacks
Network intrusion detection systems often rely on matching patterns that are gleaned from known attacks. While this method is reliable and rarely produces false alarms, it has the obvious disadvantage that it cannot detect ...
Learning nonstationary models of normal network traffic for detecting novel attacks
Traditional intrusion detection systems (IDS) detect attacks by comparing current behavior to signatures of known attacks. One main drawback is the inability to detect new attacks which do not have known signatures. In ...
Learning rules for anomaly detection of hostile network traffic
We introduce an algorithm called LERAD that learns rules for finding rare events in nominal time-series data with long range dependencies. We use LERAD to find anomalies in network packets and TCP sessions to detect novel ...
PHAD: packet header anomaly detection for identifying hostile network traffic
We describe an experimental packet header anomaly detector (PHAD) that learns the normal range of values for 33 fields of the Ethernet, IP, TCP, UDP, and ICMP protocols. On the 1999 DARPA off-line intrusion detection ...