Heavy tails and temporal correlations of processing times in network intrusion detection: characterization and consequences

Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop Pub Date : 2005-06-15 DOI:10.1109/IAW.2005.1495941

Joiio B. D. Cabrera, Wenke Lee, ykumar Gasar, R. Mehra

{"title":"Heavy tails and temporal correlations of processing times in network intrusion detection: characterization and consequences","authors":"Joiio B. D. Cabrera, Wenke Lee, ykumar Gasar, R. Mehra","doi":"10.1109/IAW.2005.1495941","DOIUrl":null,"url":null,"abstract":"This paper examines two aspects of network intrusion detection which have critical relevance for the configuration (understood as allocation of memory and CPU) of intrusion detection systems (IDSs) hosts and for their operational performance: the presence of heavy tails in the service times for the preprocessing stage, and the presence of substantial temporal correlations in the service times for the content matching stage. Concerning heavy tails in preprocessing, our study reveals that snort preprocessing times give rise to a cumulative distribution function which is extremely heavy-tailed. Concerning temporal correlations, our analysis reveals that payload processing times evolve in two time scales: a fast time scale and a slow time scale. The fast, packet-to-packet time scale corresponds to 40-100 contiguous packets (a packet group), within which the content matching times are independent. In the slow, packet group-to-packet group time scale the mean values of the successive packet groups are heavily correlated and can be predicted. The consequences of the two phenomena are examined in the paper.","PeriodicalId":252208,"journal":{"name":"Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-06-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IAW.2005.1495941","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

This paper examines two aspects of network intrusion detection which have critical relevance for the configuration (understood as allocation of memory and CPU) of intrusion detection systems (IDSs) hosts and for their operational performance: the presence of heavy tails in the service times for the preprocessing stage, and the presence of substantial temporal correlations in the service times for the content matching stage. Concerning heavy tails in preprocessing, our study reveals that snort preprocessing times give rise to a cumulative distribution function which is extremely heavy-tailed. Concerning temporal correlations, our analysis reveals that payload processing times evolve in two time scales: a fast time scale and a slow time scale. The fast, packet-to-packet time scale corresponds to 40-100 contiguous packets (a packet group), within which the content matching times are independent. In the slow, packet group-to-packet group time scale the mean values of the successive packet groups are heavily correlated and can be predicted. The consequences of the two phenomena are examined in the paper.

查看原文本刊更多论文

网络入侵检测中处理时间的重尾和时间相关性:表征和后果

本文研究了网络入侵检测的两个方面，这两个方面对入侵检测系统(ids)主机的配置(理解为内存和CPU的分配)及其操作性能具有关键的相关性:预处理阶段服务时间中的重尾的存在，以及内容匹配阶段服务时间中的实质性时间相关性的存在。对于预处理中的重尾，我们的研究表明，snort预处理时间会产生一个累积分布函数，该函数具有极高的重尾。关于时间相关性，我们的分析表明，有效载荷处理时间在两个时间尺度上演变:快速时间尺度和慢时间尺度。快速的包到包时间尺度对应于40-100个连续的报文(一个报文组)，在这个时间段内，内容匹配次数是独立的。在缓慢的分组到分组的时间尺度中，连续分组的平均值是高度相关的，并且可以预测。本文探讨了这两种现象的后果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop

自引率

0.00%

发文量