基于异常的网络入侵检测随机协议建模

First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings. Pub Date : 2003-03-24 DOI:10.1109/IWIAS.2003.1192454

J. Tapiador, P. García-Teodoro, J. D. Verdejo

{"title":"基于异常的网络入侵检测随机协议建模","authors":"J. Tapiador, P. García-Teodoro, J. D. Verdejo","doi":"10.1109/IWIAS.2003.1192454","DOIUrl":null,"url":null,"abstract":"A new method for detecting anomalies in the usage of protocols in computer networks is presented. The proposed methodology is applied to TCP and disposed in two steps. First, a quantization of the TCP header space is accomplished, so that a unique symbol is associated with each TCP segment. TCP-based network traffic is thus captured, quantized and represented by a sequence of symbols. The second step in our approach is the modeling of these sequences by means of a Markov chain. The analysis of the model obtained for diverse TCP sources reveals that it captures adequately the essence of the protocol dynamics. Once the model is built it is possible to use it as a representation of the normal usage of the protocol, so that deviations from the behavior provided by the model can be considered as a sign of protocol misusage.","PeriodicalId":186507,"journal":{"name":"First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings.","volume":"180 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2003-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"63","resultStr":"{\"title\":\"Stochastic protocol modeling for anomaly based network intrusion detection\",\"authors\":\"J. Tapiador, P. García-Teodoro, J. D. Verdejo\",\"doi\":\"10.1109/IWIAS.2003.1192454\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"A new method for detecting anomalies in the usage of protocols in computer networks is presented. The proposed methodology is applied to TCP and disposed in two steps. First, a quantization of the TCP header space is accomplished, so that a unique symbol is associated with each TCP segment. TCP-based network traffic is thus captured, quantized and represented by a sequence of symbols. The second step in our approach is the modeling of these sequences by means of a Markov chain. The analysis of the model obtained for diverse TCP sources reveals that it captures adequately the essence of the protocol dynamics. Once the model is built it is possible to use it as a representation of the normal usage of the protocol, so that deviations from the behavior provided by the model can be considered as a sign of protocol misusage.\",\"PeriodicalId\":186507,\"journal\":{\"name\":\"First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings.\",\"volume\":\"180 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2003-03-24\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"63\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/IWIAS.2003.1192454\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IWIAS.2003.1192454","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 63

摘要

提出了一种检测计算机网络协议使用异常的新方法。将该方法应用于TCP，并分两步进行处理。首先，完成TCP报头空间的量化，以便与每个TCP段相关联的唯一符号。因此，基于tcp的网络流量被捕获、量化并由一系列符号表示。我们方法的第二步是通过马尔可夫链对这些序列进行建模。对不同TCP源模型的分析表明，该模型充分反映了协议动态的本质。一旦建立了模型，就可以将其用作协议正常使用的表示，因此，与模型提供的行为的偏差可以被视为协议误用的标志。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Stochastic protocol modeling for anomaly based network intrusion detection

A new method for detecting anomalies in the usage of protocols in computer networks is presented. The proposed methodology is applied to TCP and disposed in two steps. First, a quantization of the TCP header space is accomplished, so that a unique symbol is associated with each TCP segment. TCP-based network traffic is thus captured, quantized and represented by a sequence of symbols. The second step in our approach is the modeling of these sequences by means of a Markov chain. The analysis of the model obtained for diverse TCP sources reveals that it captures adequately the essence of the protocol dynamics. Once the model is built it is possible to use it as a representation of the normal usage of the protocol, so that deviations from the behavior provided by the model can be considered as a sign of protocol misusage.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings.

自引率

0.00%

发文量