A signal analysis of network traffic anomalies

Barford, Paul; Kline, J.; Plonka, David; Ron, Amos

doi:10.1145/637201.637210

Cited by 623 publications

(322 citation statements)

References 16 publications

(5 reference statements)

Supporting

Mentioning

286

Contrasting

Unclassified

Order By: Relevance

“…The key issue for forensic investigators while during the forensic process is the validation of evidence (Barford et al, 2002). The integrity of the collected evidence has to be questioned at each stage of analysis.…”

Section: Resultsmentioning

confidence: 99%

“…Current forensics deals with two types of evidence analysis such as live analysis and dead analysis. Live analysis mainly monitors and gathers evidence from live networks and systems (Barford, Kline, Plonka, & Ron, 2002;Sy, 2009) and offline analysis deals with evidence processing after physical or logical imaging of the entire system.…”

Section: Background and Motivationmentioning

confidence: 99%

“…Necrofile (Barford et al, 2002) rewrites the selected partition or portion of the hard disk with mock data destroying the evidence completely. Active Eraser is another data destruction tool which is used for secure erase of data.…”

Section: Data Destructionmentioning

confidence: 99%

See 2 more Smart Citations

Attack Graph Analysis for Network Anti-Forensics

Chandran

Yan

2014

International Journal of Digital Crime and Forensics

View full text Add to dashboard Cite

The development of technology in computer networks has boosted the percentage of cyber-attacks today. Hackers are now able to penetrate even the strongest IDS and firewalls. With the help of anti-forensic techniques, attackers defend themselves, from being tracked by destroying and distorting evidences. To detect and prevent network attacks, the main modus of operandi in network forensics is the successful implementation and analysis of attack graph from gathered evidences. This paper conveys the main concepts of attack graphs, requirements for modeling and implementation of graphs. It also contributes the aspect of incorporation of anti-forensic techniques in attack graph which will help in analysis of the diverse possibilities of attack path deviations and thus aids in recommendation of various defense strategies for better security. To the best of our knowledge, this is the first time network anti-forensics has been fully discussed and the attack graphs are employed to analyze the network attacks. The experimental analysis of anti-forensic techniques using attack graphs were conducted in the proposed test-bed which helped to evaluate the model proposed and suggests preventive measures for the improvement of security of the networks.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Background and Motivationmentioning

confidence: 99%

See 1 more Smart Citation

Attack Graph Analysis for Network Anti-Forensics

Chandran

Yan

2014

International Journal of Digital Crime and Forensics

View full text Add to dashboard Cite

show abstract

“…wavelet analysis) to internet traffic helps us isolate the characteristics of the traffic by extracting hidden patterns of high and low frequency information [26]. Many researchers used wavelet analysis to identify network anomalies by reconstructing network traffic data [27,28], compressing the data by applying two different thresholds from wavelet coefficients [29], and designing better wavelet filters to identify better local frequency information [30]. In the work by Barford et al [30], wavelet transformations were used to extract flow-based traffic abnormality by splitting the input signals into different ranges of frequencies (low, mid, and high frequencies).…”

Section: Related Workmentioning

confidence: 99%

Designing an Internet Traffic Predictive Model by Applying a Signal Processing Method

Choi

Jeong

2014

J Netw Syst Manage

View full text Add to dashboard Cite

Detection of abnormal internet traffic has become a significant area of research in network security. Due to its importance, many predictive models are designed by utilizing machine learning algorithms. The models are well designed to show high performances in detecting abnormal internet traffic behaviors. However, they may not guarantee reliable detection performances for new incoming abnormal internet traffic because they are designed using raw features from imbalanced internet traffic data. Since internet traffic is non-stationary time-series data, it is difficult to identify abnormal internet traffic with the raw features. In this study, we propose a new approach to detecting abnormal internet traffic. Our approach begins with extracting hidden, but important, features by utilizing discrete wavelet transformation. Then, statistical analysis is performed to filter out irrelevant and less important features. Only statistically significant features are used to design a reliable predictive model with logistic regression. A comparative analysis is conducted to determine the importance of our approach by measuring accuracy, sensitivity, and the Area Under the receiver operating characteristic Curve. From the analysis, we found that our model detects abnormal internet traffic successfully with high accuracy.

show abstract

“…If the predicted value and observed value differ significantly, an anomaly is detected. While wavelet processing has been employed in intrusion detection (Barford et al, 2002;Kim et al, 2004;Zanero and Savaresi, 2004) and prediction (Brutlag, 2000) has also been used, a combination of these techniques for network intrusion detection is novel.…”

Section: Work Statementmentioning

confidence: 99%

Multi Scale Time Series Prediction for Intrusion Detection

Palanivel¹

2014

American Journal of Applied Sciences

View full text Add to dashboard Cite

We propose an anomaly-based network intrusion detection system, which analyzes traffic features to detect anomalies. The proposed system can be used both in online as well as off-line mode for detecting deviations from the expected behavior. Although our approach uses network packet or flow data, it is general enough to be adaptable for use with any other network variable, which may be used as a signal for anomaly detection. It differs from most existing approaches in its use of wavelet transform for generating different time scales for a signal and using these scales as an input to a two-stage neural network predictor. The predictor predicts the expected signal value and labels considerable deviations from this value as anomalies. The primary contribution of our work would be to empirically evaluate the effectiveness of multi resolution analysis as an input to neural network prediction engine specifically for the purpose of intrusion detection. The role of Intrusion Detection Systems (IDSs), as special-purpose devices to detect anomalies and attacks in a network, is becoming more important. First, anomaly-based methods cannot achieve an outstanding performance without a comprehensive labeled and up-to-date training set with all different attack types, which is very costly and time-consuming to create if not impossible. Second, efficient and effective fusion of several detection technologies becomes a big challenge for building an operational hybrid intrusion detection system.

show abstract

A signal analysis of network traffic anomalies

Cited by 623 publications

References 16 publications

Attack Graph Analysis for Network Anti-Forensics

Attack Graph Analysis for Network Anti-Forensics

Designing an Internet Traffic Predictive Model by Applying a Signal Processing Method

Multi Scale Time Series Prediction for Intrusion Detection

Contact Info

Product

Resources

About