
Research And Applications On Network Protocol Anomaly Detection Models

Posted on: 2011-11-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Zhao
Full Text: PDF
GTID: 1118360308480025
Subject: Computer software and theory
Abstract/Summary:
With the development of network techniques, network security has become a critical issue. Traditional network security measures depend on installing firewalls and antivirus software, but these methods are not enough to defend networks. There is therefore an urgent need for a solution that actively defends networks against growing security threats. Intrusion Detection Systems (IDSs) automatically scan network activities and computer systems to protect computers against unauthorized use, making them secure and resistant to intruders. According to their detection principle, intrusion detection techniques can be divided into misuse detection and anomaly detection. For the last decade, most IDSs developed have been based on misuse detection. Although easy to implement, misuse detection requires continuous updates of its signature database as well as continuous research work to analyze new attacks and find their signatures. Anomaly detection has the advantage of detecting novel intrusions, but it has not been widely adopted because of its high false positive rate.

At present, most successful Internet attacks are carried out through protocols, so the anomalies caused by intrusions show up as protocol anomalies. As a new variant of anomaly detection, protocol anomaly detection builds models of TCP/IP protocols from their specifications to detect activities that violate protocol standards. The dissertation focuses on the design of models, the application of detection techniques and the improvement of protocol anomaly detection algorithms. The following innovative solutions are proposed.

1. A protocol anomaly detection model based on the Hidden Markov Model (HMM) is proposed. The model filters incoming network traffic by destination port and quantizes flags into decimal numbers. These numbers are then grouped by connection into sequences which serve as the inputs of the HMM. This greatly reduces the influence of heavy network traffic on model performance. The model also describes the relationships between states well and represents the corresponding protocol. We test the model on the DARPA 1999 intrusion detection datasets to demonstrate its correctness and effectiveness. Experimental results also show that the HMM-based model achieves higher detection rates on attacks than the method based on a Markov chain.

2. A protocol anomaly detection model based on both the transition property and the frequency property of network traffic is proposed. We examine the transition property and the frequency property of network traffic and build a model that combines the two. The Viterbi algorithm is used to deduce the optimal state sequences, from which the state pattern database is built. The model therefore describes a protocol's normal state-transition pattern through a small number of short sequences and has the advantage of handling large datasets. The frequency distribution of short sequences is used as input to train the model, and the deviation of observed data from the model is measured during detection. This significantly reduces the false positive rate while keeping a high detection rate. Compared with the HMM detection model based only on the transition property, this model performs better.

3. A protocol anomaly detection model based on string kernels is proposed. As a classification algorithm, SVM has been widely used in host-based intrusion detection. String kernels are defined over substrings. We study how to use string kernels to describe protocol state information and apply them to protocol anomaly detection. Moreover, we reduce or eliminate the impact of normal data within an attack to improve the detection rate. A protocol anomaly detection model is constructed by embedding string kernels. Experimental results on the DARPA 1999 intrusion detection datasets show that the algorithm based on the Markov kernel achieves a detection rate of 98% with a false positive rate of 0%, better than the other string kernels. The algorithm based on the all-length-weighted kernel accounts for the contribution of longer subsequences to the kernel value. Furthermore, the all-length-weighted once kernel, in which every subsequence is counted only once regardless of whether it occurs once or many times in a string, reduces the influence of repeated data on detection performance.

4. A protocol anomaly detection model based on conditional random fields (CRF) is proposed. CRF models treat network connections as observation sequences. Each packet in a connection has two features: flag and frequency. The CRF model quantizes flags into decimal numbers and computes the frequencies of flags. These decimal numbers are then used, grouped by connection, as inputs for training the CRF model. This takes advantage of combining multiple features in intrusion detection. We test the model on the DARPA 1999 intrusion detection datasets to demonstrate its correctness and effectiveness. Experimental results also show that the CRF-based model achieves higher detection rates on attacks than the HMM-based method.

We also propose a framework for an intrusion detection and management system, which is used to monitor the network traffic of a real-time information system in a nuclear power plant. We implement the protocol anomaly detection subsystem of the framework. The experimental results show that this system can distinguish anomalous but non-malicious activities from genuine attacks, and that our protocol anomaly detection model is practical and efficient.
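The preprocessing that models 1 and 2 share, as an added illustration that is not code from the dissertation: TCP flags are quantized to decimal values, packets are filtered by service port and grouped into one observation sequence per connection, and a frequency profile of short sequences scores how far a new connection deviates from normal. The packet tuple layout, the port filter keeping both directions, and the sample capture are all assumptions constructed for this example.

```python
from collections import Counter, defaultdict

# TCP flag bit values (RFC 793 header layout); quantizing a flag set = summing its bits.
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

# Constructed sample capture (not real data): one HTTP connection plus an SSH packet
# that the destination-port filter must drop. Tuple layout is an assumption:
# (src_ip, src_port, dst_ip, dst_port, flag_set), in capture order.
C, S = "10.0.0.5", "10.0.0.1"
NORMAL_PACKETS = [
    (C, 40001, S, 80, {"SYN"}), (S, 80, C, 40001, {"SYN", "ACK"}),
    (C, 40001, S, 80, {"ACK"}), (C, 40001, S, 80, {"PSH", "ACK"}),
    (C, 40002, S, 22, {"SYN"}),                       # different service, filtered out
    (S, 80, C, 40001, {"PSH", "ACK"}), (C, 40001, S, 80, {"FIN", "ACK"}),
    (S, 80, C, 40001, {"FIN", "ACK"}), (C, 40001, S, 80, {"ACK"}),
]

def quantize_flags(flags):
    """Decimal value of a TCP flag set, e.g. {SYN, ACK} -> 18."""
    return sum(FLAG_BITS[f] for f in flags)

def connection_sequences(packets, service_port):
    """Keep packets to or from service_port and group quantized flags per connection.
    A connection is keyed by its unordered endpoint pair so both directions land in
    one observation sequence, the form consumed by the HMM."""
    seqs = defaultdict(list)
    for sip, sp, dip, dp, flags in packets:
        if service_port not in (sp, dp):
            continue
        key = tuple(sorted([(sip, sp), (dip, dp)]))
        seqs[key].append(quantize_flags(flags))
    return dict(seqs)

def short_sequence_profile(sequences, n=3):
    """Frequency distribution of length-n windows over normal sequences (model 2)."""
    counts = Counter()
    for seq in sequences:
        for i in range(len(seq) - n + 1):
            counts[tuple(seq[i:i + n])] += 1
    total = sum(counts.values())
    return {w: c / total for w, c in counts.items()}

def deviation(seq, profile, n=3):
    """Share of length-n windows in seq that the normal profile never observed."""
    windows = [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]
    if not windows:
        return 0.0
    return sum(1 for w in windows if w not in profile) / len(windows)

if __name__ == "__main__":
    normal = connection_sequences(NORMAL_PACKETS, 80)
    profile = short_sequence_profile(normal.values())
    print(normal)                                   # one sequence: [2, 18, 16, 24, 24, 17, 17, 16]
    print(deviation([2, 18, 16, 24, 4], profile))   # 0.333...: a reset after data was never seen
```

A real deployment would train the profile on many normal connections and threshold the deviation score; here a single constructed connection is enough to show the pipeline end to end.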
Keywords/Search Tags: intrusion detection system, protocol anomaly detection, hidden Markov model, support vector machine, string kernel, conditional random field