Jordan, Timothy J. (2010) Intrusion and anomaly detection in computer networks using signal processing approaches. [USQ Project] (Unpublished)
Abstract
Computer network problems can often be time consuming and frustrating to resolve. An inefficient yet heavily used method for resolving these problems is to inspect performance data manually and apply 'trial and error' methods until the system is working again. Normally the actual cause of the problem is only resolved post-mortem by inspecting the various network data available. The aim of this paper is to research and test signal processing techniques and how they can be applied to various data produced by computer network anomalies. More specifically, the properties of different network events will be characterised and the data that makes up those characteristics will be extracted and analysed using a modified cumulative sum algorithm. Network events that will be covered are a Denial of Service SYN flood attack, a Flash Crowd and a DNS server failure. The characteristics will be extracted by analysing traffic matching certain properties, such as its IP/TCP protocol, source and destination address, or which TCP flags are set on each packet. Applying the signal processing techniques requires data for the signal processing system to process. To obtain it, the network anomalies were simulated in a test network and the traffic was captured during the simulations. The traffic was then put through the analysis system. The main signal processing technique used was the Cumulative Sum algorithm, which was used inside a change detection system. Results from the change detection system were promising, as changes in states and state properties could be detected.
| Item Type: | USQ Project |
|---|---|
| Uncontrolled Keywords: | computer networks; Digital Signal Processing (DSP); Cumulative Sum algorithm; computer network traffic control |
| Fields of Research (FOR2008): | 09 Engineering > 0906 Electrical and Electronic Engineering > 090609 Signal Processing; 10 Technology > 1005 Communications Technologies > 100503 Computer Communications Networks |
| Subjects: | UNSPECIFIED |
| Socio-Economic Objective (SEO2008): | UNSPECIFIED |
| ID Code: | 19019 |
| Deposited By: | |
| Deposited On: | 03 May 2011 13:43 |
| Last Modified: | 03 May 2011 13:43 |
