Abstract
Many network attacks abuse network protocols, and several recent attacks violate the protocol standard outright. Kumar Das first presented the concept of protocol anomaly detection. The idea is not new, but it is interesting: it builds models of the proper use of a protocol, and any behaviour that departs from those models is regarded as intrusive or suspicious. In this paper we address shortcomings of the stochastic protocol models based on Markov chains presented by Juan M., and evaluate the result. Some necessary states are added to the protocol model, and the initial and transition probabilities are made more precise. We also propose combining the Chi-square distance with the Markov chain method to detect protocol anomalies. Experimental results show that the new approach detects SYN flooding attacks efficiently.
This paper is supported by the National Natural Science Foundation of China under Grant No.60273070, the Sci & Tech. Project of Hunan under Grant No. 04GK3022.
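The following Python sketch is an added illustration, not the paper's own model or code: it trains a smoothed Markov chain (initial and transition probabilities) over an assumed, simplified set of per-connection TCP states that includes an explicit END state, and scores a window of connections by the Chi-square distance between its observed initial-state and transition counts and the counts the trained model expects. The state set, the Laplace smoothing, the margin-based threshold calibration and the sample sequences are all assumptions of this example; the point it shows is that a window dominated by half-open connections, as seen during a SYN flood, lands far from the model while normal windows stay below the calibrated threshold.

```python
from collections import Counter

# Assumed, simplified per-connection TCP state set. The explicit END state is
# what makes half-open (never ACKed) connections visible to the model.
STATES = ["SYN", "SYN-ACK", "ACK", "FIN", "RST", "END"]

def train_markov(sequences, alpha=1.0):
    """Smoothed (alpha) initial (pi) and transition (P) probabilities from normal sequences."""
    k = len(STATES)
    init = Counter(seq[0] for seq in sequences)
    trans = Counter(t for seq in sequences for t in zip(seq, seq[1:]))
    pi = {s: (init[s] + alpha) / (len(sequences) + alpha * k) for s in STATES}
    P = {}
    for a in STATES:
        row = sum(trans[(a, b)] for b in STATES)
        P[a] = {b: (trans[(a, b)] + alpha) / (row + alpha * k) for b in STATES}
    return pi, P

def chi_square_distance(model, window):
    """Chi-square distance of a window's initial-state and transition counts from the model."""
    pi, P = model
    n = len(window)
    first = Counter(seq[0] for seq in window)
    dist = sum((first[s] - n * pi[s]) ** 2 / (n * pi[s]) for s in STATES)
    observed = Counter(t for seq in window for t in zip(seq, seq[1:]))
    for a in STATES:
        leaving = sum(observed[(a, b)] for b in STATES)
        for b in (STATES if leaving else []):  # states never left contribute nothing
            expected = leaving * P[a][b]
            dist += (observed[(a, b)] - expected) ** 2 / expected
    return dist

def calibrate(model, sequences, window, margin=2.0):
    """Detection threshold: margin times the largest distance seen on normal windows."""
    chunks = [sequences[i:i + window] for i in range(0, len(sequences), window)]
    return margin * max(chi_square_distance(model, c) for c in chunks)

def is_anomalous(model, window, threshold):
    return chi_square_distance(model, window) > threshold

# Constructed sample traffic: four normal connection patterns, and a burst of
# half-open connections that never reach ACK, as produced by a SYN flood.
NORMAL = [
    ["SYN", "SYN-ACK", "ACK", "ACK", "FIN", "ACK", "END"],
    ["SYN", "SYN-ACK", "ACK", "FIN", "ACK", "END"],
    ["SYN", "SYN-ACK", "ACK", "ACK", "ACK", "FIN", "ACK", "END"],
    ["SYN", "SYN-ACK", "ACK", "RST", "END"],
]
FLOOD = NORMAL + [["SYN", "SYN-ACK", "END"]] * 40
```

Training on `NORMAL * 5` and calibrating with `window=4` gives a threshold near 10; the `NORMAL` window scores about 5 while the `FLOOD` window scores in the hundreds, almost entirely from the unexpected SYN-ACK to END transitions.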
References
Levitt, K.: Intrusion Detection: Current Capabilities and Future Directions. In: Proc. of 18th Annual Computer Security Applications Conference, pp. 365–370 (2002)
Das, K.: Protocol Anomaly Detection for Network-based Intrusion Detection (1-16-2004), http://www.sans.org/rr/whitepapers/detection/349.php
Postel, J.: Transmission Control Protocol. RFC 793 (September 1981), http://www.faqs.org/rfcs/rfc793.html
Estevez-Tapiador, J.M., Garcia-Teodoro, P., Diaz-Verdejo, J.E.: Stochastic Protocol Modeling for Anomaly Based Network Intrusion Detection. In: Proc. of the First IEEE International Workshop on Information Assurance (IWIA 2003), pp. 3–12 (2003)
Lemonnier, E.: Protocol Anomaly Detection in Network-based IDSs (June 2001), http://erwan.lemonnier.free.fr/exjobb/report/protocol_anomaly_detection.pdf
Joglekar, S.P., Tate, S.R.: ProtoMon: Embedded Monitors for Cryptographic Protocol Intrusion Detection and Prevention. In: Proc. of the International Conference on Information Technology: Coding and Computing (ITCC 2004), pp. 81–86 (2004)
MIT Lincoln Laboratory. Intrusion detection evaluation (04-01-2003), http://www.ll.mit.edu/IST/ideval
Li, N., Qin, Z., Zhang, D.-F., et al.: Protocol Anomaly Detection Model Based on Markov Chain. Computer Science 31(10), 66–68 (2004)
Zhao, S., Deng, W.: The analysis of stochastic signal, 1st edn., pp. 153–159 (1999)
Gao, B., Ma, H.Y., Yang, Y.H.: HMMs (Hidden Markov Models) Based Anomaly Intrusion Detection Method. In: Proc. of the First Conference on Machine Learning and Cybernetics, Beijing, pp. 381–385 (2002)
Gao, F., Sun, J., Wei, Z.: The Prediction Role of Hidden Markov Model in Intrusion Detection. In: Proc. of the First International Conference on Machine Learning and Cybernetics, Beijing, pp. 381–385 (2002)
Jha, S., Tan, K., Maxion, R.A.: Markov Chains, Classifiers, and Intrusion Detection. In: Proc. of the 14th IEEE Workshop on Computer Security Foundations, pp. 206–219 (2001)
Tan, X., Wang, W., Xi, H., et al.: The system call sequence models based on Markov Chain and the application in anomaly detection. Engineering of Computer 28(12), 189–191 (2002)
Ye, N., Zhang, Y., Borror, C.M.: Robustness of the Markov chain model for cyber attack detection. IEEE Transactions on Reliability 52(3), 116–123 (2003)
TCPDUMP public repository. TCPDUMP (6-12-2004), http://www.tcpdump.org/
Ye, N., Chen, Q., Borror, C.M.: EWMA Forecast of Normal System Activity for Computer Intrusion Detection. IEEE Transactions on Reliability 53(4), 557–566 (2004)
Wang, H., Zhang, D., Shin, K.G.: Detecting SYN Flooding Attacks. In: Proc. of IEEE INFOCOM, pp. 1530–1539 (2002)
Siris, V., Papagalou, F.: Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks. In: Proc. of IEEE Global Telecommunications Conference, pp. 14–20 (2004)
Li, N.: The research of Protocol Anomaly Detection Based-on Markov Chain. Master thesis. Hunan University (2005)
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Qin, Z., Li, N., Zhang, Df., Bian, NZ. (2005). Improvement of Protocol Anomaly Detection Based on Markov Chain and Its Application. In: Chen, G., Pan, Y., Guo, M., Lu, J. (eds) Parallel and Distributed Processing and Applications - ISPA 2005 Workshops. ISPA 2005. Lecture Notes in Computer Science, vol 3759. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11576259_43
DOI: https://doi.org/10.1007/11576259_43
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29770-3
Online ISBN: 978-3-540-32115-6
eBook Packages: Computer Science (R0)