Abstract
In the TCP network environment, all unit transmissions are constructed using sessions. In the session, packets are transmitted sequentially. In this case, the previous and next packets contain causality mutually. Thus, we propose a method that models network transmission information based on transitions of packet states. In addition to the transition model, a probability matrix for the multiple state-transition models of all sessions is represented. The matching of the models is achieved using the maximum log-likelihood ratio. Evaluation of the proposed method for intrusion modeling is conducted by using 1999 DARPA data sets. The method is also compared with Snort-2 which is misuse-based intrusion detection system. In addition, the techniques for advancing proposed method are discussed.
This research was supported by the MIC(Ministry of Information and Communication), Korea, under the ITRC(Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Assessment).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Ross, S.M.: Introduction to Probability Models, 8th edn. Academic Press, London (2002)
Helstrom, C.W.: Statistical Theory of Signal Detection, 2nd edn. Pergamon Press, London (1968)
Shchervinin, A.F.: Conditional normalized likelihood estimators of parameters of the normal distribution. In: Measurement Techniques. Springer, New York (1992)
Otsuka, T., Ohya, J.: Recognizing multiple persons’ facial expressions using HMM based on automatic extraction of significant frames from image sequences. In: Proc. Int. Conf. on Image Processing (ICIP 1997), Santa Barbara, CA, USA, pp. 546–549 (October 1997)
Cho, S.-B., Han, S.-J.: Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 207–219. Springer, Heidelberg (2003)
Cheong, I.-A., Kim, Y.-M., Kim, M.-S., Noh, B.-N.: The Causality Analysis of Protocol Measures for Detection of Attacks based on Network. In: The Intl. Conf. on Information Networking, Proc., vol. III (February 2004)
Lincoln Laboratory. MIT, DARPA Intrusion Detection Evaluation Data Sets, http://www.ll.mit.edu/IST/ideval/data/data_index.html
Estevez-Tapiador, J.M., Garcia-Teodoro, P., Diaz-Verdejo, J.E.: Stochastic Protocol Modeling for Anomaly Based Network Intrusion Detection. In: The First IEEE International Workshop on Information Assurance (IWIA 2003), Darmstadt, Germany (March 2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Noh, SK., Kim, D., Kim, YM., Noh, BN. (2006). Modeling of Network Intrusions Based on the Multiple Transition Probability. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (eds) Advances in Information and Computer Security. IWSEC 2006. Lecture Notes in Computer Science, vol 4266. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11908739_20
Download citation
DOI: https://doi.org/10.1007/11908739_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-47699-3
Online ISBN: 978-3-540-47700-6
eBook Packages: Computer ScienceComputer Science (R0)