Behavior of Packet Counts for Network Intrusion Detection

Behavior of Packet Counts for Network Intrusion sleuthingstatistical Behavior of Packet Counts for Network Intrusion DetectionAbstract Intrusions and attacks have become a precise serious problem in network world. This paper presents a statistical characterization of packet believes that screw be utilize for network encroachment maculation. The main idea is based on detecting whatever suspicious behavior in computer networks depending on the comparison between the correlativity results of control and information planes in the presence and absence of attacks using histogram summary. Signal touch on tools such as average filtering, locomote average filtering, and topical anaesthetic sectionalization estimators are exploited to help in developing network anomalousness detection approaches. Therefore, detecting dissimilarity can indicate an ab conventionality behavior.Keywords Anomaly detection, statistics, Network Intrusion Detection Systems (NIDS).I. INTRODUCTIONNOWADA YS, the use of the Internet has become important and it increased considerably. Internet use has spread to casual work, business, education, entertainment and etc. Computer networks bring us a lot of benefits, such as calculation and better performance, but they also bring risks. So, security systems have to be built to face those risks. whizz of those systems is the network intrusion detection system (NIDS), which is designed to alert the network administrators to the presence of an attack. Recently, intrusions are sort as serious Internet security threats due to the mass service disruption they result in, the unsecured use of the Internet, and the difficulty to defend against them 1. Some attacks subscribe to consume large amount of resources to prevent received users from receiving satisfactory performance.Network Intrusion Detection System is a tool to detect the attacks that attempt to via media the availability, integrity or confidentiality of the network. It has been s tarted to be used frequently as one component of an effective shape security model for an organization. This system monitors network traffic continuously for malicious activity, and raise alerts when they detect attacks. real intrusion detection systems can be classified into signature detection systems/ misuse and anomalousness detection systems 2-3.Signature detection systems rely on a database of a predefined set of attack signatures. They detect attacks by comparing the observed patterns of the network traffic with the database. If the attack is listed in the database, then it can be successfully detected and identified 4. On the other hand, anomaly detection systems are designed to compare the parameters of the ruler network traffic to the observed unusual traffic 5. In such cases, the detected deviation from the general traffic is declared as an attack. Such methods can detect new kinds of network attacks.In this paper, we aim to studding the intrusion and attacks behavio r by monitoring the changes in the traffic of the network. Detecting dissimilarity between the correlation results of control and data planes can indicate an abnormal behavior 6. This paper is organized as follows. share II includes the anomaly detection techniques. Section III, includes the suggested statistical analysis. Section IV, includes the simulation results. Section V includes the cerebrate remarks.II. Anomaly detection techniquesA number of studies have focused on developing network anomaly detection methods. For example, Haystack 7 is one of the statistical anomaly-based intrusion detection systems. In this system, a range of set is set to indicate the normal status of each pre-defined feature. If the value measured during a session repose outside the normal range, then the score of a subject is raised. Haystack was designed to work offline and that was considered as one of its drawbacks 8.Statistical Packet Anomaly Detection Engine (SPADE) 9 is also one of the statis tical anomaly-based intrusion detection systems. It uses the concept of an anomaly score to detect sport scans. A simple frequency kingdom based approach is used to calculate the anomaly score of a packet. The fewer the packets, the higher the anomaly score. One drawback of the SPADE is its high false alarm rate.In this paper, we concentrate on the statistical analysis of the correlation sequence between packet and control counts in computer networks 10. The suggested approach is based on distinguishing histograms of the correlation sequences of normal and abnormal traffics. The correlation sequences are processed either directly or aft(prenominal) pre-processing with differentiator, median filtering, or local variance estimation.III. StatisticsHistogram AnalysisHistogram is defined as a graphical standard of the scattering of data, a histogram is a function that counts the number of observations that fall into each of the disjoint categories, Thus, if we let k be the total numb er of bins and n be the total number of observations, the histogram mi meets the followers conditions 7 (1) median(prenominal) FilteringThe median filtering is based on sorting the data and selecting is the middle number. It is used to exclude impulsive values in the correlation sequences.MeanThe mean is the average of a set of numbers(2)VarianceThe variance is a measure of how items are dispersed about their mean. The variance of a whole population is condition by the equation 11(3)where M is the local mean.IV. Proposed ApproachThe proposed approach can be summarized in the following stepsNetwork traffic packet traces are typically provided in raw tcpdump format 12. Therefore, it is inevitable to preprocess packets to extract the features in the format needed to carry out further analysis 6.Extracting a count features, from the packet header information .Computing the similarity between the two traffic chemical groups control and data by using cross-correlation function.Applying some sort of pre-processing on the correlation sequence with median filtering, moving average, differentiator, and local variance estimation.Histogram estimation of the original correlation sequences and the pre-processed sequences.Creating databases for the histograms with attacks and without attacks.Setting thresholds based on these histograms for discrimination.V. experimental resultsWe have used the cross-correlation results between the control and data packets when on that point is no attacks and when at that place is an attack for one day of KSU traffic. Fig. 1 shows the correlation coefficients between the control and data packets when there is no an attack. Fig 2 shows the correlation coefficients when there is an attack applied. Fig. 3 shows the correlation coefficients histogram distribution for normal and abnormal traffic. Fig. 4 shows the histogram distribution of the correlation coefficient median for normal and abnormal traffic. Fig. 5 shows the histogram distributi on of correlation coefficients mean for normal and abnormal traffic. Fig. 6 shows the histogram distribution of the correlation coefficients local variance for normal and abnormal traffic. The experimental results reveal that when there is an attack, a noted difference in histogram distribution is found.Fig. 1 Correlation coefficients for normal traffic.Fig. 2 Correlation coefficients for abnormal traffic.Fig. 3 Correlation coefficients histogram distribution for normal and abnormal traffic.Fig. 4 Histogram of the correlation coefficients median for normal and abnormal traffic.Fig. 5 Histogram of the correlation coefficients local mean for normal and abnormal traffic.Fig. 6 Histogram of the correlation coefficients local variance for normal and abnormal traffic.From these figures, we can set a probability threshold for each case, based on which, a decision of normal or abnormal traffic can be taken.VI. ConclusionThe paper presented a statistical study for the correlation coef ficients between packet and control planes of network traffic. Simulation experiments have shown that there is a difference in histogram distribution between normal and abnormal traffics. With the aid of signal processing tools like median filtering, local mean filtering and local variance filtering, we can set a group of thresholds to distinguish between normal and abnormal traffics.