

Type of Document: Dissertation
Author: Patcha, Animesh
URN: etd-07192006-152001
Title: Network Anomaly Detection with Incomplete Audit Data
Degree: PhD
Department: Electrical and Computer Engineering

Advisory Committee
- Park, Jung-Min Jerry (Committee Chair)
- DaSilva, Luiz A. (Committee Member)
- Hou, Yiwei Thomas (Committee Member)
- North, Christopher L. (Committee Member)
- Shukla, Sandeep K. (Committee Member)

Keywords
- high speed networks
- Anomaly detection
- weighted sampling
- denial-of-service
- expectation-maximization
Date of Defense: 2006-07-06
Availability: unrestricted

Abstract

With the ever-increasing deployment and usage of gigabit networks, traditional anomaly-detection-based network intrusion detection systems have not scaled accordingly. Most, if not all, deployed systems assume that complete and clean data is available for the purpose of intrusion detection. We contend that this assumption is not valid. Factors such as noise in the audit data, mobility of the nodes, and the large volume of data generated by the network make it difficult to build a normal traffic profile of the network for the purpose of anomaly detection.
From this perspective, the leitmotif of the research effort described in this dissertation is the design of a novel intrusion detection system that can detect intrusions with high accuracy even when complete audit data is not available. In this dissertation, we take a holistic approach to anomaly detection to address the threats posed by network-based denial-of-service attacks, proposing improvements at every step of the intrusion detection process. At the data collection phase, we have implemented an adaptive sampling scheme that intelligently samples incoming network data to reduce the volume of traffic sampled while preserving the intrinsic characteristics of the network traffic. A Bloom-filter-based fast flow aggregation scheme is employed at the data pre-processing stage to further reduce the response time of the anomaly detection scheme. Lastly, this dissertation also proposes an expectation-maximization-based anomaly detection scheme that uses the sampled audit data to detect intrusions in the incoming network traffic.
Files
- Filename: animesh_final_dissertation.pdf
- Size: 642.69 Kb
- Approximate Download Time (Hours:Minutes:Seconds):
  - 28.8 Modem: 00:02:58
  - 56K Modem: 00:01:31
  - ISDN (64 Kb): 00:01:20
  - ISDN (128 Kb): 00:00:40
  - Higher-speed Access: 00:00:03