Journal of Systemics, Cybernetics and Informatics (Aug 2013)

Network Intrusion Detection System – A Novel Approach

  • Krish Pillai

Journal volume & issue
Vol. 11, no. 6
pp. 65 – 70

Abstract


Network intrusion starts off with a series of unsuccessful break-in attempts and eventually results in the permanent or transient failure of an authentication or authorization system. Due to the current complexity of authentication systems, clandestine attempts at intrusion generally take considerable time before the system is compromised or damaging change is effected to the system, giving administrators a window of opportunity to proactively detect and prevent intrusion. Therefore, maintaining a high level of sensitivity to abnormal access patterns is a very effective way of preventing possible break-ins. Under normal circumstances, gross errors on the part of the user can cause authentication and authorization failures on all systems. A normal distribution of failed attempts should be tolerated, while abnormal attempts should be recognized as such and flagged. But one cannot manage what one cannot measure. This paper proposes a method that can efficiently quantify the behaviour of users on a network so that transient changes in usage can be detected, categorized based on severity, and closely investigated for possible intrusion. The author proposes the identification of patterns in protocol usage within a network to categorize it for surveillance. Statistical anomaly detection, the category under which this approach falls, generally uses simple statistical tests such as mean and standard deviation to detect behavioural changes. The author proposes a novel approach using spectral density as opposed to time-domain data, allowing a clear separation of access patterns based on periodicity. Once a spectral profile has been identified for a network, deviations from this profile can be used as an indication of a destabilized or compromised network. Spectral analysis of access patterns is done using the Fast Fourier Transform (FFT), which can be computed in Θ(N log N) operations.
The paper justifies the use of this approach and presents preliminary results of studies the author has conducted on a restricted campus network. The paper also discusses how profile deviations of the network can be used to trigger a more exhaustive diagnostic setup that can be a very effective first line of defense for any network.
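The following is an added illustration of the spectral-profile idea described in the abstract; it is not code from the paper, and the hourly failed-login counts, the 8-hour baseline rhythm and the threshold values are constructed for the example. It builds a baseline magnitude spectrum of a count series with a radix-2 FFT, then scores a new window by its normalised distance from that profile, so that ordinary user error stays close to zero while an automated, periodic pattern stands out.

```python
import cmath
import math

def fft(x):
    """Radix-2 Cooley-Tukey FFT of a sequence whose length is a power of two.
    Runs in Theta(N log N), the cost the abstract cites."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out

def spectral_profile(counts):
    """Magnitude spectrum over bins 1..N/2 of a per-hour event-count series.
    The mean is removed first so the profile captures periodicity (how often
    failures recur), not the raw volume of failures."""
    mean = sum(counts) / len(counts)
    spectrum = fft([c - mean for c in counts])
    return [abs(v) for v in spectrum[1 : len(counts) // 2 + 1]]

def profile_deviation(baseline_counts, window_counts):
    """Distance between the baseline spectral profile and a new window's
    profile, normalised by the baseline's energy so 0 means 'usual rhythm'."""
    base, win = spectral_profile(baseline_counts), spectral_profile(window_counts)
    dist = math.sqrt(sum((b - w) ** 2 for b, w in zip(base, win)))
    return dist / (math.sqrt(sum(b * b for b in base)) or 1.0)

# Constructed sample data (not from the paper): 64 hourly counts of failed
# logins following an 8-hour rhythm, i.e. one cycle every 8 bins.
BASELINE = [round(3 + 2 * math.cos(2 * math.pi * h / 8)) for h in range(64)]
# Ordinary user error: two extra failures at arbitrary hours.
NORMAL = [c + (1 if h in (10, 37) else 0) for h, c in enumerate(BASELINE)]
# Automated guessing: 6 extra attempts every second hour, a new 2-hour period.
ATTACK = [c + (6 if h % 2 == 0 else 0) for h, c in enumerate(BASELINE)]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("attack", ATTACK)):
        print(f"{name}: deviation = {profile_deviation(BASELINE, window):.2f}")
```

The periodic attack lands almost entirely in one spectral bin the baseline never uses, which is why it scores far above the scattered user errors even though it adds only a modest number of failures per hour.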

Keywords