Image Processing & Communication, vol. 18, no. 1, pp. 15-22. DOI: 10.2478/v10248-012-0071-6


NETWORK ANOMALY DETECTION BASED ON SIGNAL PROCESSING TECHNIQUES

Tomasz Andrysiak, Łukasz Saganowski, Mirosław Maszewski

Institute of Telecommunications, University of Technology & Life Sciences in Bydgoszcz, ul. Kaliskiego 7, 85-789 Bydgoszcz, Poland {tomasz.andrysiak,lukasz.saganowski}@utp.edu.pl

Abstract. The article describes the possibility of using Matching Pursuit decomposition to recognize unspecified hazards in network traffic. Furthermore, the work presents feasible enhancements to the anomaly detection method, as well as their efficiency, evaluated on a wide collection of pattern test traces.

1 Introduction

It has been proven that signal processing techniques can be applied in Network Intrusion Detection Systems owing to their capability of detecting yet unspecified incursions and attacks that signature-based approaches fail to notice. Network traffic shows several characteristic statistical qualities when it is studied at different levels, such as long range dependence, entropy variations, self-similarity, etc. [1][2][3][4][5]. Approaches such as statistical analysis and signal processing are effective because they decompose the signals derived from network traffic, simultaneously allowing for recognition of different noises, trends and anomalous events. In recent years, therefore, academic researchers have put great effort into investigating spectral analysis, maximum entropy estimation, principal component analysis techniques and wavelet-based approaches [6][7]. An outstandingly potent tool for detection, synthesis and analysis is the wavelet-based approach. The scale and time localization features of the wavelet transform make it well suited to detecting irregular patterns in traffic traces. Thus, wavelet-based methods for identification of attacks have been analyzed and put on record. Tests are performed by means of continuous wavelet transform analysis and, most of all, the Discrete Wavelet Transform and multiresolution analysis [8]. The drawback of the Discrete Wavelet Transform is, however, that a great number of the coefficients it produces do not always reflect the relevant qualities of the network signals. This article therefore presents an original Anomaly Detection System (ADS) algorithm founded on Matching Pursuit [9] as an alternative to other signal processing and decomposition methods for intrusion or anomaly identification in network systems.


2 Signal Decomposition For Anomaly Detection

Given an overcomplete set of functions called a dictionary $D = \{d_0, d_1, \ldots, d_{n-1}\}$ such that $\|d_i\| = 1$, we can define an optimal $M$-approximation as an expansion minimizing the error $\delta$ of an approximation of the signal $S(t)$ by $M$ waveforms $d_i$ called atoms:

$$\delta = S(t) - \sum_{i=0}^{M-1} c_i d_i \qquad (1)$$

where the functions $d_i \in L^2(\mathbb{R})$ and $i \in \{0, 1, \ldots, M-1\}$ are the indices of the chosen functions $d_i$ [10]. Finding such an optimal approximation is an NP-hard problem [10][11]. A suboptimal expansion can be found by means of an iterative procedure, such as the matching pursuit algorithm.

2.1 Matching Pursuit Algorithm

Matching pursuit is a recursive, adaptive algorithm for signal decomposition [9]. Matching pursuit decomposes any signal into a linear expansion of waveforms taken from an overcomplete dictionary $D$. Sig-

results of previous iterations:

$$r^p s = r^{p-1} s - c_p d_{\varphi_p}, \qquad (3)$$

where

$$\varphi_p = \arg\max_{i \in \Phi_p} \left|\langle r^{p-1} s, d_i \rangle\right|, \quad \varphi_p \in \Phi_p, \qquad (4)$$

$$c_p = \langle r^{p-1} s, d_{\varphi_p} \rangle. \qquad (5)$$

Algorithm 1  $(C_p, D_p, R_p S) = MP(S, D, th)$
    $r^0 s = S$              initial residual
    $c_0 = 0$                initial solution
    $\Phi_0 = \emptyset$     initial index set of dictionary elements
    $D_0 = \emptyset$        initial set of dictionary
    $p = 0$                  initial value of the iterative variable
    while $\|r^p s\|$
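To make the iteration of equations (3)-(5) and the stopping threshold th of Algorithm 1 concrete, the following Python program is an added example written for this page; it is not code from the paper or its authors. The dictionary (a constant atom, sinusoids and Gaussian bumps), the two 64-sample traffic windows and the detection feature (the share of a window's energy left in the residual after a fixed atom budget) are constructed assumptions, since the page does not give the paper's dictionary or its decision rule.

```python
"""Matching pursuit (MP) decomposition of a network-traffic window.

Added example, not code from the paper.  Implements the greedy iteration of
equations (3)-(5): pick the atom phi_p with the largest |<r^{p-1}s, d_i>|,
take c_p = <r^{p-1}s, d_phi_p>, update r^p s = r^{p-1}s - c_p d_phi_p, and
stop when ||r^p s|| <= th (the `th` of Algorithm 1) or an atom budget is
spent.  Dictionary, traffic windows and detection rule are assumptions.
"""
import math
from typing import List, Tuple

Vector = List[float]


def inner(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b))


def norm(a: Vector) -> float:
    return math.sqrt(inner(a, a))


def unit(a: Vector) -> Vector:
    """Scale a waveform so that ||d_i|| = 1, as the dictionary requires."""
    n = norm(a)
    return [x / n for x in a]


def build_dictionary(n: int) -> List[Vector]:
    """Assumed overcomplete dictionary D over an n-sample window: one constant
    atom, cosine/sine atoms, and Gaussian bumps of several widths and centres.
    (The paper's own dictionary is not described on this page.)"""
    atoms = [unit([1.0] * n)]
    for k in range(1, n // 4):
        atoms.append(unit([math.cos(2 * math.pi * k * t / n) for t in range(n)]))
        atoms.append(unit([math.sin(2 * math.pi * k * t / n) for t in range(n)]))
    for width in (1.0, 2.0, 4.0, 8.0):
        for centre in range(0, n, 2):
            atoms.append(unit([math.exp(-((t - centre) ** 2) / (2 * width ** 2))
                               for t in range(n)]))
    return atoms


def matching_pursuit(s: Vector, dictionary: List[Vector], th: float,
                     max_atoms: int) -> Tuple[List[float], List[int], Vector]:
    """Return (coefficients c_p, chosen atom indices phi_p, final residual r^p s)."""
    residual = list(s)          # r^0 s = S
    coeffs: List[float] = []    # c_p
    indices: List[int] = []     # phi_p
    while norm(residual) > th and len(coeffs) < max_atoms:
        # phi_p = argmax_i |<r^{p-1}s, d_i>|                       eq. (4)
        phi = max(range(len(dictionary)),
                  key=lambda i: abs(inner(residual, dictionary[i])))
        c = inner(residual, dictionary[phi])                        # eq. (5)
        residual = [r - c * d for r, d in zip(residual, dictionary[phi])]  # eq. (3)
        coeffs.append(c)
        indices.append(phi)
    return coeffs, indices, residual


def residual_energy_ratio(s: Vector, dictionary: List[Vector], m: int) -> float:
    """Assumed detection feature: the fraction of the window's energy that m
    atoms fail to explain, ||r^m s||^2 / ||S||^2.  A window resembling the
    normal profile is absorbed by the first few atoms; a burst is not."""
    _, _, residual = matching_pursuit(s, dictionary, th=0.0, max_atoms=m)
    return inner(residual, residual) / inner(s, s)


# Constructed sample windows: packets per second over 64 one-second bins.
N = 64
NORMAL = [100.0 + 15.0 * math.cos(2 * math.pi * t / N) for t in range(N)]
FLOOD = [x + (300.0 if 40 <= t <= 43 else 0.0) for t, x in enumerate(NORMAL)]
DICTIONARY = build_dictionary(N)


def is_anomalous(window: Vector, m: int = 2, limit: float = 1e-3) -> bool:
    """Flag a window whose residual after m atoms keeps more than `limit` of its
    energy (m and limit are assumed values chosen from the NORMAL profile)."""
    return residual_energy_ratio(window, DICTIONARY, m) > limit


if __name__ == "__main__":
    for name, w in (("normal", NORMAL), ("flood", FLOOD)):
        c, idx, r = matching_pursuit(w, DICTIONARY, th=1e-6, max_atoms=10)
        print(f"{name}: {len(c)} atoms, ||r|| = {norm(r):.3g}, "
              f"anomalous = {is_anomalous(w)}")
```

Because every atom has unit norm, (3) and (5) give $\|r^p s\|^2 = \|r^{p-1} s\|^2 - c_p^2$, so the residual norm tested in the while loop of Algorithm 1 decreases monotonically and the loop terminates once it drops below th or the atom budget is spent. On the constructed windows the normal profile is absorbed by two atoms (the constant and the first cosine), while the burst leaves most of its energy in the residual after the same budget; that contrast is the kind of signal an anomaly detector built on this decomposition exploits, but the budget and threshold used here are illustrative, not the paper's.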