Bootstrap-Based Simple Probability Model for Classifying Network Traffic and Detecting Network Intrusion

NCJ Number
224757
Journal
Security Journal Volume: 21 Issue: 4 Dated: October 2008 Pages: 278-290
Author(s)
Yun Wang; Inyoung Kim
Date Published
October 2008
Length
13 pages
Annotation
This study addresses an essential challenge in modern network security: training an intrusion detection system with anomaly-free data.
Abstract
This study provides a potential approach to detecting network intrusion based on anomaly-free network traffic at the system level. Since the variables used in the model are retrievable from network audit data and the bootstrap simulation can be accomplished in common computer languages, the proposed model could be adopted by a variety of intrusion detection systems. In particular, it could be used as a threshold to filter network traffic in the mobile computing environment, where training data are limited and may not include any abnormal events, or include too few of them for other methods. The presented simple probability-based model shows performance in sensitivity, specificity, ROC (receiver operating characteristic) area, and classification agreement equivalent to that of the logistic regression approach. Network traffic audit data provide unique and valuable information for network security. Although a comprehensive intrusion detection scheme draws on multiple data sources and multiple measurements, the system-level traffic data provide important baseline information on anomalous traffic that could harm the network system, and such information can be learned from training data. This study focused on two goals: (1) to develop a probability model that describes the baseline normal behavior pattern for each site, represented by its Internet Protocol (IP) address, from anomaly-free data, and (2) to validate the model and estimate the probability of being normal for each network connection. Tables, figures, and references
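The abstract describes the approach only in outline: learn a per-site (per-IP) baseline from anomaly-free audit records, use bootstrap resampling to obtain a reference distribution, and turn each new connection's distance from the baseline into a probability of being normal that can be thresholded. The following is an added illustration of that idea and is not the authors' model or code. It assumes three numeric per-connection features (bytes sent, duration, packets), a sum-of-squared-z-scores distance, a per-site training set of only 25 connections (the limited-data setting the abstract mentions), and a 1% threshold; the training records are constructed synthetic data.

```python
import random
from bisect import bisect_left
from collections import defaultdict

# Constructed, anomaly-free training connections keyed by source IP.
# Each record is (ip, bytes_sent, duration_seconds, packets); the values are
# synthetic and the three features are an assumption for illustration.
def make_training(seed=7, per_site=25):
    rng = random.Random(seed)
    typical = {"10.0.0.5": (4000.0, 30.0, 40.0), "10.0.0.9": (800.0, 5.0, 12.0)}
    records = []
    for ip, centre in typical.items():
        for _ in range(per_site):
            feats = tuple(max(0.1, rng.gauss(m, 0.2 * m)) for m in centre)
            records.append((ip,) + feats)
    return records


def feature_stats(rows):
    """Per-feature mean and standard deviation for a list of feature tuples."""
    n, k = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(k)]
    stds = [max((sum((r[j] - means[j]) ** 2 for r in rows) / n) ** 0.5, 1e-9)
            for j in range(k)]  # floor keeps a constant feature from dividing by zero
    return means, stds


def score(feats, means, stds):
    """Squared standardised distance from the site baseline; larger is less normal."""
    return sum(((x - m) / s) ** 2 for x, m, s in zip(feats, means, stds))


class BootstrapBaseline:
    """Per-site baseline learned from anomaly-free traffic only.

    Bootstrap resampling of the training connections yields a reference
    distribution of the scores ordinary traffic produces, including the
    variation that comes from estimating the baseline on a small sample.
    """

    def __init__(self, training, n_boot=200, seed=1):
        rng = random.Random(seed)
        by_site = defaultdict(list)
        for ip, *feats in training:
            by_site[ip].append(tuple(feats))
        self.stats = {}  # ip -> (means, stds) from the full training set
        self.ref = {}    # ip -> sorted scores of normal traffic under bootstrap baselines
        for ip, rows in by_site.items():
            self.stats[ip] = feature_stats(rows)
            ref = []
            for _ in range(n_boot):
                resample = [rng.choice(rows) for _ in rows]  # draw with replacement
                means, stds = feature_stats(resample)
                ref.extend(score(r, means, stds) for r in rows)
            self.ref[ip] = sorted(ref)

    def p_normal(self, ip, feats):
        """Empirical probability that normal traffic from this site scores at least
        as high as the given connection; None when the site has no baseline."""
        ref = self.ref.get(ip)
        if ref is None:
            return None
        s = score(feats, *self.stats[ip])
        at_least = len(ref) - bisect_left(ref, s)
        return (1 + at_least) / (1 + len(ref))  # add-one rule so p is never exactly 0

    def classify(self, ip, feats, alpha=0.01):
        """Threshold the probability: flag connections normal traffic would rarely produce."""
        p = self.p_normal(ip, feats)
        if p is None:
            return "no-baseline"
        return "anomalous" if p < alpha else "normal"


if __name__ == "__main__":
    model = BootstrapBaseline(make_training())
    for ip, feats in [("10.0.0.5", (4100.0, 28.0, 42.0)),
                      ("10.0.0.5", (250000.0, 28.0, 42.0)),
                      ("10.0.0.7", (500.0, 3.0, 9.0))]:
        print(ip, feats, model.classify(ip, feats), model.p_normal(ip, feats))
```

Two design points worth noting. The reference distribution is built by scoring the original training connections against each resampled baseline, so a site with few records gets a wider, more honest spread of "normal" scores rather than an overconfident one. A source IP with no training data returns no probability at all instead of a silent "normal"; whether such traffic is dropped or routed to another detector is a policy decision that the score should not make by default.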
