Abstract
This paper presents a technique for creating an ARX model of network signals and using it to detect network anomalies caused by intrusions. Network signals are non-stationary, highly volatile and hard to model using traditional methods. We present our own modeling technique using a combination of system identification theory and wavelet approximation. We also present the results of a prototype implementation applied to the 1999 DARPA intrusion detection evaluation data set. We verify that the technique is viable for anomaly-based intrusion detection and can contribute to defense in depth in a network. The proposed technique is online and generic, and can be used with many other network signals such as bandwidth consumption, rate of flow arrival or SNMP variables. Moreover, it requires minimal expertise on the part of the network administrator and automatically adapts to the underlying network behavior.
