Sciweavers

IWIA
2006
IEEE

An Application of Information Theory to Intrusion Detection

14 years 5 months ago
An Application of Information Theory to Intrusion Detection
Zero-day attacks, new (anomalous) attacks exploiting previously unknown system vulnerabilities, are a serious threat. Defending against them is no easy task, however. Having identified “degree of system knowledge” as one difference between legitimate and illegitimate users, theorists have drawn on information theory as a basis for intrusion detection. In particular, Kolmogorov complexity (K) has been used successfully. In this work, we consider information distance (Observed K − Expected K) as a method of detecting system scans. Observed K is computed directly, Expected K is taken from compression tests shared herein. Results are encouraging. Observed scan traffic has an information distance at least an order of magnitude greater than the threshold value we determined for normal Internet traffic. With 320 KB packet blocks, separation between distributions appears to exceed 4σ.
E. Earl Eiland, Lorie M. Liebrock
Added 12 Jun 2010
Updated 12 Jun 2010
Type Conference
Year 2006
Where IWIA
Authors E. Earl Eiland, Lorie M. Liebrock
Comments (0)