An Application of Information Theory to Intrusion Detection

Royal Holloway, United Kingdom April 13-April 14

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/IWIA.2006.3

Fourth IEEE International Workshop on ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by E. Earl Eiland Articles by Lorie M. Liebrock

	ASCII Text	x
	E. Earl Eiland, Lorie M. Liebrock, "An Application of Information Theory to Intrusion Detection," Information Assurance, IEEE International Workshop on/Innovative Architecture for Future Generation High-Performance Processors and Systems, International Workshop on/Innovative Architecture, International Workshop on, pp. 119-134, Fourth IEEE International Workshop on Information Assurance (IWIA'06), 2006.

	BibTex	x
	@article{ 10.1109/IWIA.2006.3, author = {E. Earl Eiland and Lorie M. Liebrock}, title = {An Application of Information Theory to Intrusion Detection}, journal ={Information Assurance, IEEE International Workshop on/Innovative Architecture for Future Generation High-Performance Processors and Systems, International Workshop on/Innovative Architecture, International Workshop on}, volume = {0}, year = {2006}, isbn = {0-7695-2564-4}, pages = {119-134}, doi = {http://doi.ieeecomputersociety.org/10.1109/IWIA.2006.3}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Information Assurance, IEEE International Workshop on/Innovative Architecture for Future Generation High-Performance Processors and Systems, International Workshop on/Innovative Architecture, International Workshop on TI - An Application of Information Theory to Intrusion Detection SN - 0-7695-2564-4 SP119 EP134 A1 - E. Earl Eiland, A1 - Lorie M. Liebrock, PY - 2006 KW - null VL - 0 JA - Information Assurance, IEEE International Workshop on/Innovative Architecture for Future Generation High-Performance Processors and Systems, International Workshop on/Innovative Architecture, International Workshop on ER -

E. Earl Eiland, New Mexico Inst. of Mining and Technology, Socorro, New Mexico

Lorie M. Liebrock, New Mexico Inst. of Mining and Technology, Socorro, New Mexico USA

Zero-day attacks, new (anomalous) attacks exploiting previously unknown system vulnerabilities, are a serious threat. Defending against them is no easy task, however. Having identified "degree of system knowledge" as one difference between legitimate and illegitimate users, theorists have drawn on information theory as a basis for intrusion detection. In particular, Kolmogorov complexity (K) has been used successfully. In this work, we consider information distance (Observed_K - Expected_K) as a method of detecting system scans. Observed_K is computed directly, Expected K is taken from compression tests shared herein. Results are encouraging. Observed scan traffic has an information distance at least an order of magnitude greater than the threshold value we determined for normal Internet traffic. With 320 KB packet blocks, separation between distributions appears to exceed 4\sigma.

Citation:

E. Earl Eiland, Lorie M. Liebrock, "An Application of Information Theory to Intrusion Detection," iwia, pp.119-134, Fourth IEEE International Workshop on Information Assurance (IWIA'06), 2006

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.