University of Hertfordshire

A Chi-square testing-based intrusion detection Model

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

  • Nasser Abouzakhar
  • Abu Bakar
Original language: English
Title of host publication: Procs 4th International Conference on Cybercrime Forensics Education & Training
Subtitle of host publication: CFET 2010
ISBN (Electronic): 978-1-899253-73-9
Publication status: Published - 3 Sep 2010
Event: 4th Int Conf on Cybercrime Forensics Education and Training (CFET 2010) - Canterbury, United Kingdom
Duration: 2 Sep 2010 to 3 Sep 2010

Conference

Conference: 4th Int Conf on Cybercrime Forensics Education and Training (CFET 2010)
Country: United Kingdom
City: Canterbury
Period: 2/09/10 to 3/09/10

Abstract

The rapid growth of malicious Internet activity has become a major concern to the network forensics and security community. With the increasing use of IT technologies for managing information, there is a need for stronger intrusion detection mechanisms. Mission-critical systems and applications require mechanisms able to detect any unauthorised activity. An Intrusion Detection System (IDS) is a necessary element for monitoring traffic packets on computer networks: it analyses suspicious traffic and makes vital decisions. IDSs allow cybercrime forensic specialists to gather useful evidence whenever needed. This paper presents the design and development process of a Network Intrusion Detection System (NIDS) solution, which aims at providing an effective anomaly-based detection model using Chi-square statistics. One of the design objectives in this paper is to minimise the limitations of current statistical network forensics and intrusion detection. Throughout the development process of this statistical detection model, several aspects of building an effective detection model are emphasised. These aspects include dataset pre-processing and feature selection, network traffic analysis, statistical testing and detection model development. The statistical figures output by this model are compared against threshold values which can be used and/or adjusted by a forensic specialist when deciding whether or not a suspicious event took place.

The modelling and development of this proposed anomaly detection model was carried out using various software and development tools. In this paper we focus on modelling dynamic anomaly detection using the Chi-square technique. It investigates a network traffic dataset collected by CAIDA in 2008 that contains signs of denial of service (DoS) attacks, known as backscatter. The normal dataset patterns are analysed to build a profile of legitimate network traffic; any deviation from these normal profiles is considered anomalous. The dataset was pre-processed using Wireshark and T-Shark, the detection model was developed in MATLAB for different variants of denial-of-service attacks, and promising results were achieved.
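The profile-then-test procedure the abstract describes, as an added illustration that is not the paper's MATLAB code and uses constructed counts rather than the CAIDA dataset: a baseline window of per-category packet counts defines the expected proportions of legitimate traffic, and each later window is scored with Pearson's chi-square statistic against an analyst-adjustable threshold. The category names, the window counts and the critical values are assumptions made for this example.

```python
# Constructed example (not CAIDA data): packet counts per category for one
# baseline window of normal traffic and for later observation windows, such as
# could be tallied from a T-Shark field export.
BASELINE = {"syn": 400, "syn_ack": 380, "rst": 40, "icmp": 30, "other": 150}
WINDOWS = {
    "w1_normal": {"syn": 410, "syn_ack": 370, "rst": 35, "icmp": 25, "other": 160},
    # Backscatter-like window: surplus of unsolicited SYN-ACK/RST/ICMP replies.
    "w2_backscatter": {"syn": 120, "syn_ack": 900, "rst": 350, "icmp": 200, "other": 130},
}

# Chi-square critical values for 4 degrees of freedom (5 categories - 1),
# taken from the standard table; the forensic analyst picks which one to use.
THRESHOLDS = {"alpha_0.05": 9.488, "alpha_0.01": 13.277}


def build_profile(baseline):
    """Turn baseline counts into the expected proportion of each category."""
    total = sum(baseline.values())
    return {cat: count / total for cat, count in baseline.items()}


def chi_square(observed, profile):
    """Pearson's statistic: sum over categories of (O - E)^2 / E, where E is the
    profile proportion scaled to the observed window's total packet count."""
    total = sum(observed.get(cat, 0) for cat in profile)
    stat = 0.0
    for cat, proportion in profile.items():
        expected = proportion * total
        if expected == 0:          # category absent from the profile: no evidence either way
            continue
        stat += (observed.get(cat, 0) - expected) ** 2 / expected
    return stat


def flag_windows(windows, profile, threshold):
    """Return the names of windows whose statistic exceeds the chosen threshold."""
    return sorted(name for name, obs in windows.items()
                  if chi_square(obs, profile) > threshold)


PROFILE = build_profile(BASELINE)

if __name__ == "__main__":
    for name, obs in WINDOWS.items():
        print(f"{name}: chi-square = {chi_square(obs, PROFILE):.2f}")
    print("flagged at alpha=0.05:", flag_windows(WINDOWS, PROFILE, THRESHOLDS["alpha_0.05"]))
```

Raising the threshold trades missed low-rate anomalies for fewer false alarms, which is the adjustment the abstract leaves to the forensic specialist.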

ID: 841908