A Chi-square testing-based intrusion detection Model

Nasser Abouzakhar, Abu Bakar

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    The rapid growth of Internet malicious activities has become a major concern to the network forensics and security community. With the increasing use of IT technologies for managing information there is a need for stronger intrusion detection mechanisms. Mission-critical systems and applications require mechanisms able to detect any unauthorised activities. An Intrusion Detection System (IDS) acts as a necessary element for monitoring traffic packets on computer networks: it analyses suspicious traffic and makes vital decisions. IDSs allow cybercrime forensic specialists to gather useful evidence whenever needed. This paper presents the design and development process of a Network Intrusion Detection System (NIDS) solution, which aims at providing an effective anomaly-based detection model using Chi-square statistics. One of the design objectives in this paper is to minimise the limitations of current statistical network forensics and intrusion detection. Throughout the development process of this statistical detection model several aspects of building an effective detection model are emphasised. These aspects include dataset pre-processing and feature selection, network traffic analysis, statistical testing and detection model development. The statistical figures output by this model are compared against threshold values which can be used and/or adjusted by a forensic specialist for deciding whether or not a suspicious event took place.

    The modelling and development process of this proposed anomaly detection model has been achieved using various software and development tools. In this paper we focus on modelling dynamic anomaly detection using the Chi-square technique. It investigates a network traffic dataset collected by CAIDA in 2008 that contains traces of denial of service (DoS) attacks known as backscatter. The normal dataset patterns are analysed to build a profile for the legitimate network traffic. Any deviation from these normal profiles is considered anomalous. The dataset was pre-processed using Wireshark and T-Shark, the detection model was developed using MATLAB for different variants of denial of service attacks, and promising results were achieved.
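    The detection idea the abstract describes, as an added illustration rather than the paper's own MATLAB code: a normal profile is built from the category proportions of one traffic feature, each new window of traffic is scored with Pearson's Chi-square statistic against that profile, and a window whose statistic exceeds the critical value for the chosen significance level is flagged. The baseline, the windows and the use of destination port as the feature are constructed assumptions for the example.

```python
from collections import Counter

# Constructed baseline: destination-port counts seen in a known-legitimate capture.
# Assumption for this example: the normal profile is the categorical distribution of one feature.
BASELINE_COUNTS = {"80": 500, "443": 300, "53": 150, "22": 30, "other": 20}

# Critical values of the Chi-square distribution for df = 4 (five categories minus one).
CRITICAL = {0.05: 9.488, 0.01: 13.277, 0.001: 18.467}

def bucket(port):
    """Map a destination port to a profile category; unknown ports share the 'other' bucket."""
    return port if port in BASELINE_COUNTS else "other"

def normal_profile(baseline):
    """Turn baseline counts into the expected proportion p of each category."""
    total = sum(baseline.values())
    return {k: v / total for k, v in baseline.items()}

def chi_square_statistic(observed, profile):
    """Pearson's statistic: sum over categories of (O - E)^2 / E, with E = n * p."""
    n = sum(observed.values())
    stat = 0.0
    for category, p in profile.items():
        expected = n * p
        stat += (observed.get(category, 0) - expected) ** 2 / expected
    return stat

def score_windows(ports, window_size, profile):
    """Slide a fixed-size window over a port sequence and score each window.
    The tabulated critical values assume every expected count is roughly 5 or more,
    so in practice the window must be large enough for the rarest profile category."""
    scores = []
    for start in range(0, len(ports) - window_size + 1, window_size):
        window = Counter(bucket(p) for p in ports[start:start + window_size])
        scores.append(chi_square_statistic(window, profile))
    return scores

def flag_anomalies(scores, alpha=0.01):
    """Return indices of windows whose statistic exceeds the critical value for alpha."""
    return [i for i, s in enumerate(scores) if s > CRITICAL[alpha]]

# Constructed windows: one that follows the profile and one backscatter-like burst in which
# unsolicited replies land on ports the baseline rarely sees.
NORMAL_WINDOW = {"80": 245, "443": 155, "53": 72, "22": 18, "other": 10}
BURST_WINDOW = {"80": 120, "443": 80, "53": 40, "22": 10, "other": 250}

if __name__ == "__main__":
    profile = normal_profile(BASELINE_COUNTS)
    print(round(chi_square_statistic(NORMAL_WINDOW, profile), 2))  # below every critical value
    print(round(chi_square_statistic(BURST_WINDOW, profile), 2))   # far above the 0.001 value
```

    The threshold is the knob the abstract refers to: lowering alpha raises the critical value and trades missed detections for fewer false alarms.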
    Original language: English
    Title of host publication: Procs 4th International Conference on Cybercrime Forensics Education & Training
    Subtitle of host publication: CFET 2010
    ISBN (Electronic): 978-1-899253-73-9
    Publication status: Published - 3 Sept 2010
    Event: 4th Int Conf on Cybercrime Forensics Education and Training (CFET 2010) - Canterbury, United Kingdom
    Duration: 2 Sept 2010 to 3 Sept 2010

    Conference

    Conference: 4th Int Conf on Cybercrime Forensics Education and Training (CFET 2010)
    Country/Territory: United Kingdom
    City: Canterbury
    Period: 2/09/10 to 3/09/10

    Keywords

    • Intrusion detection
    • Computer forensics
