A statistical covariance matrix based detection approach with application to network flooding attack detection

2006 
Network intrusion detection is a vibrant research area because of the constantly evolving computer networks and methods of intrusion. Currently, flooding attacks pose a prevalent and significant threat to the reliability of computer networks. How to effectively detect multiple and various flooding attacks has become a crucial problem in improving network protection mechanisms. Traditional detection approaches neglect the correlation information contained in groups of network traffic samples, and this leads to their failure to improve detection effectiveness. In addition, they lack the capability to identify different types of unknown flooding attacks. This thesis describes a novel covariance matrix based anomaly detection approach. This approach detects flooding attacks more effectively by directly utilizing the covariance matrix of groups of samples. It can also identify unknown flooding attacks by automatically capturing the patterns of any flooding attacks that are detected. This novel detection approach works by first constructing a new covariance feature space based on groups of samples. This allows the correlation information from sequential network packets of fixed and equal lengths to be used to formulate the detection problem in the original feature space as a multi-classification problem in the covariance feature space. The approach then determines the thresholds in a supervised training stage and forms a constrained boundary for each known attack. We further developed a new multi-dimensional measure called the 0-1 matrix in order to exhibit the quantities and directions of prominent differences between an observed sample and the norm profiles in terms of covariance changes. The effectiveness of the proposed detection approach is evaluated by extensive experiments. The work described in this thesis applies high-order statistics and a multi-dimensional measure to a detection problem.
This multi-dimensional measure can evaluate the difference between two compared objects in terms of each dimension of the feature space and enables the detection result to reflect the patterns of the object that is detected. However, it is still worth further exploring how to integrate the multi-dimensional measure into traditional classification approaches such as SVM and MLP in order to give their detection results specific physical meanings.
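The training and detection stages sketched in the abstract, as an added illustration (this is not code from the thesis): groups of packets become covariance matrices, a norm profile and per-entry thresholds are learned from normal groups, and a 0-1 matrix marks which covariance entries changed prominently and in which direction. The packet features, the k-sigma threshold rule, the decision boundary and all traffic values are assumptions constructed for this example.

```python
from statistics import mean, pstdev

def covariance_matrix(group):
    """Sample covariance matrix of one group of packets (rows: packets, columns: features)."""
    n, d = len(group), len(group[0])
    mu = [mean(p[k] for p in group) for k in range(d)]
    return [[sum((p[i] - mu[i]) * (p[j] - mu[j]) for p in group) / (n - 1)
             for j in range(d)] for i in range(d)]

def train_norm_profile(normal_groups, k=3.0):
    """Supervised training stage. Norm profile = per-entry mean of the normal groups'
    covariance matrices; threshold = k standard deviations per entry (assumed rule)."""
    covs = [covariance_matrix(g) for g in normal_groups]
    d = len(covs[0])
    profile = [[mean(c[i][j] for c in covs) for j in range(d)] for i in range(d)]
    threshold = [[k * pstdev([c[i][j] for c in covs]) for j in range(d)] for i in range(d)]
    return profile, threshold

def zero_one_matrix(observed_group, profile, threshold):
    """0-1 matrix: entry (i, j) is 1 where the observed covariance of features i and j
    departs from the norm profile by more than the threshold (the quantity of change);
    the signed matrix gives the direction of each prominent change (+1 up, -1 down)."""
    cov = covariance_matrix(observed_group)
    d = len(cov)
    flags = [[int(abs(cov[i][j] - profile[i][j]) > threshold[i][j])
              for j in range(d)] for i in range(d)]
    signs = [[flags[i][j] * (1 if cov[i][j] > profile[i][j] else -1)
              for j in range(d)] for i in range(d)]
    return flags, signs

def is_flooding(flags, boundary=0):
    """Assumed decision rule: more than `boundary` prominent covariance changes."""
    return sum(map(sum, flags)) > boundary

# Constructed traffic, 20 packets per group; features = [length bytes, inter-arrival ms, SYN].
def normal_group(g, n=20):
    scale = 1 + 0.02 * g  # mild group-to-group variation so thresholds are non-zero
    return [[scale * (400 + 100 * ((2 * t + g) % 5)),
             scale * (10 + 3 * ((3 * t + g) % 4)),
             1 if t % 5 == 0 else 0] for t in range(n)]

SYN_FLOOD = [[40, 0.1, 1] for _ in range(20)]  # constructed: identical SYN packets, no variance

def demo():
    profile, threshold = train_norm_profile([normal_group(g) for g in range(8)])
    flags, signs = zero_one_matrix(SYN_FLOOD, profile, threshold)
    return flags, signs, is_flooding(flags)
if __name__ == "__main__":
    print(demo())
```

The flood group collapses the packet-length variance to zero, so the (length, length) entry of the 0-1 matrix is set with direction -1, while the training groups themselves stay inside the thresholds.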