Next: References Up: 5. Network Intrusion Detection Previous: 5.6 Profiling and Anomaly

5.7 Discussion

There are many areas in which computational statistics can play a part in network intrusion detection and other security arenas. We have seen a few in this chapter, including the modeling of denial of service attacks, visualization, the analysis of streaming network data, and profiling and anomaly detection.

The biggest problems for intrusion detection systems are false alarm rates and the detection of novel attacks. The enormous amount of data that must be processed requires that false alarm rates be extremely low. Typical network data consists of millions of packets an hour, and system administrators generally do not have time to track down more than a few false alarms a day; at a million packets an hour, roughly 2.4 × 10^7 packets a day, a budget of a few alarms a day translates to a per-packet false alarm rate on the order of 10^-7. Signature based systems have the advantage that they rarely raise false alarms (assuming the signature is properly defined), but they tend to perform poorly on novel attacks. Thus it is essential that techniques be found that detect novelty that is "bad" without alarming on novelty that is benign.

One area we have not discussed is modeling attack propagation. Early work on this can be found in [14], [15]; see also [37] for a related model. For a discussion of the Slammer worm (also known as Sapphire), see http://www.cs.berkeley.edu/~nweaver/sapphire/. The Slammer worm was interesting because its spread was self-limiting: the worm spread so fast that it consumed the available bandwidth, to the point that it was unable to continue spreading at its initial rate. Models for these types of worms are an interesting area of study.
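As an added illustration of the self-limiting behaviour described above (example code written for this discussion, not code from the chapter or from the cited references), the following Python model steps the logistic "random constant spread" worm model, in which every infected host probes uniformly random IPv4 addresses at a fixed rate, and adds one extra assumption: the network as a whole can carry at most a fixed number of probes per second, so once the aggregate probe rate exceeds that cap each host's effective rate is throttled. The host count, per-host scan rate and bandwidth cap are illustrative values chosen here, not measurements of Slammer.

```python
"""
Toy random-constant-spread worm model with an optional bandwidth cap.

Added illustration, not code from the chapter. Assumptions (mine, not the
page's): each infected host probes uniformly random IPv4 addresses at a fixed
rate, and the network carries at most `bandwidth_cap` probes per second in
total, so the worm's aggregate probe rate is clipped once it exceeds the cap.
The parameter values below are illustrative, not Slammer measurements.
"""

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses, probed uniformly at random


def simulate_worm(vulnerable, scan_rate, bandwidth_cap=None,
                  seed_infected=1, dt=1.0, horizon=600.0):
    """Euler-step the expected number of infected hosts over time.

    vulnerable    : number of susceptible hosts in the address space
    scan_rate     : probes per second sent by each infected host
    bandwidth_cap : total probes per second the network can carry (None = unlimited)
    Returns a list of (time_seconds, infected_hosts) samples.
    """
    infected = float(seed_infected)
    history = [(0.0, infected)]
    t = 0.0
    while t < horizon:
        offered = infected * scan_rate  # probes the worm wants to send this second
        carried = offered if bandwidth_cap is None else min(offered, bandwidth_cap)
        # Probability that one random probe lands on a vulnerable, uninfected host.
        hit_prob = (vulnerable - infected) / ADDRESS_SPACE
        infected = min(vulnerable, infected + carried * hit_prob * dt)
        t += dt
        history.append((t, infected))
    return history


def time_to_fraction(history, vulnerable, fraction):
    """First sampled time at which at least `fraction` of the hosts are infected, or None."""
    for t, infected in history:
        if infected >= fraction * vulnerable:
            return t
    return None


def compare_spread(vulnerable=75_000, scan_rate=4_000, bandwidth_cap=1e7):
    """Run the model with and without the bandwidth cap and summarise the difference.

    Without the cap the curve is the usual logistic S-curve; with the cap the
    growth turns from exponential to roughly linear once the aggregate probe
    rate (infected * scan_rate) reaches the cap, which is the self-limiting
    effect discussed in the text.
    """
    free = simulate_worm(vulnerable, scan_rate)
    capped = simulate_worm(vulnerable, scan_rate, bandwidth_cap=bandwidth_cap)
    return {
        "t50_uncapped": time_to_fraction(free, vulnerable, 0.5),
        "t50_capped": time_to_fraction(capped, vulnerable, 0.5),
        "final_uncapped": free[-1][1],
        "final_capped": capped[-1][1],
    }


if __name__ == "__main__":
    for name, value in compare_spread().items():
        print(f"{name:>15}: {value:,.0f}")
```

With the illustrative parameters the cap binds once about 2,500 hosts are infected; from then on the number of newly infected hosts per second is bounded by the cap times the hit probability, so the half-way point is reached well after the uncapped run's and the capped run has not saturated by the end of the ten-minute horizon.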

