IJIES-2008 VOLUME 1 ISSUE 4 - Index of

ange dependence, entropy variations, etc.) [3]. Approachesbased on signal processing and on statisticalanalysis can be powerful in decomposing the signalsrelated to network traffic, giving the ability to distinguishbetween trends, noise, and actual anomalousevents. Wavelet-based approaches, maximum entropyestimation, principal component analysis techniques,and spectral analysis, are examples in this regardwhich have been investigated in the recent years bythe research community [4]-[8].A powerful analysis, synthesis, and detection tool inthis field is represented by the wavelets. Indeed, timeandscale-localization abilities of the wavelet transform,make it ideally suited to detect irregular trafficpatterns in traffic traces. Recently many waveletbasedmethods for detection of attacks have beentested and documented. Some are based on the continuouswavelet transform analysis, most of them howeverrefer to the discrete wavelet transformation andthe multiresolution analysis [3].However, Discrete Wavelet Transform provides alarge amount of coefficients which not necessarily reflectrequired features of the network signals.Therefore, in this paper we propose anothersignal processing and decomposition method foranomaly/intrusion detection in networked systems.We developed original Anomaly Detection Type IDSalgorithm based on Matching Pursuit.4. Intrusion Detection System based on MatchingPursuit4.1. Introduction to Matching PursuitMatching Pursuit signal decomposition was proposedby Mallat and Zhang [9].Matching Pursuit is a greedy algorithm that decomposesany signal into a linear expansion of waveformswhich are taken from an overcomplete dictionary D.The dictionary D is an overcomplete set of base functionscalled also atoms.D = {α γ : γ ∈ Γ} (1)where every atom α γ from dictionary has normequal to 1:‖α γ ‖ = 1 (2)Γ represents set of indexes for atom transformationparameters such as translation, rotation and scaling.Signal s has various representations for dictionaryD. Signal can be approximated by set of atoms α kfrom dictionary and projection coefficients c k :s =|D|−1∑n=0c k α k (3)To achieve best sparse decomposition of signal s(min) we have to find vector c k with minimal normbut sufficient for proper signal reconstruction. MatchingPursuit is a greedy algorithm that iteratively approximatessignal to achieve good sparse signal decomposition.Matching Pursuit finds set of atoms α γksuch that projection of coefficients is maximal. At firststep, residual R is equal to the entire signal R 0 = s.R 0 = 〈α γ0 ,R 0 〉α γ0 + R 1 (4)If we want to minimize energy of residual R 1 wehave to maximize the projection |〈α γ0 ,R 0 〉|. At nextstep we must apply the same procedure to R 1 .R 1 = 〈α γ1 ,R 1 〉α γ1 + R 2 (5)Residual of signal at step n can be written as follows:R n s = R n−1 s − 〈 R n−1 s|α γk〉αγk (6)s =Signal s is decomposed by set of atoms:N−1∑n=0〈α γk |R n s〉α γk + R n s (7)Algorithm stops when residual R n s of signal islower then acceptable limit.4.2. Our Approach to Intrusion DetectionAlgorithmIn basic Matching Pursuit algorithm atoms are selectedin every step from entire dictionary which hasflat structure. In this case algorithm causes significantprocessor burden. In our coder dictionary with internalstructure was used.Dictionary is built from:— Atoms,— Centered atoms,Centered atoms groups such atoms from D that areas more correlated as possible to each other. To calculatemeasure of correlation between atoms functiono(a,b) can be used [2] .o(a,b) =√1 −( |〈a,b〉|‖a‖ 2‖b‖ 2) 2(8)The quality of centered atom can be estimated accordingto (9):International Journal of Intelligent Engineering and Systems 4 (2008) 18–24 20