10.07.2015 Views

IJIES-2008 VOLUME 1 ISSUE 4 - Index of


Table 2. Mean Projection values calculated for test UDP traces

UDP Trace               MP
25.03.2004 (Slammer)    82
20.03.2004 (Witty)      127
6.03.2004               32
13.03.2004              40

Figure 8. IDS decision block diagram

6. Practical Usability of the Proposed Method

Signal-based anomaly detection type IDS will be used as the secondary detection/decision module to support real-time IDS. Such an approach is proposed for the off-network layer of the INTERSECTION framework. The operator will have a chance to observe the results of signal-based IDS in near real-time in order to trigger or stop the reaction of real-time IDS. Such an approach will both increase the security (less detected anomalies/attacks) and increase the tolerance (less false positives). The overview of the Matching Pursuit IDS role in the INTERSECTION architecture is given in Figure 8.

7. Conclusion

In this article our developments in feature extraction for Intrusion Detection systems are presented. We showed that Matching Pursuit may be considered a very promising methodology which can be used in a network security framework. From previous experiments we concluded that Matching Pursuit Mean Projection differs significantly for normal and attacked traces [17]. Hereby we verified that the Matching Pursuit Mean Projection ADS approach successfully detects the Slammer and Witty worms.

The major contribution of this paper is a novel algorithm for detecting anomalies based on signal decomposition. In the classification/decision module we proposed to use the developed matching pursuit features such as mean projection. We tested and evaluated the presented features and showed that experimental results proved the effectiveness of our method.

The proposed Matching Pursuit signal-based algorithm applied for anomaly detection IDS will be used as the detection/decision module in the INTERSECTION Project security-resiliency framework for heterogeneous networks.

Acknowledgement

The research leading to these results has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 216585 (INTERSECTION Project).

References

[1] Esposito M., Mazzariello C., Oliviero F., Romano S.P., Sansone C., Real Time Detection of Novel Attacks by Means of Data Mining Techniques. ICEIS (3) 2005: 120-127.
[2] Esposito M., Mazzariello C., Oliviero F., Romano S.P., Sansone C., Evaluating Pattern Recognition Techniques in Intrusion Detection Systems. PRIS 2005: 144-153.
[3] FP7 INTERSECTION INfrastructure for heTErogeneous, Resilient, Secure, Complex, Tightly Inter-Operating Networks Project Description of Work.
[4] C.-M. Cheng, H.T. Kung, K.-S. Tan, Use of spectral analysis in defense against DoS attacks, IEEE GLOBECOM 2002, pp. 2143-2148.
[5] P. Barford, J. Kline, D. Plonka, A. Ron, A signal analysis of network traffic anomalies, ACM SIGCOMM Internet Measurement Workshop 2002.
[6] P. Huang, A. Feldmann, W. Willinger, A non-intrusive, wavelet-based approach to detecting network performance problems, ACM SIGCOMM Internet Measurement Workshop, Nov. 2001.
[7] L. Li, G. Lee, DDoS attack detection and wavelets, IEEE ICCCN03, Oct. 2003, pp. 421-427.
[8] A. Dainotti, A. Pescape, G. Ventre, Wavelet-based Detection of DoS Attacks, 2006 IEEE GLOBECOM - Nov 2006, San Francisco (CA, USA).
[9] S. Mallat and Zhang, Matching Pursuit with time-frequency dictionaries. IEEE Transactions on Signal Processing, vol. 41, no 12, pp. 3397-3415, Dec 1993.

International Journal of Intelligent Engineering and Systems 4 (2008) 18–24 23
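The conclusion's claim that Matching Pursuit Mean Projection separates normal from attacked traces can be illustrated with the following added example, which is not the authors' code and does not reproduce the values in Table 2. It assumes that mean projection is the mean absolute projection coefficient over k greedy matching-pursuit steps, and uses an assumed Gabor-like dictionary, an assumed decision ratio and constructed traffic series.

```python
import math

def gabor_dictionary(n, scales=(1, 4, 16), freqs=(0.0, 0.1, 0.25)):
    """Unit-norm Gaussian-windowed cosine atoms (assumed dictionary)."""
    atoms = []
    for s in scales:
        for u in range(0, n, max(1, s // 2)):        # atom centre
            for f in freqs:                          # cycles per sample
                g = [math.exp(-((t - u) / s) ** 2) *
                     math.cos(2 * math.pi * f * (t - u)) for t in range(n)]
                norm = math.sqrt(sum(x * x for x in g))
                atoms.append([x / norm for x in g])
    return atoms

def mean_projection(signal, atoms, k=5):
    """Mean |<residual, atom>| over k greedy matching-pursuit steps."""
    mean = sum(signal) / len(signal)
    residual = [x - mean for x in signal]            # drop the DC level
    coeffs = []
    for _ in range(k):
        best_c, best_g = 0.0, None
        for g in atoms:                              # best-correlated atom
            c = sum(r * a for r, a in zip(residual, g))
            if abs(c) > abs(best_c):
                best_c, best_g = c, g
        if best_g is None:                           # nothing left to explain
            break
        residual = [r - best_c * a for r, a in zip(residual, best_g)]
        coeffs.append(abs(best_c))
    return sum(coeffs) / len(coeffs) if coeffs else 0.0

def sample_traces(n=64):
    """Constructed packets-per-interval series, not data from the paper."""
    normal = [100 + 10 * math.sin(2 * math.pi * t / 16) + (t * 7 % 5)
              for t in range(n)]
    attack = list(normal)
    for t in range(30, 34):                          # short scanning burst
        attack[t] += 300
    return normal, attack

def is_anomalous(trace, baseline_mp, atoms, ratio=2.0):
    """Flag a trace whose mean projection exceeds ratio x the baseline."""
    return mean_projection(trace, atoms) > ratio * baseline_mp

if __name__ == "__main__":
    atoms = gabor_dictionary(64)
    normal, attack = sample_traces()
    base = mean_projection(normal, atoms)
    print(base, mean_projection(attack, atoms), is_anomalous(attack, base, atoms))
```

In practice the baseline would be profiled over many attack-free traces rather than a single one, and the ratio tuned against the false-positive tolerance discussed in Section 6.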
