Table 2. Mean Projection values calculated for test UDP traces

UDP Trace               MP
25.03.2004 (Slammer)    82
20.03.2004 (Witty)      127
6.03.2004               32
13.03.2004              40

Figure 8. IDS decision block diagram

6. Practical Usability of the Proposed Method

Signal-based anomaly detection type IDS will be used as the secondary detection/decision module to support real-time IDS. Such an approach is proposed for the off-network layer of the INTERSECTION framework. The operator will have a chance to observe the results of the signal-based IDS in near real time in order to trigger or stop the reaction of the real-time IDS. Such an approach will both increase the security (fewer detected anomalies/attacks) and increase the tolerance (fewer false positives). An overview of the Matching Pursuit IDS role in the INTERSECTION architecture is given in Figure 8.

7. Conclusion

In this article, our developments in feature extraction for Intrusion Detection Systems are presented. We showed that Matching Pursuit may be considered a very promising methodology which can be used in a network security framework. Based on previous experiments, we concluded that the Matching Pursuit Mean Projection differs significantly for normal and attacked traces [17]. Here we verified that the Matching Pursuit Mean Projection ADS approach successfully detects the Slammer and Witty worms.

The major contribution of this paper is a novel algorithm for detecting anomalies based on signal decomposition. In the classification/decision module we proposed to use the developed matching pursuit features such as mean projection. We tested and evaluated the presented features, and the experimental results proved the effectiveness of our method.

The proposed Matching Pursuit signal-based algorithm applied to anomaly detection IDS will be used as the detection/decision module in the INTERSECTION Project security-resiliency framework for heterogeneous networks.

Acknowledgement

The research leading to these results has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 216585 (INTERSECTION Project).

References

[1] Esposito M., Mazzariello C., Oliviero F., Romano S.P., Sansone C., Real Time Detection of Novel Attacks by Means of Data Mining Techniques. ICEIS (3) 2005: 120-127.
[2] Esposito M., Mazzariello C., Oliviero F., Romano S.P., Sansone C., Evaluating Pattern Recognition Techniques in Intrusion Detection Systems. PRIS 2005: 144-153.
[3] FP7 INTERSECTION: INfrastructure for heTErogeneous, Resilient, Secure, Complex, Tightly Inter-Operating Networks, Project Description of Work.
[4] C.-M. Cheng, H.T. Kung, K.-S. Tan, Use of spectral analysis in defense against DoS attacks, IEEE GLOBECOM 2002, pp. 2143-2148.
[5] P. Barford, J. Kline, D. Plonka, A. Ron, A signal analysis of network traffic anomalies, ACM SIGCOMM Internet Measurement Workshop 2002.
[6] P. Huang, A. Feldmann, W. Willinger, A non-intrusive, wavelet-based approach to detecting network performance problems, ACM SIGCOMM Internet Measurement Workshop, Nov. 2001.
[7] L. Li, G. Lee, DDos attack detection and wavelets, IEEE ICCCN03, Oct. 2003, pp. 421-427.
[8] A. Dainotti, A. Pescape, G. Ventre, Wavelet-based Detection of DoS Attacks, 2006 IEEE GLOBECOM, Nov 2006, San Francisco (CA, USA).
[9] S. Mallat and Zhang, Matching Pursuit with time-frequency dictionaries. IEEE Transactions on Signal Processing, vol. 41, no. 12, pp. 3397-3415, Dec 1993.
[10] J.A. Tropp, Greed is Good: Algorithmic Results for Sparse Approximation. IEEE Transactions on Information Theory, vol. 50, no. 10, October 2004.
[11] R. Gribonval, Fast Matching Pursuit with a Multiscale Dictionary of Gaussian Chirps. IEEE Transactions on Signal Processing, vol. 49, no. 5, May 2001.
[12] P. Jost, P. Vandergheynst and P. Frossard, Tree-Based Pursuit: Algorithm and Properties. Swiss Federal Institute of Technology Lausanne (EPFL), Signal Processing Institute Technical Report, TR-ITS-2005.013, May 17th, 2005.
[13] Andrysiak T., Choraś M., Image Retrieval Based on Hierarchical Gabor Filters, International Journal Applied Mathematics and Computer Science (AMCS), vol. 15, no. 4, 471-480, 2005.
[14] A. Dainotti, A. Pescape, G. Ventre, Worm Traffic Analysis and Characterization, Proceedings of ICC, IEEE CS Press, 1435-1442, 2007.
[15] WIDE Project: MAWI Working Group Traffic Archive at tracer.csl.sony.co.jp/mawi/
[16] The CAIDA Dataset on the Witty Worm - March 19-24, 2004, Colleen Shannon and David Moore, www.caida.org/passive/witty.
[17] Renk R., Saganowski Ł., Hołubowicz W., Choraś M., Intrusion Detection System Based on Matching Pursuit, in Proc. Intelligent Networks and Intelligent Systems, ICINIS '08, 213-216, IEEE CS Press, 2008.

International Journal of Intelligent Engineering and Systems 4 (2008) 18–24
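
The mean-projection feature summarised in the conclusion can be illustrated with a small matching pursuit run; this is an added example, not the authors' code. The Gaussian-windowed cosine dictionary, the median removal, the definition of mean projection as the average magnitude of the selected coefficients, the `is_anomalous` rule and both traces are assumptions constructed for the illustration.

```python
import math
import statistics

def unit(v):
    """Scale a vector to unit Euclidean norm."""
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v]

def gabor_dictionary(n, scales=(2, 4, 8), freqs=(0.0, 0.1, 0.25)):
    """Assumed dictionary: unit-norm Gaussian-windowed cosines at shifted centres."""
    atoms = []
    for s in scales:
        for f in freqs:
            for c in range(0, n, s):
                atoms.append(unit([
                    math.exp(-((t - c) / s) ** 2) * math.cos(2 * math.pi * f * (t - c))
                    for t in range(n)]))
    return atoms

def mean_projection(trace, atoms, iterations=5):
    """Run greedy matching pursuit on the median-removed trace and return the
    mean magnitude of the selected projection coefficients (assumed definition)."""
    base = statistics.median(trace)
    residual = [x - base for x in trace]
    total = 0.0
    for _ in range(iterations):
        # Pick the atom with the largest |<residual, atom>|, then subtract it.
        coef, best = max(
            ((sum(r * a for r, a in zip(residual, g)), g) for g in atoms),
            key=lambda pair: abs(pair[0]))
        residual = [r - coef * a for r, a in zip(residual, best)]
        total += abs(coef)
    return total / iterations

# Constructed packets-per-window counts (not data from the paper).
N = 64
NORMAL = [100 + 5 * math.sin(0.7 * t) for t in range(N)]
ATTACK = [x + (400 if 20 <= t <= 30 else 0) for t, x in enumerate(NORMAL)]

ATOMS = gabor_dictionary(N)
MP_NORMAL = mean_projection(NORMAL, ATOMS)
MP_ATTACK = mean_projection(ATTACK, ATOMS)

def is_anomalous(mp, baseline_mp, factor=2.0):
    """Hypothetical decision rule: flag a mean projection above a multiple of the clean baseline."""
    return mp > factor * baseline_mp

if __name__ == "__main__":
    print(f"normal MP={MP_NORMAL:.1f} attack MP={MP_ATTACK:.1f} "
          f"flagged={is_anomalous(MP_ATTACK, MP_NORMAL)}")
```

As in Table 2, the trace containing the burst yields the larger mean projection; the absolute values depend entirely on the assumed dictionary and scaling and are not comparable to the table.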