Title page for ETD etd-07192006-152001

Type of Document Dissertation
Author Patcha, Animesh
URN etd-07192006-152001
Title Network Anomaly Detection with Incomplete Audit Data
Degree PhD
Department Electrical and Computer Engineering
Advisory Committee
  Advisor Name            Title
  Park, Jung-Min Jerry    Committee Chair
  DaSilva, Luiz A.        Committee Member
  Hou, Yiwei Thomas       Committee Member
  North, Christopher L.   Committee Member
  Shukla, Sandeep K.      Committee Member
Keywords
  • high speed networks
  • Anomaly detection
  • weighted sampling
  • denial-of-service
  • expectation-maximization
Date of Defense 2006-07-06
Availability unrestricted
Abstract
With the ever-increasing deployment and usage of gigabit networks, traditional intrusion detection systems based on network anomaly detection have not scaled accordingly. Most, if not all, deployed systems assume the availability of complete and clean data for the purpose of intrusion detection. We contend that this assumption is not valid. Factors like noise in the audit data, mobility of the nodes, and the large amount of data generated by the network make it difficult to build a normal traffic profile of the network for the purpose of anomaly detection.

From this perspective, the leitmotif of the research effort described in this dissertation is the design of a novel intrusion detection system that has the capability to detect intrusions with high accuracy even when complete audit data is not available. In this dissertation, we take a holistic approach to anomaly detection to address the threats posed by network-based denial-of-service attacks by proposing improvements in every step of the intrusion detection process. At the data collection phase, we have implemented an adaptive sampling scheme that intelligently samples incoming network data to reduce the volume of traffic sampled, while maintaining the intrinsic characteristics of the network traffic. A Bloom-filter-based fast flow aggregation scheme is employed at the data pre-processing stage to further reduce the response time of the anomaly detection scheme. Lastly, this dissertation also proposes an expectation-maximization-based anomaly detection scheme that uses the sampled audit data to detect intrusions in the incoming network traffic.

Files
  Filename                        Size       Approximate Download Time (Hours:Minutes:Seconds)
                                             28.8 Modem   56K Modem   ISDN (64 Kb)   ISDN (128 Kb)   Higher-speed Access
  animesh_final_dissertation.pdf  642.69 Kb  00:02:58     00:01:31    00:01:20       00:00:40        00:00:03
