A Finite State Machine Algorithm for Detecting TCP Anomalies: An Examination of the 1999 DARPA Intrusion Detection Evaluation Data Set

Authors
  1. Treurniet, J.
Corporate Authors
Defence R&D Canada - Ottawa, Ottawa ONT (CAN)
Abstract
The Transmission Control Protocol (TCP) is a well-defined protocol, and as such, a finite state machine can be defined to reflect the progression of a TCP connection, including deviations from the protocol standard. The 1999 DARPA Intrusion Detection Evaluation (IDE) data set was used to test the model. It was found that the model effectively detects implementations of TCP that do not follow the protocol standard and network events such as loss of availability. The model was then used to analyse the TCP anomalies of an operational data set, in which several instances of scanning activity were also successfully detected. A comparison of the anomalies found in the Week 1 DARPA IDE data set with those found in the operational data showed that the behaviour of the simulated TCP traffic does not contain the variations found in an operational setting.

A French-language summary is also available.

Keywords
TCP; anomaly detection; DARPA Intrusion Detection Evaluation; finite state machine
Report Number
DRDC-OTTAWA-TM-2005-168 — Technical Memorandum
Date of publication
01 Nov 2005
Number of Pages
34
DSTKIM No
CA026845
CANDIS No
524809
Format(s):
CD ROM
