dc.contributor.advisor: Chan, Philip K.
dc.contributor.author: Mahoney, Matthew V.
dc.contributor.author: Chan, Philip K.
dc.date.accessioned: 2013-11-01T18:08:01Z
dc.date.available: 2013-11-01T18:08:01Z
dc.date.issued: 2001-11-10
dc.identifier.citation: Mahoney, M.V., Chan, P.K. (2001). PHAD: packet header anomaly detection for identifying hostile network traffic (CS-2001). Melbourne, FL. Florida Institute of Technology.
dc.identifier.other: CS-2001-04
dc.identifier.uri: http://hdl.handle.net/11141/94
dc.description.abstract: We describe an experimental packet header anomaly detector (PHAD) that learns the normal range of values for 33 fields of the Ethernet, IP, TCP, UDP, and ICMP protocols. On the 1999 DARPA off-line intrusion detection evaluation data set (Lippmann et al. 2000), PHAD detects 72 of 201 instances (29 of 59 types) of attacks, including all but 3 types that exploit the protocols examined, at a rate of 10 false alarms per day after training on 7 days of attack-free internal network traffic. In contrast to most other network intrusion detectors and firewalls, only 8 attacks (6 types) are detected based on anomalous IP addresses, and none by their port numbers. A number of variations of PHAD were studied, and the best results were obtained by examining packets and fields in isolation, and by using simple nonstationary models that estimate probabilities based on the time since the last event rather than the average rate of events.
dc.language.iso: en_US
dc.rights: Copyright held by authors.
dc.title: PHAD: packet header anomaly detection for identifying hostile network traffic
dc.type: Technical Report