Markov Chain analysis of packet sequence for intrusion detection

Bockholt, Chad

Intrusion detection is a broad and complex field in cybersecurity. A variety of existing methods, with varying degrees of success, attempt to classify traffic as benign or attacking. A tool that can do this consistently and reliably, and with minimal overhead, is ideal, benefiting both analysis overhead and the level of information privilege required. This paper attempts to provide such a tool through packet sequence analysis.

Packet sequence, as referred to in this paper, is the order and number of packets exchanged. Sequential probability ratio test (SPRT) analysis is performed on the sequence history of each pair of IP addresses in an attempt to determine whether the flow can be classified as an attack on this basis alone. SPRT is performed for a single class, for two classes, and for more specialized attack classes.

Manipulation of a large variety of parameters and analysis of the results indicated that packet sequence can, under the right circumstances, provide an indication of an attack. While this holds for most of the attacks seen in the data tested, a high degree of parameter tuning is involved. Not all attacks are likely to be identifiable by this method, but among those that do not appear readily and obviously detectable, several show promise under different configurations of parameters and could potentially be detected with a higher degree of tuning.
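
The approach described above, as an added example that is not code from the paper: a two-class Markov model over each IP pair's packet direction sequence, scored with Wald's SPRT. The direction alphabet, training flows, addresses and error-rate thresholds are constructed assumptions; the paper's own attack classes and tuned parameters are not reproduced.

```python
import math

# Two-class Markov model over packet direction symbols, scored per IP pair
# with Wald's SPRT. Training flows and packets are constructed examples.
STATES = ("c", "s")  # "c": initiator -> responder, "s": responder -> initiator

def fit_markov(sequences, alpha=1.0):
    """Estimate a first-order transition matrix with add-alpha smoothing."""
    counts = {a: {b: alpha for b in STATES} for a in STATES}
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {a: {b: counts[a][b] / sum(counts[a].values()) for b in STATES}
            for a in STATES}

def sprt(seq, benign, attack, alpha=0.01, beta=0.01):
    """Wald's SPRT on the cumulative log-likelihood ratio attack/benign.
    alpha/beta are the tolerated false-alarm and miss rates that set the
    stopping thresholds. Returns (verdict, transitions used, final LLR)."""
    upper = math.log((1 - beta) / alpha)
    lower = math.log(beta / (1 - alpha))
    llr = 0.0
    for i, (a, b) in enumerate(zip(seq, seq[1:]), start=1):
        llr += math.log(attack[a][b] / benign[a][b])
        if llr >= upper:
            return "attack", i, llr
        if llr <= lower:
            return "benign", i, llr
    return "undecided", len(seq) - 1, llr

def pair_sequences(packets):
    """Map each unordered IP pair to its direction string; the first sender
    seen is the initiator. Only (src, dst) is used: no payload or ports."""
    seqs, initiator = {}, {}
    for src, dst in packets:
        key = tuple(sorted((src, dst)))
        initiator.setdefault(key, src)
        seqs[key] = seqs.get(key, "") + ("c" if src == initiator[key] else "s")
    return seqs

# Constructed training flows: benign traffic alternates request/response;
# the attack class is dominated by one-sided bursts from the initiator.
BENIGN_MODEL = fit_markov(["cscscscs", "cscscsc"])
ATTACK_MODEL = fit_markov(["cccccccc", "ccccccs"])

def classify_pairs(packets):
    """Run SPRT on every IP pair's packet sequence."""
    return {key: sprt(seq, BENIGN_MODEL, ATTACK_MODEL)
            for key, seq in pair_sequences(packets).items()}
```

Feed `classify_pairs` a list of `(src, dst)` tuples in capture order; a pair stays "undecided" until its sequence is long enough to cross either threshold, which is the behaviour that makes the error rates tunable.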

Intrusion Detection, Markov Model, Packet Sequence, Privacy Preserving Analysis