INVESTIGATING THRESHOLDS FOR THE USE OF SELF-SIMILARITY AS A METRIC FOR NETWORK INTRUSION DETECTION

Authors: McCurdy, William E.
Subjects: operational technology; OT; self-similarity; network traffic; simulated networks; physical testbed; Hurst parameter; H; network traffic generation; anomaly detection
Advisors: Bollmann, Chad A.
Date of Issue: 2024-12
Publisher: Monterey, CA; Naval Postgraduate School
Abstract:

Operational technology (OT) networks routinely operate without human activity and govern systems that are geographically dispersed. Many of these networks use aged protocols designed for reliability instead of security and remain vulnerable to intrusion or malicious disruption. System administrators use many factors to assess network traffic for indications of anomalies, both to predict component failure and to detect intrusion.

This work extends findings by Martin investigating the efficacy of self-similarity, as measured by the Hurst parameter (H), as a metric for anomaly detection. Prior research has shown that wired and wireless network traffic exhibit self-similar behavior, which has been attributed to several factors related to the behavior of human users on the network. Recent work has shown that networks with little to no human activity are not self-similar or exhibit low levels of self-similarity.

Using synthetically generated traffic sent over a physical network testbed, our work investigates minimum detection thresholds for indications of anomalies, such as self-similar traffic sources on a network that exhibits little to no self-similarity under routine operations. We find that the degree of difference in H between native and non-native traffic impacts detection thresholds and reliability. Further, depending on the burstiness of the non-native OT traffic, anomalies that generate less than 0.5% of additional traffic are detectable with an F1 score of 0.93.
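The abstract treats H as a detection metric: quiet OT traffic sits near H = 0.5, a self-similar source pushes H upward, and a threshold on H per window flags the change. The following is an added example, not code from the thesis or its testbed. It estimates H with the aggregated-variance method (a standard estimator; the thesis does not state which estimator it uses), builds two constructed traffic series (independent per-slot counts as a stand-in for routine OT traffic, and superposed ON/OFF sources with heavy-tailed Pareto durations as a self-similar source), and flags windows whose H exceeds a threshold. The window size, block sizes, source count, Pareto shape and the 0.75 threshold are all assumptions chosen for illustration, not values from the thesis.

```python
"""Hurst-parameter (H) estimation on per-slot packet counts, plus a window
detector that flags traffic whose H rises above a baseline threshold.
Added example; not code from the thesis. The aggregated-variance estimator
is a standard method; generators and thresholds below are assumptions."""
import math
import random


def aggregated_variance_hurst(series, max_block=256):
    """Estimate H with the aggregated-variance method.

    For a stationary series the variance of block means over blocks of size m
    scales as m**(2H - 2). Fit log Var(m) against log m over block sizes
    1, 2, 4, ..., max_block and read H from the slope: H = 1 + slope / 2.
    An independent (iid) series gives Var(m) ~ 1/m, slope -1, H = 0.5.
    """
    xs, ys = [], []
    m = 1
    while m <= max_block and len(series) // m >= 8:
        n_blocks = len(series) // m
        means = [sum(series[i * m:(i + 1) * m]) / m for i in range(n_blocks)]
        mu = sum(means) / n_blocks
        var = sum((v - mu) ** 2 for v in means) / (n_blocks - 1)
        if var > 0:                       # a constant run carries no information
            xs.append(math.log(m))
            ys.append(math.log(var))
        m *= 2
    if len(xs) < 3:
        return float("nan")
    # ordinary least-squares slope of log variance on log block size
    xbar = sum(xs) / len(xs)
    ybar = sum(ys) / len(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    return 1.0 + (sxy / sxx) / 2.0


def iid_traffic(n_slots, mean=20.0, sd=4.0, seed=1):
    """Constructed stand-in for low-self-similarity OT traffic:
    packet counts per time slot drawn independently (seeded, reproducible)."""
    rng = random.Random(seed)
    return [max(0, round(rng.gauss(mean, sd))) for _ in range(n_slots)]


def onoff_traffic(n_slots, n_sources=20, alpha=1.3, seed=2):
    """Constructed self-similar source: superposed ON/OFF sources with
    Pareto (heavy-tailed, shape alpha) ON and OFF durations; each ON source
    contributes one packet per slot. Superposing such sources is the classical
    construction of self-similar traffic (theoretical H = (3 - alpha) / 2)."""
    rng = random.Random(seed)
    counts = [0] * n_slots
    for _ in range(n_sources):
        t, on = 0, rng.random() < 0.5
        while t < n_slots:
            duration = max(1, int(rng.paretovariate(alpha)))
            if on:
                for k in range(t, min(n_slots, t + duration)):
                    counts[k] += 1
            t += duration
            on = not on
    return counts


def flag_windows(series, window=2048, threshold=0.75):
    """Return (window_index, H) for every non-overlapping window whose
    estimated H exceeds the threshold (assumed value, not from the thesis)."""
    flagged = []
    for i in range(len(series) // window):
        h = aggregated_variance_hurst(series[i * window:(i + 1) * window], max_block=128)
        if h > threshold:
            flagged.append((i, round(h, 3)))
    return flagged


if __name__ == "__main__":
    quiet = iid_traffic(8192)
    bursty = onoff_traffic(8192)
    print("H (iid baseline):     ", round(aggregated_variance_hurst(quiet), 3))
    print("H (ON/OFF, Pareto):   ", round(aggregated_variance_hurst(bursty), 3))
    # two quiet windows followed by two windows dominated by the ON/OFF source
    print("flagged windows:", flag_windows(quiet[:4096] + bursty[:4096]))
```

The estimator is deliberately plain so that the scaling argument is visible: the only thing distinguishing the two series is how fast the variance of block means decays as blocks grow. On a real network the window length has to be long enough for the largest block size to leave a reasonable number of blocks, otherwise the slope fit is dominated by noise at the large-m end and the per-window H wanders.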
Type: Thesis
Sponsors: ONR Code 33, Arlington, VA 22217
Distribution Statement: Distribution Statement A. Approved for public release: distribution is unlimited.
Rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.