A Covariance Matrix Based Approach to Internet Anomaly Detection

  • Shuyuan Jin
  • Daniel So Yeung
  • Xizhao Wang
  • Eric C. C. Tsang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3930)


Detecting multiple network attacks is essential to intrusion detection, network security defense and network traffic management. This paper presents a covariance matrix based approach to detecting multiple known and unknown network anomalies. The approach uses the difference between the covariance matrices of observed sample groups as its detection signal. A threshold matrix is employed in the detection, where each entry of the matrix evaluates the covariance change of the corresponding pair of features. As case studies, extensive experiments are conducted on the detection of multiple DoS attacks, the prevalent Internet anomalies. The experimental results indicate that the proposed approach achieves high detection rates for multiple known and unknown anomalies.
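The detection logic the abstract describes, written out as an added illustrative example; this is not code from the paper. It builds a reference covariance matrix from windows of normal traffic, derives a threshold matrix entry by entry, and flags a new window when any entry of the absolute covariance difference exceeds the corresponding threshold entry. The feature set (per-second `syn`, `ack` and kilobyte counters), the threshold rule (k times the per-entry spread of the training covariances plus a small floor) and the sample traffic windows are all assumptions constructed for this example, not the paper's stated features, threshold construction or data.

```python
"""Entrywise covariance-difference detector, written as an illustration of the
approach the abstract describes. The feature set (per-second [syn, ack, kbytes])
and the threshold rule (k times the per-entry spread of normal-window
covariances) are assumptions of this example, not the paper's stated method."""
from typing import List, Sequence, Tuple

Vector = Sequence[float]
Matrix = List[List[float]]


def covariance_matrix(window: Sequence[Vector]) -> Matrix:
    """Sample covariance (divisor n-1) of the feature vectors in one observation window."""
    n, d = len(window), len(window[0])
    if n < 2:
        raise ValueError("a window needs at least two samples")
    means = [sum(x[i] for x in window) / n for i in range(d)]
    return [
        [sum((x[i] - means[i]) * (x[j] - means[j]) for x in window) / (n - 1)
         for j in range(d)]
        for i in range(d)
    ]


class CovarianceDetector:
    """Flags a window when any entry of |C_window - C_ref| exceeds the threshold matrix."""

    def __init__(self, k: float = 3.0, eps: float = 1e-6) -> None:
        self.k = k        # assumed sensitivity: k "standard deviations" per entry
        self.eps = eps    # floor so an entry that never varied in training is not hair-trigger
        self.reference: Matrix = []
        self.threshold: Matrix = []

    def fit(self, normal_windows: Sequence[Sequence[Vector]]) -> None:
        """Reference = mean covariance over normal windows; threshold = k * spread + eps."""
        covs = [covariance_matrix(w) for w in normal_windows]
        m, d = len(covs), len(covs[0])
        self.reference = [[sum(c[i][j] for c in covs) / m for j in range(d)] for i in range(d)]
        self.threshold = [[0.0] * d for _ in range(d)]
        for i in range(d):
            for j in range(d):
                spread = (sum((c[i][j] - self.reference[i][j]) ** 2 for c in covs) / m) ** 0.5
                self.threshold[i][j] = self.k * spread + self.eps

    def deviation(self, window: Sequence[Vector]) -> Matrix:
        """Entrywise absolute change of the window's covariance from the reference."""
        cov = covariance_matrix(window)
        d = len(cov)
        return [[abs(cov[i][j] - self.reference[i][j]) for j in range(d)] for i in range(d)]

    def violations(self, window: Sequence[Vector]) -> List[Tuple[int, int]]:
        """Feature pairs (i, j), i <= j, whose covariance change exceeds the threshold entry."""
        dev = self.deviation(window)
        d = len(dev)
        return [(i, j) for i in range(d) for j in range(i, d) if dev[i][j] > self.threshold[i][j]]

    def is_anomalous(self, window: Sequence[Vector]) -> bool:
        return bool(self.violations(window))


# --- constructed sample traffic for the example (not captured data) -----------
FEATURES = ("syn/s", "ack/s", "kB/s")


def normal_window(phase: int, length: int = 30) -> List[Vector]:
    """Benign pattern: ACKs track SYNs (handshakes complete), bytes track SYNs."""
    rows = []
    for t in range(length):
        syn = 10 + (t + phase) % 4
        ack = syn + (t + phase) % 2
        kb = 3 * syn + ((t + phase) // 2) % 2
        rows.append((syn, ack, kb))
    return rows


def syn_flood_window(length: int = 30) -> List[Vector]:
    """Ramping SYN flood: SYN rate climbs while ACKs stay flat (no handshakes complete)."""
    return [(10 + 40 * t, 10 + t % 2, 3 * (10 + 40 * t)) for t in range(length)]


def constant_shift_window(delta: float = 500.0) -> List[Vector]:
    """The benign pattern with a constant SYN offset: a pure mean shift, same covariance."""
    return [(syn + delta, ack, kb) for syn, ack, kb in normal_window(0)]


def build_detector() -> CovarianceDetector:
    det = CovarianceDetector(k=3.0)
    det.fit([normal_window(p) for p in range(4)])   # four phases of the benign pattern
    return det


if __name__ == "__main__":
    det = build_detector()
    for name, w in [("normal", normal_window(4)), ("syn flood", syn_flood_window()),
                    ("constant shift", constant_shift_window())]:
        hits = [(FEATURES[i], FEATURES[j]) for i, j in det.violations(w)]
        print(f"{name:15s} anomalous={det.is_anomalous(w)} violations={hits}")
```

The ramping flood is caught because the variance of the SYN counter and its covariance with the ACK counter both leave the range seen in training. The constant-shift window is the caveat worth keeping in mind: covariance is invariant to adding a constant to a feature, so a flood held at a perfectly steady rate changes only the mean and passes this test unchanged. A second-order detector of this kind is therefore best paired with a first-order check on the feature means or rates.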


Keywords: Covariance Matrix, False Alarm Rate, Intrusion Detection, Anomaly Detection, Intrusion Detection System


Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Shuyuan Jin (1)
  • Daniel So Yeung (1)
  • Xizhao Wang (2)
  • Eric C. C. Tsang (1)
  1. Department of Computing, Hong Kong Polytechnic University, Hong Kong
  2. School of Mathematics and Computer Science, Hebei University, Baoding, China