Nonparametric Kullback-Leibler distance-based method for networks intrusion detection

2020 
Anomaly detection enables identifying atypical events in network systems. Detecting denial of service (DOS) and distributed DOS (DDOS) attacks is a critical security challenge confronting network technologies. This work advocates using Kullback-Leibler distance (KLD) to detect DOS and DDOS flooding attacks, including SYN flood, UDP flood, and Smurf attacks. The proposed mechanism's key novelty is the amalgamation of the desirable characteristics of KLD with the sensitivity of an exponential smoothing algorithm. Notably, exponential smoothing is expected to improve the detector's sensitivity to small anomalies. In addition, the proposed mechanism requires no prior knowledge of the data distribution. Using kernel density estimation to set the threshold for the ES-KLD decision statistic further improves the flexibility of the proposed mechanism. Tests on the publicly available DARPA99 dataset show that the developed approach detects cyber-attacks better than traditional monitoring procedures.
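The pipeline the abstract describes (KLD against a benign reference, exponential smoothing, KDE-derived threshold), as an added illustration that is not code from the paper. The packet-size feature, the bin edges, the smoothing factor lam = 0.3, Silverman's bandwidth rule and alpha = 0.005 are assumptions, and the traffic windows are constructed from a seeded generator, not taken from DARPA99.

```python
import math
import random
# Constructed feature: packet sizes (bytes) per time window, binned into a
# histogram; a SYN flood collapses sizes toward minimum-length segments.
BINS = [0, 64, 128, 256, 512, 1024, 2000]  # bin edges (assumed, constructed)
EPS = 1e-6                                 # keeps log(p/q) finite on empty bins

def histogram(sizes):
    counts = [0] * (len(BINS) - 1)
    for s in sizes:
        counts[max(i for i, e in enumerate(BINS[:-1]) if s >= e)] += 1
    total = sum(counts) + EPS * len(counts)
    return [(c + EPS) / total for c in counts]

def kld(p, q):
    """Kullback-Leibler distance D(P||Q) = sum p_i * log(p_i / q_i)."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))

def es_kld_series(windows, reference, lam=0.3):
    """Per-window KLD vs. the benign reference, smoothed s_t = lam*x_t + (1-lam)*s_{t-1}."""
    out, s = [], None
    for w in windows:
        x = kld(histogram(w), reference)
        s = x if s is None else lam * x + (1 - lam) * s
        out.append(s)
    return out

def kde_threshold(train, alpha=0.005):
    """(1-alpha) quantile of a Gaussian KDE (Silverman bandwidth) on attack-free ES-KLD values."""
    n, mu = len(train), sum(train) / len(train)
    bw = max(1.06 * math.sqrt(sum((x - mu) ** 2 for x in train) / (n - 1)) * n ** -0.2, 1e-9)
    cdf = lambda h: sum(0.5 * (1 + math.erf((h - x) / (bw * math.sqrt(2)))) for x in train) / n
    lo, hi = min(train) - 6 * bw, max(train) + 6 * bw
    for _ in range(80):                      # bisection on the KDE CDF
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if cdf(mid) < 1 - alpha else (lo, mid)
    return hi

BENIGN_SIZES = [60, 80, 200, 600, 1200, 1460]   # constructed benign mix
FLOOD_SIZES = [40, 44, 48, 60]                  # constructed SYN-flood segments

def run_demo(seed=7, n_train=40):
    """Fit reference and threshold on benign windows, then score 5 benign + 5 flood windows."""
    rng = random.Random(seed)
    reference = histogram([s for _ in range(30) for s in rng.choices(BENIGN_SIZES, k=200)])
    stream = [rng.choices(BENIGN_SIZES, k=200) for _ in range(n_train + 5)]
    stream += [rng.choices(FLOOD_SIZES, k=1000) for _ in range(5)]
    stats = es_kld_series(stream, reference)
    thr = kde_threshold(stats[:n_train])
    return thr, [s > thr for s in stats[n_train:]]  # (threshold, alarm flags)
```

The flood windows raise the smoothed statistic well above the KDE threshold from the first attack window on, while the threshold itself is learned only from attack-free statistics, which is what lets the scheme run without a parametric model of the traffic.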