DETECTING TIME-JITTERING IN A CONNECTION CHAIN. Khoa Le Mentor: Dr. Stephen Huang, Yingwei Kuo. M. A. D. Stepping-Stone Intrusion. B. Internet. C. Correlation-Based Approach. Attack. Time Jittering. S 1. ?. Y. Stepping-Stone Correlation. Decision. N. S 2. Normal.

DETECTING TIME-JITTERING IN A CONNECTION CHAIN

Khoa Le

Mentor: Dr. Stephen Huang, Yingwei Kuo

Correlation-Based Approach

[Diagram: S1 and S2 feed Stepping-Stone Correlation, followed by a Decision (Y: Attack, N: Normal). Time Jittering is marked with "?".]

Detecting Time-Jittering

[Diagram labels: S1, S2, Time-Jittering Detection, Decision (Y / N), Attack, Stepping-Stone Correlation, Decision (Y / N), Normal.]

Inter-arrival time (gaps)
  • The gaps between packets will change when jittering is applied.
  • Some gaps contract, while others expand
    • Resulting in different probability distributions
Hypothesis
  • The jittered traffic seems to fit a lognormal distribution better than the normal traffic does
Algorithm

[Flow diagram with two parallel paths:]
  • Training Data (Non-Chaffed) → Distribution Parameter Estimation (MLE Algorithm) → Parameters of the Model → Distribution GOF Test (KS Test or AD Test) → Test Statistic → Profile Building (Threshold Calculation)
  • Testing Data → Distribution Parameter Estimation (MLE Algorithm) → Parameters of the Model → Distribution GOF Test (KS Test or AD Test) → Test Statistic → Threshold Testing → Jittered / Non-jittered


Parameters Estimation
  • Input:
    • A set of observed inter-arrival times {x1, ... , xn}
    • The probability density function f(x) of a testing distribution model (lognormal and Pareto distributions were used)
    • Least Squares, Maximum Likelihood Estimates, etc.
  • Output:
    • The estimated parameters of the testing model.
Goodness of Fit (GOF)
  • Evaluate the “distance” (test statistic) between the data and the testing distribution
  • Kolmogorov-Smirnov Test, Anderson-Darling Test, etc
Kolmogorov-Smirnov Test

D = max(|F(x)-G(x)|)

Profile Building
  • For every training data set, collect its test statistic.
  • The resulting cluster of test statistics is called the profile.
  • Any given traffic whose test statistic does not fall in that cluster is tagged as jittered traffic.
Testing Phase
  • For any given traffic, it goes through all the same procedures
  • Its test statistic will be tested against the threshold
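
An added sketch of the pipeline on the Parameters Estimation, Goodness of Fit, Profile Building and Testing Phase slides (not the presenter's code): lognormal MLE, the KS statistic against the fitted model, and a profile check. The threshold rule (training range widened by `margin`), the function names, and the constructed exponential and lognormal traces are assumptions; the slides do not specify them.

```python
import math
from statistics import NormalDist

def fit_lognormal(gaps):
    """MLE for a lognormal model: mean and std of the log inter-arrival gaps."""
    logs = [math.log(g) for g in gaps]  # gaps must be > 0; drop zero gaps first
    mu = sum(logs) / len(logs)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in logs) / len(logs))
    return mu, sigma

def ks_statistic(gaps):
    """D = max|F(x) - G(x)|, F = empirical CDF, G = fitted lognormal CDF."""
    model = NormalDist(*fit_lognormal(gaps))
    xs, n, d = sorted(gaps), len(gaps), 0.0
    for i, x in enumerate(xs):
        g = model.cdf(math.log(x))
        # F steps from i/n to (i+1)/n at x, so compare G with both sides
        d = max(d, abs((i + 1) / n - g), abs(i / n - g))
    return d

def build_profile(training_sets, margin=0.02):
    """Assumed threshold rule: range of training statistics widened by margin."""
    stats = [ks_statistic(s) for s in training_sets]
    return min(stats) - margin, max(stats) + margin

def is_jittered(gaps, profile):
    """Tag traffic whose test statistic falls outside the profile cluster."""
    lo, hi = profile
    return not (lo <= ks_statistic(gaps) <= hi)

# Constructed sample data (deterministic quantiles, not captured traffic).
def exponential_gaps(n, mean):
    """Assumed stand-in for non-jittered traffic: exponentially distributed gaps."""
    return [-mean * math.log(1 - (i + 0.5) / n) for i in range(n)]

def lognormal_gaps(n, mu, sigma):
    """Assumed stand-in for jittered traffic, following the Hypothesis slide."""
    z = NormalDist()
    return [math.exp(mu + sigma * z.inv_cdf((i + 0.5) / n)) for i in range(n)]

TRAINING = [exponential_gaps(n, m) for n, m in [(300, 0.05), (400, 0.2), (500, 1.0)]]
PROFILE = build_profile(TRAINING)

if __name__ == "__main__":
    for name, trace in [("non-jittered", exponential_gaps(350, 0.1)),
                        ("jittered", lognormal_gaps(400, -2.0, 0.8))]:
        print(name, round(ks_statistic(trace), 4), is_jittered(trace, PROFILE))
```
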
Detection Rate
  • False Positive Rate
    • Falsely raise alarm when no jittering occurs
  • True Positive Rate
    • Raise alarm correctly
Detection Rate Example

[Figure labels: True Negative Rate, False Negative Rate, False Positive Rate, True Positive Rate]

Result
  • Accuracy depends on the following three factors:
    • The percentage of packets that are being delayed
    • The mean of the delaying probability distribution
    • The standard deviation of the distribution
Jittered Rate
  • For a fixed mean and standard deviation, the accuracy is proportional to the jittered rate
Standard Deviation
  • For high jittered rate, the accuracy is proportional to the standard deviation.
Mean
  • For low jittered rate, the accuracy is proportional to the mean.
Summary of My Work
  • Implemented the algorithm on time-jittering
  • Analyzed the result
  • Drew conclusions about the behavior of the jittering effect