Title: Utilization of Statistical Control Charts for DoS Network Intrusion Detection

Issue Number: Vol. 7, No. 2
Year of Publication: Jun - 2018
Page Numbers: 166-174
Authors: Dimitris Sklavounos , Aloysius Edoh, George Paraskevopoulos
Journal Name: International Journal of Cyber-Security and Digital Forensics (IJCSDF)
- Hong Kong
DOI:  http://dx.doi.org/10.17781/P002391


The present work proposes a new method for denial of service (DoS) intrusion detection, by utilizing two types of statistical control charts on the UDP and ICMP source bytes. The utilized control charts are: the tabular cumulative sum (CUSUM) chart and the exponential weighted moving average (EWMA) chart. Both mechanisms are applied on the captured source bytes of the aforementioned protocols of the experimental dataset NSL-KDD. Two intrusion scenarios were evaluated. In the first scenario intrusion occurred at a set time instance in the UDP packets in a first case, while in the second case the intrusion occurred in UDP and ICMP packets as they were examined in a concurrent manner. In both cases, a shift in the source bytes mean value took place after the intrusion and this was clearly depicted in the CUSUM chart. In the second scenario several intrusions occurred at various time instances in the above protocols’ packets which have been clearly depicted in the EWMA chart. Thus, the intrusion detection in both scenarios was successfully achieved.