A Thermodynamics-Based Model of Network Conversation Flux for Intrusion Detection

摘要

A novel system for conducting non-signature based, or pattemless, intrusion detection of computer networks is presented. This system uses principles of thermodynamics to model network conversation characteristics. Observing the properties of entropy, energy and temperature within the system develops a notion of baseline operating conditions. Perturbations in these properties are considered potential intrusions for further investigation. System functions are decomposed into a network sensing device, a real-time processing component and a forensics component State definitions for a variety of conditions are discussed. Finally, examples of valid intrusions and other network perturbations in real traffic collected in network operation center backbones are presented. Preliminary results indicate this system has significant potential for revealing anomalies in large network systems.