In present-day Internet communication, the techniques attackers use for intrusion and denial of service (DoS) have become highly sophisticated, and new types of worms and viruses appear one after another. These rogue programs consume the available bandwidth, disrupting network communication or causing information to leak, and so pose a serious problem for Internet security.
In view of this situation, attention has recently been directed to the anomaly-sensitive intrusion detection system (IDS), a system tuned specifically to detect new types of attack on a network. Under the rationale of the anomaly-sensitive IDS, the normal operating state of the network is defined in advance; the IDS then observes the current state of the network, compares it with the normal state, evaluates how far the current state diverges from the normal one, and decides from that evaluation whether an intrusion is taking place. Compared with the misuse-detection (signature-based) IDS represented by Snort (M. Roesch, "Snort - Lightweight Intrusion Detection for Networks," Proc. USENIX LISA '99 Conf., November 1999), the anomaly-sensitive IDS has the advantage that it can detect a new type of attack, because it requires no rules or signatures to detect an intrusion. Moreover, besides detecting unauthorized access to a network, the anomaly-sensitive IDS can detect other network anomalies, such as the failure of hardware components or the shutdown of a server, and intrusion detection based on anomaly detection has therefore become an important element of network management.
Anomaly-sensitive intrusion detection requires a proper definition of the normal operating state of the network, and for that purpose an operating-state assessment parameter that allows the operating state to be evaluated quantitatively. Y. Uchiyama et al. offer a method directed specifically at the detection of DoS attacks (Y. Uchiyama et al., "Detecting and Tracing DDoS Attacks in the Traffic Analysis Using Auto Regressive Model," IEICE Transactions on Traffic Measurement and Analysis, Vol. E87-D, No. 12, p. 2635, December 2004). In that method, the number of packets per unit time expected from past operation is introduced as a feature value, and the normal operating state is defined in terms of that feature value. However, when the normal operating state is defined by the number of packets passed per unit time, that is, by the absolute value of a single parameter, the method cannot respond promptly to abrupt changes in the network's traffic flow that occur during normal operation. To cope with this problem, N. Nakai et al. count the packets observed for each of several traffic types, take those counts as feature values, compute the ratios of the feature values between traffic types, and use the ratios to define the normal state of the network (N. Nakai et al., "Detection of the Intrusion of a Network Based on the Change of Internal Condition of Traffic," Research Report of the Japanese Society for Electronic Information Technology, NS2005-5, April 2005). An alternative method is offered by T. Oikawa et al. (T. Oikawa et al., "Detection of the Intrusion of a Network by Means of Statistical Clustering," Research Report of the Japanese Society for Electronic Information Technology, NS2002-143, October 2002).
In the same manner, this method also counts the packets of each traffic type, calculates the correlation coefficients between the different traffic types using principal component analysis, and defines the normal operating condition of the network by the principal component coordinate obtained from that calculation. Because the various types of traffic flowing through a network are governed by a number of protocols, the flow of a given traffic type and its changes can be expected to keep a certain relationship to one another under normal operating conditions, so a definition of the normal operating condition based on such correlations is effective for detecting an anomaly in the network, if one occurs.
However, in the method offered by T. Oikawa the operating condition of the network is evaluated by reference to a single principal component coordinate obtained by plotting the correlation coefficients between the different feature values, which makes it difficult to identify the cause of an anomaly. In view of this, Japanese Patent Application No. 2005-323007, titled "Method and System for Detecting an Anomaly of a Network," provides a method for identifying the cause of an anomaly when one occurs; the method evaluates the operating condition of the network from the plural correlation coefficients calculated for each pair of feature values. To reduce the loss of information about the normal operating condition, this method defines the normal operating condition by a histogram of the occurrence probabilities of the correlation coefficients, rather than by their average or variance. It evaluates the severity of an anomaly by determining the correlation coefficients between the different feature values, deriving a histogram from them, and comparing that histogram with the occurrence probability profile of the corresponding normal histogram.
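As an added illustration of the pairwise-correlation histogram scheme described above (example code written for this page, not code from the patent application or from any of the cited papers): packet counts per traffic type over consecutive time slots are the feature values, the correlation coefficient of each pair of types is binned into a histogram over normal windows to give an occurrence-probability profile, and a new window is scored per pair by how improbable its coefficient is under that profile, so the pairs with high severity point at the cause. The traffic types, slot counts, bin width and the threshold are constructed assumptions.

```python
from itertools import combinations
from math import sqrt

BINS = 10  # coefficient range [-1, 1] split into 10 bins of width 0.2

def pearson(xs, ys):
    """Correlation coefficient of two equal-length series (0.0 if either is constant)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / sqrt(sxx * syy)

def bin_of(r):
    """Histogram bin index for a coefficient r in [-1, 1]."""
    return min(int((r + 1) / 2 * BINS), BINS - 1)

def pair_coefficients(window):
    """window: {traffic_type: [packets per slot]} -> {(a, b): r} for every pair of types."""
    return {(a, b): pearson(window[a], window[b]) for a, b in combinations(sorted(window), 2)}

def normal_profile(windows):
    """Per pair, the occurrence probability of each coefficient bin over the normal windows."""
    counts = {}
    for w in windows:
        for pair, r in pair_coefficients(w).items():
            counts.setdefault(pair, [0] * BINS)[bin_of(r)] += 1
    return {pair: [c / sum(h) for c in h] for pair, h in counts.items()}

def evaluate(profile, window):
    """Severity per pair: 1 minus the normal probability of the bin the observed r falls in."""
    return {pair: 1 - profile[pair][bin_of(r)] for pair, r in pair_coefficients(window).items()}

def suspect_pairs(severity, threshold=0.5):
    """Pairs whose severity exceeds the threshold, i.e. the feature values implicated as the cause."""
    return sorted(pair for pair, s in severity.items() if s > threshold)

def make_window(tcp, icmp=None):
    """Constructed sample: UDP and ICMP counts track TCP, with small slot-dependent jitter."""
    return {"tcp": tcp,
            "udp": [t // 2 + i % 3 for i, t in enumerate(tcp)],
            "icmp": icmp or [t // 10 + i % 2 for i, t in enumerate(tcp)]}

NORMAL_WINDOWS = [make_window([100, 120, 80, 140, 120, 100]),
                  make_window([200, 220, 180, 260, 240, 200]),
                  make_window([60, 80, 40, 100, 80, 60])]
# Constructed window: an ICMP burst that no longer tracks TCP/UDP, while TCP/UDP stay normal.
ATTACK_WINDOW = make_window([100, 120, 80, 140, 120, 100], icmp=[10, 500, 520, 12, 530, 11])
```

`suspect_pairs(evaluate(normal_profile(NORMAL_WINDOWS), ATTACK_WINDOW))` names only the two pairs involving ICMP, which is the information a single principal-component coordinate cannot give.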