Nonparametric Kullback-Leibler distance-based method for networks intrusion detection

Benamar Bouyeddou, Benamar Kadri, Fouzi Harrou, Ying Sun

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Scopus citations


Anomaly detection enables identifying atypical events in network systems. Revealing denial of service (DOS) and distributed DOS (DDOS) is a critical security challenge confronting network technologies. This work advocates using Kullback-Leibler distance (KLD) to track DOS and DDOS flooding attacks, including SYN flood, UDP flood, and Smurf attacks. The proposed mechanism's key novelty is the amalgamation of the desirable characteristics of KLD with the sensitivity of an exponential smoothing algorithm. Notably, the use of exponentially smoothing is expected to improve the detector sensitivity to small anomalies. Besides, the proposed mechanism does not need knowledge about data distribution. Meanwhile, kernel density estimation usage to set a threshold for ES-KLD decision statistic improves the flexibility of the proposed mechanism. Tests on the publicly available DARPA99 dataset showing enhanced outputs of the developed approach in detecting cyber-attacks compared to other traditional monitoring procedures.
Original languageEnglish (US)
Title of host publication2020 International Conference on Data Analytics for Business and Industry: Way Towards a Sustainable Economy (ICDABI)
ISBN (Print)9781728196756
StatePublished - Oct 26 2020

Bibliographical note

KAUST Repository Item: Exported on 2021-02-26


Dive into the research topics of 'Nonparametric Kullback-Leibler distance-based method for networks intrusion detection'. Together they form a unique fingerprint.

Cite this