Therminator: Configuring the Underlying Statistical Mechanics Model
Abstract
The rapid increase in sophisticated Internet attacks has left the security industry lagging far behind. In an attempt to improve network security, Therminator, a patternless intrusion detection system, was developed in 2001 by NPS in conjunction with NSA. The Therminator model uses statistical mechanics to analyze network traffic as a system of exchanges. Being highly configurable, Therminator can be adapted for any network configuration. Until now, however, no exploration had been conducted on the configuration parameters of the underlying statistical mechanics model. It is important to understand the effects of these parameters to optimize anomaly detection. Thus the current study explored these parameters using HTTP traffic generated in a controlled test environment. Results were as follows: equations were developed for state counting to determine bucket state space sizes; bucket state space size was found to be symmetrical about the midpoint of the boundary conditions; proper display period was based on traffic rate; and lastly, the more orthogonal anomalous traffic was to the normal traffic, the larger the perturbation was in the state graph. These results provide needed insight into properly configuring Therminator for optimal anomaly detection, ultimately affording the Department of Defense greater network security.
Document Details
- Document Type: Technical Report
- Publication Date: Dec 01, 2003
- Accession Number: ADA420540
Entities
People
- Daniel W. Ettlich
Organizations
- Naval Postgraduate School