Journal of Information Security

Volume 15, Issue 3 (July 2024)

ISSN Print: 2153-1234   ISSN Online: 2153-1242

Google-based Impact Factor: 3.25

Incident Detection Based on Differential Analysis

PP. 378-409
DOI: 10.4236/jis.2024.153022

ABSTRACT

Internet services and web-based applications play pivotal roles in various sensitive domains, including e-commerce, e-learning, e-healthcare, and e-payment. Safeguarding these services is a significant challenge, and the need for robust security measures is increasingly pressing. This paper presents a method based on differential analysis to detect abrupt changes in network traffic characteristics. The core idea is to identify abrupt alterations in selected characteristics of the analyzed traffic, such as input/output volume, the number of TCP connections, or the number of DNS queries. The traffic is first segmented into a sequence of slices, and the chosen characteristics are measured for each slice. The distance between successive values of each measured characteristic is then computed and clustered to detect sudden changes. The approach combines several techniques, including propositional logic, distance metrics (e.g., Kullback-Leibler divergence), and clustering algorithms (e.g., K-means). When applied to two distinct datasets, the proposed approach performs well, achieving detection rates of up to 100%.
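To make the pipeline in the abstract concrete, here is an added Python example; it is not the authors' code and does not reproduce their experiments. It assumes four per-slice characteristics (bytes in, bytes out, TCP connections, DNS queries), a constructed twelve-slice sample in which slices 8 and 9 carry a surge in TCP connections, Kullback-Leibler divergence of each slice's characteristic distribution from the previous slice's, and a two-cluster one-dimensional K-means (centroids initialised at the smallest and largest distance) to separate ordinary slice-to-slice variation from abrupt changes. The propositional-logic layer the paper mentions is not modelled.

```python
import math

# Constructed sample input (not from the paper): one row per traffic slice,
# columns = [bytes_in_kB, bytes_out_kB, tcp_connections, dns_queries].
# Slices 0-7 and 10-11 are ordinary; slices 8-9 carry a surge in TCP connections.
SLICES = [
    [500, 480, 40, 20],
    [510, 470, 42, 19],
    [495, 485, 38, 21],
    [505, 475, 41, 20],
    [500, 490, 39, 22],
    [515, 480, 40, 18],
    [498, 478, 43, 20],
    [502, 482, 40, 21],
    [520, 470, 900, 15],   # surge begins
    [540, 460, 1100, 18],  # surge continues
    [505, 480, 41, 20],    # back to normal
    [500, 485, 40, 19],
]


def to_distribution(counts):
    """Turn a slice's raw counts into a probability vector.
    Add-one smoothing keeps every component non-zero so KL stays finite
    even when a slice records zero of some characteristic."""
    smoothed = [c + 1 for c in counts]
    total = sum(smoothed)
    return [c / total for c in smoothed]


def kl_divergence(p, q):
    """Kullback-Leibler divergence D(p || q) in nats for two probability vectors."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0)


def successive_distances(slices):
    """KL divergence of each slice's distribution from the previous slice's.
    Element i describes the transition into slice i+1."""
    dists = [to_distribution(s) for s in slices]
    return [kl_divergence(dists[i], dists[i - 1]) for i in range(1, len(dists))]


def kmeans_1d(values, iterations=100):
    """Two-cluster Lloyd's k-means on scalars. Centroids start at the min and
    max so the clusters separate 'small jump' from 'large jump'.
    Returns (centroids, labels) with labels indexed like values."""
    centroids = [min(values), max(values)]
    labels = [0] * len(values)
    for _ in range(iterations):
        new_labels = [0 if abs(v - centroids[0]) <= abs(v - centroids[1]) else 1
                      for v in values]
        if new_labels == labels:
            break
        labels = new_labels
        for j in (0, 1):
            members = [v for v, lab in zip(values, labels) if lab == j]
            if members:  # an empty cluster keeps its previous centroid
                centroids[j] = sum(members) / len(members)
    return centroids, labels


def detect_abrupt_changes(slices):
    """Indices of slices whose transition from the previous slice lands in the
    high-distance cluster, i.e. candidate incident boundaries."""
    distances = successive_distances(slices)
    if len(distances) < 2:
        return []
    centroids, labels = kmeans_1d(distances)
    high = 0 if centroids[0] > centroids[1] else 1
    return [i + 1 for i, lab in enumerate(labels) if lab == high]


if __name__ == "__main__":
    for i, d in enumerate(successive_distances(SLICES), start=1):
        print(f"slice {i:2d}: KL from previous = {d:.4f}")
    print("abrupt changes at slices:", detect_abrupt_changes(SLICES))
```

On the constructed sample the two flagged slices are 8 (the surge starts) and 10 (traffic returns to normal); the transition from slice 8 to slice 9 is not flagged because both slices share the same surge profile. That is the behaviour a differential detector has: it marks boundaries of a change, so an analyst pairs each flagged slice with the surrounding ones to see whether a spike in one characteristic (here TCP connections) or a broad shift explains it.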

Share and Cite:

Ali Elsiddig, M. and Mejri, M. (2024) Incident Detection Based on Differential Analysis. Journal of Information Security, 15, 378-409. doi: 10.4236/jis.2024.153022.

Copyright © 2025 by authors and Scientific Research Publishing Inc.

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.