Simulation of self-similarity in network utilization patterns as a precursor to automated testing of intrusion detection systems

The behavior of a certain class of automatic intrusion detection systems (IDSs) may be characterized as sensing patterns of network activity which are indicative of hostile intent. An obvious technique to test such a system is to engage the IDSs of interest, and then use human actors to introduce the activities of a would-be intruder. While having the advantage of realism, such an approach is difficult to scale to large numbers of intrusive behaviors. Instead it would be preferable to generate traffic which includes these manifestations of intrusive activity automatically, While such traffic would be difficult to produce in a totally general way, there are some aspects of network utilization which may be reproducible without excessive investment of resources. In particular, real network loading often exhibits patterns of self-similarity, which may be seen at various levels of time scaling. These patterns should be replicated in simulated network traffic as closely as is feasible, given the computational ability of the simulator. This motivates interest in an efficient way to detect multiscale phenomena in network traffic, as well as a means to create simulated traffic that exhibits the desired characteristics. We propose the use of multiresolution wavelet analysis as a technique which may be used to accomplish the desired detection, and subsequent construction of self-similarity in the simulated traffic. Following a multiresolution decomposition of the traffic using an orthogonal filterbank, the resulting wavelet coefficients may be filtered according to their magnitude. Some of the coefficients may be discarded, yielding an efficient representation. We investigate the effect of compression upon the reconstructed signal's self-similarity, as measured by its estimated Hurst parameter.