A Proposal for Kelly Criterion–Based Lossy Network Compression

Report No. ARL-TR-7614
Authors: Sidney C Smith; Robert J Hammell II
Date/Pages: March 2015; 30 pages
Abstract: This proposal describes the development of a Kelly criterion–inspired compression algorithm to be used in distributed network intrusion detection applications. Most of these applications only send alerts to the central analysis servers. These alerts do not provide the forensic capability that the analysts require to determine if this is an actual or attempted intrusion. Standard lossless compression algorithms do not reduce the size of the traffic enough to prevent negatively impacting the site. Kelly's algorithm instructs a gambler how much to bet based upon the chance of winning and the potential payoff. There has been a significant amount of research into anomaly detection algorithms that will provide some indications of the maliciousness of a network session. We propose to combine expert knowledge, data mining, and best of breed anomaly detection algorithms to determine the likelihood that a session is malicious or the chance of "winning". Further, we propose using a Kelly criterion–inspired algorithm to select the amount of bandwidth or "wealth" for each session. We expect that this will minimize the total amount of traffic we transmit while maximizing the amount of malicious traffic we transmit.
Distribution: Approved for public release
  Download Report ( 0.509 MBytes )
If you are visually impaired or need a physical copy of this report, please visit and contact DTIC.

Last Update / Reviewed: March 1, 2015