Cyberterrorism Curriculum Issues

Download Report

Transcript Cyberterrorism Curriculum Issues

A Wavelet Approach to
Network Intrusion
Detection
W. Oblitey & S. Ezekiel
IUP Computer Science Dept.
Secure IT - 2005
1
Intrusion Detection:


Provides monitoring of system resources to help
detect intrusion and/or identify attacks.
Complimentary to blocking devices.




Insider attacks.
Attacks that use traffic permitted by the firewall.
Can monitor the attack after it crosses through the
firewall.
Helps gather useful information for



Detecting attackers,
Identifying attackers,
Reveal new attack strategies.
Secure IT - 2005
2
Classification:

Intrusion Detection Systems classified
according to how they detect malicious
activity:

Signature detection systems



Also called Misuse detection systems
Anomaly detection systems
Also classified as:

Network-based intrusion detection systems


Monitor network traffic
Host-based intrusion detection systems.

Monitor activity on host machines
Secure IT - 2005
3
Signature Detection:

Achieved by creating signatures:






Models of attack
Monitored events compared to models to determine
qualification as attacks.
Excellent at detecting known attacks.
Requires the signatures to be created and entered
into the sensor’s database before operation.
May generate false alarms (False Positives).
Problem:


Needs a large number of signatures for effective detection.
The database can grow very massive.
Secure IT - 2005
4
Anomaly Detection:


Creates a model of normal use and looks
for activity that does not conform to the
model.
Problems with this method:
Difficulty in creating the model of normal
activity
 If the network already had malicious activity
on it, is it ‘normal activity’?
 Some patterns classified as anomalies may
not be malicious.

Secure IT - 2005
5
Network-Based IDS




By far the most commonly employed form
of Intrusion Detection Systems.
To many people, “IDS” is synonymous
with “NIDS”.
Matured more quickly than the host-based
equivalents.
Large number of NIDS products available
on the market.
Secure IT - 2005
6
Deploying NIDS

Points to consider:




Where do sensors belong in the network?
What is to be protected the most?
Which devices hold critical information assets?
Cost effectiveness;



We cannot deploy sensors on all network segments.
Even not manageable.
We need to carefully consider where sensors are to
be deployed.
Secure IT - 2005
7
Locations for IDS Sensors

Just inside the firewall.




On the DMZ.



The firewall is a bottleneck for all traffic.
All inbound/outbound traffic pass here.
The sensor can inspect all incoming and outgoing traffic.
The publicly reachable hosts located here are often get attacked.
The DMZ is usually the attacker’s first point of entry into the
network.
On the server farm segment.

We can monitor mission-critical application servers.



Example: Financial, Logistical, Human Resources functions.
Also monitors insider attacks.
On the network segments connecting the mainframe or
midrange hosts.

Monitor mission-critical devises.
Secure IT - 2005
8
The Network Monitoring Problem


Network-based IDS sensors employ sniffing to
monitor the network traffic.
Networks using hubs:



Can monitor all packets.
Hubs transmit every packet out of every connected
interface.
Switched networks:


The sensor must be able to sniff the passing traffic.
Switches forward packets only to ports connected to
destination hosts.
Secure IT - 2005
9
Monitoring Switched Networks

Use of Switch Port Analyzer (SPAN)
configurations.



Use of hubs in conjunction with the switches.


Causes switch to copy all packets destined to a given
interface.
Transmits packets to the modified port.
The hub must be a fault-tolerant one.
Use of taps in conjunction with the switches.


Fault-tolerant hub-like devices.
Permit only one-way transmission of data out of the
monitoring port.
Secure IT - 2005
10
NIDS Signature Types


These look for patterns in packet payloads
that indicate possible attacks.
Port signatures


Watch for connection attempts to a known or
frequently attacked ports.
Header signatures

These watch for dangerous or illogical
combinations in packet headers.
Secure IT - 2005
11
Network IDS Reactions Types

Typical reactions of network-based IDS
with active monitoring upon detection of
attack in progress:
TCP resets
 IP session logging
 Shunning or blocking


Capabilities are configurable on persignature basis:

Sensor responds based on configuration.
Secure IT - 2005
12
TCP Reset Reaction

Operates by sending a TCP reset packet to
the victim host.




This terminates the TCP session.
Spoofs the IP address of the attacker.
Resets are sent from the sensor’s
monitoring/sniffing interface.
It can terminate an attack in progress but
cannot stop the initial attack packet from
reaching the victim.
Secure IT - 2005
13
IP Session Logging

The sensor records traffic passing between the
attacker and the victim.



Limitation:




Can be very useful in analyzing the attack.
Can be used to prevent future attacks.
Only the trigger and the subsequent packets are
logged.
Preceding packets are lost.
Can impact sensor performance.
Quickly consumes large amounts of disk space.
Secure IT - 2005
14
Shunning/Blocking


Sensor connects to the firewall or a packetfiltering router.
Configures filtering rules


Needs arrangement of proper authentication:



Blocks packets from the attacker
Ensures that the sensor can securely log into the
firewall or router.
A temporary measure that buy time for the
administrator.
The problem with spoofed source addresses.
Secure IT - 2005
15
Host-based IDS




Started in the early 1980s when networks were
not do prevalent.
Primarily used to protect only critical servers
Software agent resides on the protected system
Signature based:


Detects intrusions by analyzing logs of operating
systems and applications, resource utilization, and
other system activity
Use of resources can have impact on system
performance
Secure IT - 2005
16
HIDS Methods of Operation

Auditing logs:





system logs, event logs, security logs, syslog
Monitoring file checksums to identify changes
Elementary network-based signature techniques
including port activity
Intercepting and evaluating requests by
applications for system resources before they
are processed
Monitoring of system processes for suspicious
activity
Secure IT - 2005
17
Log File Auditing

Detects past activity


Cannot stop the action that set off the alarm
from taking place.
Log Files:
Monitor changes in the log files.
 New entries for changes logs are compared
with HIDS attack signature patterns for match
 If match is detected, administrator is alerted

Secure IT - 2005
18
File Checksum Examination

Detects past activity:




Cannot stop the action that set off the alarm
from taking place.
Hashes created only for system files that
should not change or change infrequently.
Inclusion of frequently changing files is a
huge disturbance.
File checksum systems, like Tripwire, may
also be employed.
Secure IT - 2005
19
Network-Based Techniques




The IDS product monitors packets
entering and leaving the host’s NIC for
signs of malicious activity.
Designed to protect only the host in
question.
The attack signatures used are not as
sophisticated as those used in NIDs.
Provides rudimentary network-based
protections.
Secure IT - 2005
20
Intercepting Requests



Intercepts calls to the operating system
before they are processed.
Is able to validate software calls made to
the operating system and kernel.
Validation is accomplished by:
Generic rules about what processes may have
access to resources.
 Matching calls to system resources with
predefined models which identify malicious
activity.

Secure IT - 2005
21
System Monitoring


Can preempt attacks before they are executed.
This type of monitoring can:






Prevent files from being modified.
Allow access to data files only to a predefined set of
processes.
Protect system registry settings from modification.
Prevent critical system services from being stopped.
Protect settings for users from being modified.
Stop exploitation of application vulnerabilities.
Secure IT - 2005
22
HIDS Software



Deployed by installing agent software on the
system.
Effective for detecting insider-attacks.
Host wrappers:




Inexpensive and deployable on all machines
Do not provide in-depth, active monitoring measures
of agent-based HIDS products
Sometimes referred to as personal firewalls
Agent-based software:

More suited for single purpose servers
Secure IT - 2005
23
HIDS Active Monitoring Capabilities

Options commonly used:

Log the event


Alert the administrator


Through email or SNMP traps
Terminate the user login


Very good for post mortem analysis
Perhaps with a warning message
Disable the user account

Preventing access to memory, processor time, or
disk space.
Secure IT - 2005
24
Advantages of Host-based IDS

Can verify success or failure of attack


Monitors user and system activities




By preventing access to system resources
By immediately identifying a breach when it occurs
Does not rely on particular network infrastructure


Useful in forensic analysis of the attack
Can protect against non-network-based attacks
Reacts very quickly to intrusions


By reviewing log entries
Not limited by switched infrastructures
Installed on the protected server itself


Does not require additional hardware to deploy
Needs no changes to the network infrastructure
Secure IT - 2005
25
Active/Passive Detection


The ability of an IDS to take action when they
detect suspicious activity.
Passive Systems:





Take no action to stop or prevent the activity.
They log events.
They alert administrators.
They record the traffic for analysis.
Active Systems:


They do all the recordings that passive systems do,
They interoperate with firewalls and routers


Can cause blocking or shunning
They can send TCP resets.
Secure IT - 2005
26
Our Approach



We present a variant but novel approach
of the anomaly detection scheme.
We show how to detect attacks without
the use of data banks.
We show how to correlate multiple inputs
to define the basis of a new generation
analysis engine.
Secure IT - 2005
27
Signals and signal Processing:

Signal definition:


Signals play important part in our daily lives


Examples: speech, music, picture, and video.
Signal Classification:




A function of independent variables like time, distance,
position, temperature, and pressure.
Analog – the independent variable on which the signal
depends is continuous.
Digital – the independent variable is discrete.
Digital signals are presented a a sequence of numbers
(samples).
Signals carry information

The objective of signal processing is to extract this useful
information.
Secure IT - 2005
28
Energy of a Signal:



We can also define a signal as a function of
varying amplitude through time.
The measure of a signal’s strength is the area
under the absolute value of the curve.
This measure is referred to as the energy of the

signal and is defined as:
2

Energy of continuous signal Ea 
  x(t )  dt



Energy of discrete signal Ed 
Secure IT - 2005

  x(t ) 
2
t 
29
What is Wavelet? ( Wavelet Analysis)




Wavelets are functions that satisfy certain mathematical
requirements and are used to represent data or other functions
Idea is not new--- Joseph Fourier--- 1800's
Wavelet-- the scale we use to see data plays an important role
FT non local -- very poor job on sharp spikes
Wavelet db10
Sine wave
Secure IT - 2005
30
History of wavelets









1807 Joseph Fourier- theory of frequency analysis-- any 2pi functions f(x) is
the sum of its Fourier Series
1909 Alfred Haar-- PhD thesis-- defined Haar basis function---- it is compact
support( vanish outside finite interval)
1930 Paul Levy-Physicist investigated Brownian motion ( random signal) and
concluded Haar basis is better than FT
1930's Littlewood Paley, Stein ==> calculated the energy of the function
1960 Guido Weiss, Ronald Coifman-- studied simplest element of functions
space called atom
1980 Grossman (physicist) Morlet( Engineer)-- broadly defined wavelet in
terms of quantum mechanics
1985 Stephen Mallat--defined wavelet for his Digital Signal Processing work
for his Ph.D.
Y Meyer constructed first non trivial wavelet
1988 Ingrid Daubechies-- used Mallat work constructed set of wavelets
The name emerged from the literature of geophysics, by a route through
France. The word onde led to ondelette. Translation wave led to wavelet
Secure IT - 2005
31
Fourier Series and Energy
f ( x )  a0 

 (a
k 1
k
cos kx  bk sin kx )
where the coefficients are calculated by
a0
2
1

2
ak 
1

f ( x ) dx
0
2
 
f ( x ) cos( kx ) dx
0
bk 
1
2
 
f ( x ) sin( kx ) dx
0
Energy of a function
1
energy 
2
f ( x)
2

2
f ( x ) dx
Secure IT - 2005
0
32
Functions




Functions (Science and Engg) often use time as their
parameter
g(t)-> represent time domain
since typical function oscillate – think it as wave– so
G(f) where f= frequency of the wave, the function
represented in the frequency domain
A function g(t) is periodic, there exits a nonzero
constant P s.t. g(t+P)=g(t) for all t, where P is called
period

periodic function has 4 important attributes




Amplitude– max value it has in any period
Period---2P
Frequency f=1/P(inverse)– cycles per second, Hz
Phase—Cos is a Sin function with a phase    / 2
Secure IT - 2005
33
Fourier, Haar



Amplitude, time  amplitude , frequency
1965 Cooley and Tukey – Fast Fourier
Transform
1 

Haar
1
0

x<




 ( x)  1

0


2

1

<x  1 
2

otherwise 


 ( x),
 (2 x), (2 x  1),
 (4 x), (4 x  1), (4 x  2), (4 x  3),
Secure IT - 2005
34
CWT

continuous wavelet transform (CWT) of a
function f(t) a mother wavelet  (t )

mother wavelet may be real or complex with the
following properties

  (t )dt  0
1.the total area under the curve=0,
 2. the total area of |  (t ) |
is finite  | (t ) | dt  
 3. Admissible condition



2
2



oscillate above and below the t-axis
energy of the function is finite function is localize
Infinite number of functions satisfies above
conditions– some of them used for wavelet
transform
 example

Morlet wavelet
Secure IT - 2005
 Mexican hat wavelet

35

once a wavelet  (t ) has been chosen , the
CWT of a square integrable function f(t) is
defined as
1
 t b
W (a, b)   f (t )
 
 dt
* denotes complex
|a|  a 

*

conjugate
 a ,b (t ) is a copy of  a ,0 (t ) shifted b units along the time axis
For any a,
Thus b is a translation parameter
Setting b=0,
Here a is a scaling parameter
a>1 stretch the wavelet and 0<a<1 shrink it
 a ,0 (t ) 
1
t
 
|a| a
Secure IT - 2005
36
Wavelets

F ( )   f (t )e jwt dt
Fourier Transform


CWT =

C( scale, position)=
f (t )  ( scale, position, t) dt

3
Scaling wave means
(or Shrinking) it
2.5
2
1
1.5
0.5
1
2
3
4
5
2.5
6
5
7.5
-0.5
Secure IT - 2005
-1
10
12.5
15
simply Stretching
17.5
Shifting
f (t) f(t-k)
37
Wavelets Continue







Wavelets are basis functions w jk (t ) in continuous time
A basis is a set of linearly independent function that can be
used to produce a function f(t)
b jk w jk (t )
f(t) = combination of basis function = 
j ,k
w jk (t ) is constructed from a single mother wave w(t) -normally it is a small wave-- it start at 0 and ends at t=N
wj 0  w(2 j t )
Shrunken ( scaled)
shifted
w j 0 (t )  w(t  k )
A typical wavelet w jk (t ) compressed j times and shifted k
times is w (t )  w(2 j t  k )
jk


Property:- Remarkable property is orthogonality i.e. their innerproducts are zero
This leads to a simple formula for bjk
Secure IT - 2005
38

Haar Transform

Digitized sound, image are discrete.  we need discrete
wavelet



 c (t  k )   c  d (2 t  k )
 where ck and dj,k are coefficients to be calculated
 example:- consider the array of 8 values
(1,2,3,4,5,6,7,8)
 4 average values 4 difference ( detail coefficients)
 calculate average, and difference for 4 averages
 continue this way
 Method is called PYRAMID DECOMPOSITION
f (t ) 
j
k 


k
k 
k
j 0
j ,k
Haar transform depends on coeff ½, ½ and
½, - ½
if we replace 2 by √2 then it is called coarse detail and fine
detail
Secure IT - 2005
39
Transforms



Transform of a signal is a new representation of that
signal
Example:- signal x0,x1,x2,x3 define y0,y1,y2,y3
Questions




1. What is the purpose of y's
2. Can we get back x's
Answer for 2: The Transform is invertible-- perfect
reconstruction
Divide Transform in to 3 groups



1. Lossless( Orthogonal)-- Transformed Signal has the same
length
2. Invertible (bi-orthogonal)-- length and angle may change- no information lost
3. Lossy ( Not invertible)-Secure IT - 2005
40
Answer to Q1: Purpose
IT SEES LARGE vs SMALL
X0=1.2, X1= 1.0, x2=-1.0, x3=-1.2
Y=[2.2 0 -2.2 0]
Key idea for wavelets is the concept of " SCALE"
We can take sum and difference again==> recursion
=> Multiresolution
Main idea of Wavelet analysis– analyze a function at
different scales– mother wavelet use to construct
wavelet in different scale and translate each relative to
the function being analyzed
Z=[ 0 0 4.4
0]
Reconstruct =====>compression 4:1








Secure IT - 2005
41
Secure IT - 2005
42
Secure IT - 2005
43
Secure IT - 2005
44
Secure IT - 2005
45
Secure IT - 2005
46
Secure IT - 2005
47
Secure IT - 2005
48







Real electricity consumption
peak in the center, followed by two drops,
shallow drop, and then a considerably weaker
peak
d1 d2 shows the noise
d3– presents high value in the beginning and at
the end of the main peak, thus allowing us to
locate the corresponding peak
d4 shows 3 successive peak– this fits the shape
of the curve remarkably
a1,a2 strong resemblance
a3 reasonable---- a4 lost lots of information
Secure IT - 2005
49
Secure IT - 2005
50
Secure IT - 2005
51
Secure IT - 2005
52
Secure IT - 2005
53









JPEG (Joint Photographic Experts Group)
1. Color images ( RGB) change into luminance, chrominance, color
space
2. color images are down sampled by creating low resolution
pixels – not luminance part– horizontally and vertically, ( 2:1 or
2:1, 1:1)– 1/3 +(2/3)*(1/4)= ½ size of original size
3. group 8x8 pixels called data sets– if not multiple of 8– bottom
row and right col are duplicated
4. apply DCT for each data set– 64 coefficients
5. each of 64 frequency components in a data unit is divided by a
separate number called quantization coefficients (QC) and then
rounded into integer
6. QC encode using RLE, Huffman encoding, Arithmetic Encoding (
QM coder)
7. Add Headers, parameters, and output the result
 interchangeable format= compressed data + all tables need for
decoder
 abbreviated format= compressed data+ not tables ( few tables)
 abbreviated format =just tables + no compressed data
- 2005
54
DECODER DO THE REVERSE OFSecure
THEITABOVE
STEPS




JPEG 2000
divide into 3 colors
each color is partitioned into rectangular, non-overlapping
regions called tiles– that are compressed individually
A tile is compressed into 4 main steps






or JPEG Y2k
1. compute wavelet transform – sub band of wavelets– integer, fp,--L+1 levels, L is the parameter determined by the encoder
2. wavelet coeff are quantized, -- depends on bit rate
3. use arithmetic encoder for wavelet coefficients
4. construct bit stream– do certain region, no order
Bit streams are organized into layers, each layer contains
higher resolution image information
thus decoding layer by layer is a natural way to achieve
progressive image transformation and decompression
Secure IT - 2005
55
Secure IT - 2005
56
Secure IT - 2005
57
A
V
H
D
Secure IT - 2005
58
Secure IT - 2005
59
Lowpass Filter = Moving Average









y(n)= x(n)/2 + x(n-1)/2 here h(0)=1/2 and
h(1)=1/2
Fits standard form for k=0,1
x= unit impulse
x=(...0 0 0 0 1 0 0 0...) then y=(...0 0 1/2 1/2 0 0..)
average filter= 1/2 (identity) + 1/2 (delay)
Every linear operator acting on a single vector x can
be rep by y=Hx
main diagonal come from identity--subdiagonal come
from delay
we have finite (two) coefficients--> FIR finite impulse
response
low pass==> scaling function
It smooth out bumps in the signal(high freq
component
Secure IT - 2005
60
Highpass Filter Moving Difference









y(n)= 1/2[x(n)-x(n-1)]
h(0)=1/2
h(1)=-1/2
y=H1x
Filter Bank === Lowpass and Highpass
they separate the signal into frequency bank
Problem:-- Signal length doubled,
both are same size as signal ==> gives double size
of the original signal
Solution:-- Down Sampling
Secure IT - 2005
61
Down Sampling








We can keep half of Ho and H1 and still recover x
Save only even-numbered components ( delete odd
numbered elements) -- denoted by (↓2)-- decimation
(↓2)y = (... y(-4) y(-2)y(0)y(2).......)
Filtering + Down sampling ==> Analysis Bank (
brings half size signal)
Inverse of this process==> Synthesis bank
i,e, Up sampling + Filtering
Add even numbered components zeros ( It will bring
full size) denoted by (↑2)
y = (↓2 y)= (↑2)(↓2 y)
Secure IT - 2005
62
Scaling function and Wavelets








corresponding to low pass--> there is scaling function  (t )
corresponding to high pass--> there is wavelet function (t )
dilation equation--> scaling function  (t )  2 N c(k ) (2t  k )

k 0
In terms of original low pass filters
N
we have  (t )  2 h(k ) (2t  k )
k 0
for h(0) and h(1) = 1/2 we have (t )   (2t )   (2t  1)
the graph  (t ) compressed by 2 gives  (2t ) and shifted by
1/2 gives  (2t  1)
By similar way the wavelet equation  (t )   (2t )   (2t  1)
Secure IT - 2005
63
Wavelet Packet



Walsh-Hadamard transform-- complete binary tree -> wavelet packet
"Hadamard matrix"==> all entries are 1 and -1 and
all rows are orthogonal-- divide two time by
sqrt(2)==> orthogonal & symmetric
sums z0=0
Compare with wavelet-- computations
sums y0 and y2
difference z2=4.4
x
sums z1=0.4
difference y1 and y3
difference z3=0
Secure IT - 2005
64
Filters and Filter Banks

Filter is a linear time-invariant operator
It acts on input vector x --- Out put vector y is the convolution
of x with a fixed vector h
h--> contains filter coefficients-- our filters are digital not
analog-- h(n) are discrete time t= nT,
T is sampling period assume it is 1 here
x(n) and y(n) comes all the time t= 0, +_ 1....
y(n) = Σh(k) x(n-k) = convolution h* x in the time domain

Filter Bank= Set of all filters








Convolution by hand--- arrange it as ordinary multiplication -- but don't
carry digits from one column to another
x= 3 2 4 h= 1 5 2
x * h = 3 17 20 24 8
Secure IT - 2005
65
Our Network Topology:

We set up a star topology network;





Four computers in an island
Each running Linux RedHat 9.2
The machines are connected by a switch
The switch is connected to a PIX 515E Firewall
3Com Ethernet Hub sits between the switch and the firewall




For Sniffing and capturing packets
We duplicated this island six times and connected
them with routers.
We then connected the islands, via the routers, to a
central Cisco switch.
For simulation purposes, we installed
Windows XP on one machine in island one.
Secure IT - 2005
66
Data Collection:


We generated packets with a Perl script on a Linux
system.
We used the three most common protocols for our
simulation:


For each protocol:





HTTP, FTP, and SMTP.
We generated a constant traffic;
We created 50 datasets each consisting of the number of
packets transmitted over two minute intervals.
We executed the same traffic scripts with a random pause
between 0 and 60 seconds.
We then rerun the traffic between 0 and 15 seconds to create
additional datasets.
We collected all the 150 datasets by Ethereal for further
analysis.
Secure IT - 2005
67
Results: Figure 1
Secure IT - 2005
68
Figure 2
Secure IT - 2005
69
Figure 3
Secure IT - 2005
70
Figure 4
Secure IT - 2005
71
Figure 5
Secure IT - 2005
72
Figure 6
Secure IT - 2005
73
Conclusion & Future Direction

We have presented:
A wavelet based – framework for network
monitoring
 This is our first phase for the development of
an engine for Network Intrusion Analysis
 This will not depend on databases and thus
will minimize false negatives and false
positives

Secure IT - 2005
74
References

[1] K. Ilgun, A real-time intrusion detection system for
UNIX, IEEE Symp. On Security and Privacy, 1993.
[2] P.Porras & R. Kemmerer, Penetration State Transition
Analysis- A Rule Based Intrusion Detection Approach,
Computer Security Applications Conference, 1992
[3]http://enterprisesecurity.symantec.com/content/
productlink.cfm
[4] http://newsroom.cisco.com/dlls/fspnisapi32b3.html
[5] http://www.iss.net
[6] A.Haar. Zur Theorie der orthogonalen
Funktionensysteme. Mathematische Annalen, 69:331371, 1910. Also in PhD thesis.
[7]A. Grossmann and J. Morlet, Decomposition of Hardy

[8] Y.Meyer. Ondeletted et operatrurs, Tome 1, Hermann Ed.,






functions into square integrable wavelets of constant
shape, SIAM J. Math. Phys., 15 (1984), pp 723-736.
1990
Secure IT - 2005
75
References







[9] S. Mallat. A theory for multiresolution signal decomposition: the
wavelet representation. IEEE Transactions on pattern recognition
and Machine Intelligence, 11(7):674-693, July 1989.
[10]I. Daubechies, Ten Lectures on Wavelets, no 61 in CBMS-NSF
Series in Applied Mathematics, SIAM, Philadelphia, 1992
[11]R. R. Coifman, A real variable characterization of Hp, Studia
Math, 51 (1974).
[12] R. R. Coifman, Y. Meyer, S. Quake, and M.V. Wickerhauser,
Signal Processing and compression with wave packets, in
Proceedings of the International Conference on Wavelets, Marseilles,
1989, Y. Meyer, ed., Masson, Paris.
[13]S. Ezekiel, Low-dimensional chaotic signal characterization using
approximate entropy, 3rd IASTED International Conference Circuits,
Signals, and Systems Cancun, May, 2003
[14] S. Ezekiel, Heart Rate Variability Signal Processing by Using
Wavelet Based Multifractal Analysis, IASTED International
Conference, Digital Signal Processing and Control, USA, May , 2001
[15]C.E.Shannon "A Mathematical Theory of Communication", Bell
Syst. Tech. J., 27,379-423, 623-56.
Secure IT - 2005
76