Characteristics of network traffic flow anomalies
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Network traffic anomaly detection based on packet bytes
Proceedings of the 2003 ACM symposium on Applied computing
Principles of Computer Security: Security+ and Beyond
Principles of Computer Security: Security+ and Beyond
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Aberrant Behavior Detection in Time Series for Network Monitoring
LISA '00 Proceedings of the 14th USENIX conference on System administration
Anomaly detection in IP networks
IEEE Transactions on Signal Processing
| Hi-index | 0.01 |
Protecting network systems against novel attacks is a pressing problem. In this paper, we propose a new anomaly detection method based on inbound network traffic distributions. For this purpose, we first present the diverse distributions of TCP/IP protocol header fields at the border router of a real campus network, and then characterize the distributions when well-known denial-of-service (DoS) attacks are present. We show that the distributions give promising baselines for detecting network traffic anomalies. Moreover we introduce the concept of entropy to transform the obtained distribution into a metric of declaring anomaly. Our preliminary explorations indicate that the proposed method is effective at detecting several DoS attacks on the real network.