Enhanced network traffic anomaly detector

Authors:
Suresh Reddy;Sukumar Nandi
Affiliations:
Department of Computer Science and Engineering, Indian Institute of Technology, Guwahati, India;Department of Computer Science and Engineering, Indian Institute of Technology, Guwahati, India
Venue:
ICDCIT'05 Proceedings of the Second international conference on Distributed Computing and Internet Technology
Year:
2005

Citing 8
Cited 0

The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Difficulties in simulating the internet

IEEE/ACM Transactions on Networking (TON)
Learning nonstationary models of normal network traffic for detecting novel attacks

Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Network traffic anomaly detection based on packet bytes

Proceedings of the 2003 ACM symposium on Applied computing
Utilizing Statistical Characteristics of N-grams for Intrusion Detection

CW '03 Proceedings of the 2003 International Conference on Cyberworlds
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
A sense of self for Unix processes

SP'96 Proceedings of the 1996 IEEE conference on Security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network intrusion detection systems often rely on matching patterns that are learned from known attacks. While this method is reliable and rarely produces false alarms, it has the disadvantage that it cannot detect novel attacks. An alternative approach is to learn a model of normal traffic and report deviations, but these anomaly models are typically restricted to modeling IP addresses and ports. We describe an anomaly detection system which models all the fields of network, transport layer and payload of a packet at the byte level, by giving more weight to the most anomalous attributes. We investigated all the attributes and assigned weights to the attributes based on their anomalous behavior. We detect 144 of 185 attacks in the DARPA off-line intrusion detection evaluation data set [1] at 10 false alarms per day (total 100 false alarms), after training on one week of attack-free traffic. We investigate the performance of the system when attack free training data is not available.