ULISSE, a network intrusion detection system

In this paper we present a tool for network anomaly detection and network intelligence which we named ULISSE. It uses a two tier architecture with unsupervised learning algorithms to perform network intrusion and anomaly detection. ULISSE uses a combination of clustering of packet payloads and correlation of anomalies in the packet stream. We show the experiments we conducted on such architecture, we give performance results, and we compare our achievements with other comparable existing systems.

[1]  A. Madansky Identification of Outliers , 1988 .

[2]  Philip K. Chan,et al.  Detecting novel attacks by identifying anomalous network packet headers , 2001 .

[3]  Stefano Zanero Improving Self Organizing Map Performance for Network Intrusion Detection , 2005 .

[4]  Richard Lippmann,et al.  Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation , 2000, Recent Advances in Intrusion Detection.

[5]  Stefano Zanero,et al.  Analyzing TCP Traffic Patterns Using Self Organizing Maps , 2005, ICIAP.

[6]  Thomas Henry Ptacek,et al.  Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection , 1998 .

[7]  M. V. Velzen,et al.  Self-organizing maps , 2007 .

[8]  Petra Perner,et al.  Data Mining - Concepts and Techniques , 2002, Künstliche Intell..

[9]  Isabelle Guyon,et al.  An Introduction to Variable and Feature Selection , 2003, J. Mach. Learn. Res..

[10]  Dit-Yan Yeung,et al.  Parzen-window network intrusion detectors , 2002, Object recognition supported by user interaction for service robots.

[11]  Marc Dacier,et al.  Intrusion detection , 1999, Comput. Networks.

[12]  Philip K. Chan,et al.  Learning nonstationary models of normal network traffic for detecting novel attacks , 2002, KDD.

[13]  Matthew V. Mahoney,et al.  Network traffic anomaly detection based on packet bytes , 2003, SAC '03.

[14]  Charu C. Aggarwal,et al.  On the Surprising Behavior of Distance Metrics in High Dimensional Spaces , 2001, ICDT.

[15]  Charu C. Aggarwal,et al.  On effective classification of strings with wavelets , 2002, KDD.

[16]  Graham J. Williams,et al.  On-Line Unsupervised Outlier Detection Using Finite Mixtures with Discounting Learning Algorithms , 2000, KDD '00.

[17]  Giuseppe Serazzi,et al.  Unsupervised learning algorithms for intrusion detection , 2008, NOMS 2008 - 2008 IEEE Network Operations and Management Symposium.

[18]  Sergio M. Savaresi,et al.  Unsupervised learning techniques for an intrusion detection system , 2004, SAC '04.

[19]  Jonathan Goldstein,et al.  When Is ''Nearest Neighbor'' Meaningful? , 1999, ICDT.

[20]  Kenji Yamanishi,et al.  Discovering outlier filtering rules from unlabeled data: combining a supervised learner with an unsupervised learner , 2001, KDD '01.

[21]  Salvatore J. Stolfo,et al.  Anomalous Payload-Based Network Intrusion Detection , 2004, RAID.

[22]  Khaled Labib,et al.  NSOM: A Real-Time Network-Based Intrusion Detection System Using Self-Organizing Maps , 2002 .

[23]  Philip K. Chan,et al.  A machine learning approach to detecting attacks by identifying anomalies in network traffic , 2003 .

[24]  Victoria J. Hodge,et al.  A Survey of Outlier Detection Methodologies , 2004, Artificial Intelligence Review.

[25]  Philip K. Chan,et al.  Learning rules for anomaly detection of hostile network traffic , 2003, Third IEEE International Conference on Data Mining.