Anomalous packet identification for network intrusion detection

A packet-level anomaly detection system for network intrusion detection in high-bandwidth network environments is described. The approach is intended for hardware implementation and could be included in the network interface, switch or firewall. Efficient implementation in software on a network host is also possible. Network traffic is characterized using a novel technique that maps packet-level payloads onto a set of counters using bit-pattern hash functions, which were chosen for their implementation efficiency in both hardware and software. Machine learning is accomplished by mapping unlabelled training data onto a set of two-dimensional grids and forming a set of bitmaps that identify anomalous and normal regions. These bitmaps are used as the classifiers for real-time detection. The proposed method is extremely efficient in both the offline machine learning and real-time detection components and has the potential to provide accurate detection performance due to the ability of the bitmaps to capture nearly arbitrary shaped regions in the feature space. Results of a preliminary study are presented that demonstrate the effectiveness of the technique.
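The pipeline the abstract describes, as an added Python illustration that is not the paper's code (the abstract does not give its hash functions, counter widths or grid construction, so the three-bit hash, eight counters, 8x8 grid and the sample traffic below are all assumptions): payload bytes are hashed onto counters, each counter pair is quantised onto a two-dimensional grid, unlabelled training sets the bits of visited cells, and detection is one bit test per pair.

```python
from itertools import combinations

N_COUNTERS = 8   # assumed: one counter per 3-bit high-order pattern of a payload byte
GRID = 8         # assumed: each counter pair is quantised onto an 8x8 grid (64-bit bitmap)

def bit_pattern_hash(byte):
    """Assumed toy bit-pattern hash: select the byte's top three bits.
    Cheap in hardware (a wire selection) and in software (one shift)."""
    return byte >> 5

def payload_counters(payload):
    """Map a packet payload onto N_COUNTERS counters, normalised by payload length."""
    counts = [0] * N_COUNTERS
    for b in payload:
        counts[bit_pattern_hash(b)] += 1
    total = max(len(payload), 1)          # avoid division by zero on empty payloads
    return [c / total for c in counts]

def grid_cell(x, y):
    """Quantise two normalised counters onto a GRID x GRID cell index (0..63)."""
    cx = min(int(x * GRID), GRID - 1)     # x == 1.0 must still land in the last column
    cy = min(int(y * GRID), GRID - 1)
    return cy * GRID + cx

def train_bitmaps(payloads):
    """Unlabelled training: for each counter pair, set the bit of every grid cell
    that training traffic visits. Set bits = normal region, clear bits = anomalous."""
    bitmaps = {pair: 0 for pair in combinations(range(N_COUNTERS), 2)}
    for p in payloads:
        c = payload_counters(p)
        for (i, j) in bitmaps:
            bitmaps[(i, j)] |= 1 << grid_cell(c[i], c[j])
    return bitmaps

def is_anomalous(bitmaps, payload):
    """Detection: one bit test per counter pair; any miss flags the packet."""
    c = payload_counters(payload)
    return any(not (bm >> grid_cell(c[i], c[j])) & 1
               for (i, j), bm in bitmaps.items())

# Constructed sample traffic (not captured data): plain-ASCII HTTP-style requests
# stand in for normal payloads; a run of high-bit bytes stands in for an outlier.
TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    b"GET /img/logo.png HTTP/1.1\r\nHost: www.example\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example\r\nContent-Length: 8\r\n\r\nu=a&p=b1",
]
OUTLIER = bytes(range(0x80, 0x100))

if __name__ == "__main__":
    bm = train_bitmaps(TRAIN)
    for p in TRAIN + [OUTLIER]:
        print(p[:20], "anomalous" if is_anomalous(bm, p) else "normal")
```

With only ASCII training traffic the counters for byte patterns 4..7 never leave cell 0, so the first high-bit payload falls in a cell no training packet visited and is flagged; a real deployment would need far more training data and some tolerance for cells adjacent to visited ones.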
