Noise-Resistant Payload Anomaly Detection for Network Intrusion Detection Systems

Anomaly-based intrusion detection systems are an essential part of an overall security solution and effectively complement signature-based detection schemes. Their strength in detecting previously unknown, never-seen attacks makes them attractive, but they are more prone to false positives. In this paper, we present a simple payload-based intrusion detection scheme that is resilient to contaminated traffic that may unintentionally be used during training. Our results show that, by adjusting the two tuning parameters used in our approach, the ability to detect attacks while maintaining low false positives is not hindered, even when 10% of the training traffic consists of attacks. Test results also show that our approach is not sensitive to changes in the parameters: a wide range of values yields high per-packet detection rates (over 99.5%) while keeping false positives low (below 0.3%).
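The abstract does not describe the scheme itself, so the following is an added illustration of the general problem it addresses, not the paper's method or code: a per-packet byte-frequency model of the kind payload anomaly detectors use, trained in two passes so that a contamination budget (`trim`) and a threshold multiplier (`margin`), both assumed knobs of this example rather than the paper's two parameters, let it survive attack packets mixed into the training set. The benign HTTP requests and the high-bit binary blobs standing in for exploit payloads are constructed here; `evaluate` returns the per-packet detection rate and false-positive rate for one knob setting.

```python
"""Byte-histogram payload anomaly detector with contamination-tolerant training.

Added example: the scoring rule and both knobs (trim, margin) are assumptions
of this illustration, not the scheme described in the paper.
"""
import math
import random

NBINS = 256
SMOOTHING = 1e-3  # regulariser added to every per-byte std (assumed constant)


def histogram(payload: bytes) -> list:
    """Normalised byte-frequency vector (256 bins) of one packet payload."""
    counts = [0] * NBINS
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


def fit(hists):
    """Per-byte mean and population std over a set of histograms."""
    m = len(hists)
    mean = [sum(h[i] for h in hists) / m for i in range(NBINS)]
    std = [math.sqrt(sum((h[i] - mean[i]) ** 2 for h in hists) / m)
           for i in range(NBINS)]
    return mean, std


def score(hist, model) -> float:
    """Simplified Mahalanobis-style distance: sum_i |x_i - mu_i| / (sigma_i + smoothing)."""
    mean, std = model
    return sum(abs(hist[i] - mean[i]) / (std[i] + SMOOTHING) for i in range(NBINS))


def train(payloads, trim: float, margin: float):
    """Two-pass training on possibly contaminated traffic.

    trim   : fraction of the highest-scoring training packets discarded as
             suspected contamination before refitting (assumed knob #1)
    margin : multiplier on the largest retained training score that becomes
             the alert threshold (assumed knob #2)
    """
    hists = [histogram(p) for p in payloads]
    first = fit(hists)                       # pass 1: fit on everything
    ranked = sorted(hists, key=lambda h: score(h, first))
    keep = ranked[: len(ranked) - int(trim * len(ranked))]
    model = fit(keep)                        # pass 2: refit without the outliers
    threshold = margin * max(score(h, model) for h in keep)
    return model, threshold


def is_anomalous(payload: bytes, model, threshold: float) -> bool:
    return score(histogram(payload), model) > threshold


# ---- constructed traffic (not captured data) --------------------------------
ALNUM = b"abcdefghijklmnopqrstuvwxyz0123456789-_."
HEAD = b"GET /"
TAIL = (b" HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")


def normal_packet(rng):
    """Benign HTTP request with a random alphanumeric path."""
    path = bytes(rng.choice(ALNUM) for _ in range(rng.randint(4, 40)))
    return HEAD + path + TAIL


def attack_packet(rng):
    """Stand-in for an exploit payload: HTTP prefix followed by high-bit binary."""
    blob = bytes(rng.randint(0x80, 0xFF) for _ in range(rng.randint(250, 400)))
    return b"POST /cgi-bin/upload HTTP/1.1\r\n" + blob


def make_dataset(seed=7, n_train=1000, contamination=0.10, n_test=200):
    """Training set with `contamination` attack share, plus clean test sets."""
    rng = random.Random(seed)
    n_bad = int(n_train * contamination)
    training = ([normal_packet(rng) for _ in range(n_train - n_bad)]
                + [attack_packet(rng) for _ in range(n_bad)])
    rng.shuffle(training)
    test_good = [normal_packet(rng) for _ in range(n_test)]
    test_bad = [attack_packet(rng) for _ in range(n_test)]
    return training, test_good, test_bad


def evaluate(trim: float, margin: float, seed: int = 7):
    """Return (per-packet detection rate, false-positive rate) for one knob setting."""
    training, good, bad = make_dataset(seed)
    model, thr = train(training, trim, margin)
    detection = sum(is_anomalous(p, model, thr) for p in bad) / len(bad)
    false_pos = sum(is_anomalous(p, model, thr) for p in good) / len(good)
    return detection, false_pos


if __name__ == "__main__":
    for trim in (0.0, 0.05, 0.15, 0.25):
        det, fpr = evaluate(trim, margin=1.5)
        print(f"trim={trim:.2f} margin=1.5  detection={det:.3f}  false_positives={fpr:.3f}")
```

On this constructed data, `trim=0.0` lets the 10% of attack packets in the training set pull the alert threshold up to their own score range, so almost no test attacks are flagged; any `trim` above the contamination share discards them in the first pass, and the refit model separates the two classes by orders of magnitude, which is why a range of `trim` and `margin` values gives the same result. The sweep in `__main__` is the check a practitioner would run before trusting a detector trained on unlabelled production traffic.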
