Detecting Network Anomalies Using CUSUM and EM Clustering

Intrusion detection has been extensively studied in the last two decades. However, most existing intrusion detection techniques detect only a limited number of attack types and report a huge number of false alarms. The hybrid approach has been proposed recently to improve the performance of intrusion detection systems (IDSs). A big challenge in constructing such a multi-sensor based IDS is how to make accurate inferences that minimize the number of false alerts and maximize the detection accuracy, thus releasing the security operator from the burden of a high volume of conflicting event reports. We address this issue and propose a hybrid framework to achieve optimal performance for detecting network traffic anomalies. In particular, we apply SNORT as the signature based intrusion detector and two anomaly detection methods, namely non-parametric CUmulative SUM (CUSUM) and EM based clustering, as the anomaly detectors. The experimental evaluation with the 1999 DARPA intrusion detection evaluation dataset shows that our approach successfully detects a large portion of the attacks missed by SNORT while also reducing the false alarm rate.
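The abstract names non-parametric CUSUM as one of the two anomaly detectors. The following is an added example, not code from the paper, showing the shape of such a detector run over a constructed series of per-second TCP SYN counts: the statistic accumulates only sustained deviations above a drift term and ignores short spikes, which is why it produces fewer false alarms than a per-sample threshold. The drift rule (baseline mean plus three standard deviations), the alarm threshold of 50 and the sample counts are assumptions chosen for illustration; the paper's own parameter choices are not on this page.

```python
"""Added example (not the paper's code): a non-parametric CUSUM change
detector applied to a constructed per-second SYN-count series."""
import statistics
from typing import List, Optional, Tuple


def calibrate(baseline: List[float], k: float = 3.0) -> float:
    """Pick the drift term from a clean baseline window: mean + k * stddev.

    Under normal traffic x_n - drift is then negative on average, so the
    CUSUM statistic stays near zero instead of accumulating. The choice
    k = 3 is an assumption for this example, not a value from the paper.
    """
    mean = statistics.fmean(baseline)
    std = statistics.pstdev(baseline)
    return mean + k * std


def nonparametric_cusum(samples: List[float], drift: float,
                        threshold: float) -> Tuple[List[float], Optional[int]]:
    """Non-parametric CUSUM: y_n = max(0, y_{n-1} + x_n - drift).

    A persistent upward shift in the observations pushes y_n above
    `threshold`, at which point the detector raises an alarm. Returns the
    full statistic path and the index of the first alarm (None if no alarm).
    """
    y = 0.0
    path: List[float] = []
    first_alarm: Optional[int] = None
    for i, x in enumerate(samples):
        y = max(0.0, y + x - drift)      # reset to zero when below drift
        path.append(y)
        if first_alarm is None and y > threshold:
            first_alarm = i
    return path, first_alarm


# Constructed sample input (not captured traffic): SYN counts per second.
# 60 s of quiet traffic around 20 SYN/s with small variation.
BASELINE: List[float] = [18, 22, 20, 19, 21, 20, 23, 17, 20, 20] * 6
# Same baseline with a single one-second burst of 40 SYN/s at t = 30.
SPIKE_SERIES: List[float] = BASELINE[:30] + [40] + BASELINE[31:]
# Baseline followed by 30 s of a sustained flood at 60 SYN/s.
FLOOD_SERIES: List[float] = BASELINE + [60] * 30


def detect(series: List[float], baseline: List[float] = BASELINE,
           threshold: float = 50.0) -> Optional[int]:
    """Calibrate on the baseline window and return the first alarm index."""
    drift = calibrate(baseline)
    _, alarm = nonparametric_cusum(series, drift, threshold)
    return alarm


if __name__ == "__main__":
    drift = calibrate(BASELINE)
    print(f"drift = {drift:.2f} SYN/s")
    for name, series in (("baseline", BASELINE), ("spike", SPIKE_SERIES),
                         ("flood", FLOOD_SERIES)):
        alarm = detect(series)
        print(f"{name:8s}: alarm at t = {alarm}" if alarm is not None
              else f"{name:8s}: no alarm")
```

With these assumed parameters the one-second spike is absorbed (the statistic rises to about 15 and decays back to zero), while the sustained flood trips the alarm on its second second, at t = 61. In a deployed detector the drift and threshold trade detection delay against false alarms and have to be re-estimated as the baseline traffic changes.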
