An Anomaly Detection System Based on Chi-Square Method with Dynamic BIN Algorithm

Statistical approaches that use the chi-square test have been proposed for detecting anomaly attacks. In these studies, features such as the IP address and the port number are used as the probabilistic variables. A method based on multiple variables, aimed at improving the accuracy of anomaly detection, has not been proposed. When the number of packets increases, the packets are classified into BINs before the chi-square calculation. The classification method depends on calculation parameters such as the window width and the number of BINs, and on the packet distribution during the night and the daytime, and it has to be changed according to these parameters. In this paper, we propose the dynamic BIN method, which classifies incoming packets automatically. We also propose CSDM (Chi-square-based Space Division Method), which detects anomaly attacks using the dynamic BIN method with multiple probabilistic variables. In experiments using the source IP address, the destination port number, and the interval time deviation of arriving packets as the probabilistic variables, the proposed dynamic BIN achieved an equal classification that does not depend on the features of the packets or on the number of BINs. In addition, the dynamic BIN mechanism and the CSDM method using two probabilistic variables were able to improve the F-measure compared to the conventional method.
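
The following is an added example, not code from the paper, whose algorithm is not given in this abstract. It assumes that "dynamic BIN" means equal-frequency bin edges derived from a baseline window and that the space division is the grid those edges form over two variables; the function names, the smoothing term and the traffic are constructed for illustration.

```python
import random
from bisect import bisect_left
from collections import Counter
from itertools import product

def dynamic_edges(values, n_bins):
    """Equal-frequency cut points taken from the baseline sample (assumed reading of 'dynamic BIN')."""
    s = sorted(values)
    # set() merges duplicate cut points caused by heavily repeated values (e.g. port 443)
    return sorted({s[(i * len(s)) // n_bins] for i in range(1, n_bins)})

def cell_of(packet, edges_per_var):
    """Map a packet (tuple of feature values) to its cell in the divided feature space."""
    return tuple(bisect_left(e, v) for v, e in zip(packet, edges_per_var))

def chi_square_score(baseline, window, n_bins):
    """Chi-square distance between a window and the baseline over the joint cells."""
    edges = [dynamic_edges(col, n_bins) for col in zip(*baseline)]
    base = Counter(cell_of(p, edges) for p in baseline)
    obs = Counter(cell_of(p, edges) for p in window)
    cells = list(product(*(range(len(e) + 1) for e in edges)))
    score = 0.0
    for c in cells:
        # +1 smoothing (an assumption) keeps expected > 0 for cells the baseline never hit
        expected = (base[c] + 1) * len(window) / (len(baseline) + len(cells))
        score += (obs[c] - expected) ** 2 / expected
    return score

def demo(seed=7):
    """Constructed traffic: (source IP as int, destination port) pairs."""
    rng = random.Random(seed)
    def normal():
        return (rng.randrange(2**32), rng.choice([53, 80, 443, rng.randrange(1024, 65536)]))
    baseline = [normal() for _ in range(2000)]
    quiet = [normal() for _ in range(500)]
    # Constructed anomaly: half the window comes from one source to one port
    noisy = [normal() for _ in range(250)] + [(0x0A000001, 23)] * 250
    return chi_square_score(baseline, quiet, 4), chi_square_score(baseline, noisy, 4)

if __name__ == "__main__":
    quiet_score, noisy_score = demo()
    print(f"quiet window: {quiet_score:.1f}  anomalous window: {noisy_score:.1f}")
```

Because the edges are recomputed from each baseline, the bins stay roughly equally filled even for a skewed feature, which is the property the abstract calls equal classification.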