Design and Implementation of an Anomaly Detection System: an Empirical Approach

Network management platforms provide flexible facilities for setting up custom applications able to detect network anomalies in a specific environment. This is because each network is made of users, services and computers with a specific behaviour that is then reflected in the generated network traffic. The goal of this paper is to show that in every network there are some global variables that can be profitably used for detecting network anomalies, regardless of the type of network users and equipment. As most of the relations among these variables are fixed, this paper shows that it is possible to define generic network rules aimed at automatically detecting selected network anomalies. Finally, it covers the design and implementation of an open-source application used to effectively validate this work on a large campus network.

1 Background and Motivation

This paper focuses on network-based intrusion detection and explores a different approach to the problem. Intrusion detection techniques can be categorised into signature detection and anomaly detection [1][2]. Signature detection systems use patterns of well-known attacks or weak spots of the system to match and identify known intrusions. They perform a pattern match between the captured network traffic and the attack signatures. If the match succeeds, the system generates an alarm. The main advantage of the signature detection paradigm is that it can accurately and efficiently detect instances of known attacks. The main disadvantage is that it lacks the ability to detect newly

[1] Mark W. Sylor et al. Using Time over Threshold to Reduce Noise in Performance and Fault Management Systems. DSOM, 2000.

[2] Luca Deri et al. Monitoring networks using ntop. 2001 IEEE/IFIP International Symposium on Integrated Network Management Proceedings, Integrated Network Management VII: Integrated Management Strategies for the New Millennium (Cat. No.01EX470), 2001.

[3] Keith McCloghrie et al. Management Information Base for network management of TCP/IP-based internets. RFC, 1990.

[4] Kathleen A. Jackson. Intrusion Detection System (IDS) Product Survey. 1999.

[5] Stefan Axelsson et al. Intrusion Detection Systems: A Survey and Taxonomy. 2002.

[6] Marcus J. Ranum et al. Implementing a generalized tool for network monitoring. Information Security Technical Report, 1997.

[7] Marc Dacier et al. Towards a taxonomy of intrusion-detection systems. Computer Networks, 1999.

[8] Matthew C. Kolon et al. Juniper Networks Routers: The Complete Reference. 2002.

[9] Joseph L. Hellerstein et al. Rule Induction of Computer Events. DSOM, 2001.

[10] Sandeep Kumar et al. Classification and detection of computer intrusions. 1996.

[11] Steven Waldbusser et al. Remote Network Monitoring Management Information Base. RFC, 1995.

[12] Stephen Northcutt et al. Network Intrusion Detection: An Analyst's Handbook. 1999.

[13] David Plonka et al. FlowScan: A Network Traffic Flow Reporting and Visualization Tool. LISA, 2000.

[14] Martin Roesch et al. Snort - Lightweight Intrusion Detection for Networks. 1999.