Classification of network anomalies in flow level network traffic using Bayesian networks

Network security is a pressing issue for everyone connected to the Internet: malicious users try to obtain unauthorized access to network resources, compromising integrity, confidentiality, and availability. In response, researchers, developers and network administrators have created many security mechanisms. Among the security solutions available on the market, Intrusion Detection Systems (IDS) monitor inbound and outbound network activity and identify suspicious traffic. An IDS compares a profile of typical network activity with the day-to-day activity it observes, searching for anomalous traffic, and raises an alert when it detects any. In this work, we propose a Bayesian network classifier that labels traffic as normal or anomalous. The Bayesian network model makes it possible to describe the cause-effect relationships that exist between the traffic features. Because of the high dimensionality of the data and the widespread use of networks, we adopted a flow-level analysis, which saves a considerable computational load. We focus on network worms and brute force attacks, using the UNB ISCX IDS 2012 and UAN W32.Worms 2008 datasets. Results in terms of false positive and true positive rates show that the model classifies normal traffic and the selected set of attacks with high efficiency.
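As an added illustration, not code from the paper, the following is a minimal Bayesian network classifier over discretised flow-level features, trained on constructed flow records and scored by the true and false positive rates the abstract reports on; the chosen features, discretisation thresholds and the network structure (including one feature-to-feature edge) are assumptions for this example, not the paper's model.

```python
from collections import Counter
# Constructed flow records (not from the ISCX 2012 or W32.Worms 2008 datasets), as
# (proto, dst_port, packets, bytes, duration_s, label): short low-volume flows to admin
# ports mimic brute-force logins; the normal set includes one long legitimate SSH session.
TRAIN = [("tcp", 22, 6, 420, 0.4, "anomalous"), ("tcp", 22, 5, 380, 0.3, "anomalous"),
         ("tcp", 22, 6, 450, 0.2, "anomalous"), ("tcp", 3389, 8, 600, 0.6, "anomalous"),
         ("tcp", 22, 4, 300, 0.3, "anomalous"), ("tcp", 443, 40, 30000, 3.2, "normal"),
         ("tcp", 80, 25, 18000, 2.1, "normal"), ("udp", 53, 2, 180, 0.1, "normal"),
         ("tcp", 22, 120, 40000, 300.0, "normal"), ("udp", 53, 2, 160, 0.05, "normal")]
TEST = [("tcp", 22, 5, 360, 0.3, "anomalous"), ("tcp", 3389, 9, 700, 0.8, "anomalous"),
        ("tcp", 80, 30, 22000, 2.5, "normal"), ("udp", 53, 2, 170, 0.1, "normal"),
        ("tcp", 22, 200, 90000, 600.0, "normal")]
# Assumed structure: every feature depends on the class; bytes-per-packet also depends on
# the packet count, a feature-to-feature (cause-effect) edge that naive Bayes cannot express.
STRUCTURE = {"proto": ("label",), "port": ("label",), "pkts": ("label",),
             "dur": ("label",), "bpp": ("label", "pkts")}
def discretize(proto, port, pkts, nbytes, dur, label=None):
    """Map one raw flow record onto the discrete node values of the network."""
    return {"proto": proto, "port": "admin" if port in (22, 23, 3389) else "other",
            "pkts": "few" if pkts <= 10 else "many", "dur": "short" if dur < 1.0 else "long",
            "bpp": "small" if nbytes / pkts < 100 else "large", "label": label}

def fit(rows):
    joint, parent = {n: Counter() for n in STRUCTURE}, {n: Counter() for n in STRUCTURE}
    for r in rows:
        for n, parents in STRUCTURE.items():
            key = tuple(r[p] for p in parents)
            joint[n][key + (r[n],)] += 1   # count of (parent values..., node value)
            parent[n][key] += 1            # count of (parent values...)
    return {"prior": Counter(r["label"] for r in rows), "joint": joint, "parent": parent,
            "arity": {n: len({r[n] for r in rows}) for n in STRUCTURE}}

def posterior(net, feats):
    """P(class | flow): prior times each node's Laplace-smoothed CPT, then normalised."""
    total, score = sum(net["prior"].values()), {}
    for c in net["prior"]:
        r, p = dict(feats, label=c), net["prior"][c] / total
        for n, parents in STRUCTURE.items():
            key = tuple(r[q] for q in parents)
            p *= (net["joint"][n][key + (r[n],)] + 1) / (net["parent"][n][key] + net["arity"][n])
        score[c] = p
    return {c: p / sum(score.values()) for c, p in score.items()}

def evaluate(net, rows, threshold=0.5):
    """(true positive rate, false positive rate) when flows with P(anomalous) > threshold alert."""
    flags = [(y, posterior(net, discretize(*x))["anomalous"] > threshold) for *x, y in rows]
    pos = sum(y == "anomalous" for y, _ in flags)
    tp = sum(f for y, f in flags if y == "anomalous")
    fp = sum(f for y, f in flags if y == "normal")
    return tp / pos, fp / (len(flags) - pos)
```

Raising `threshold` trades true positives for fewer false positives, which is the operating point an IDS administrator tunes; the long SSH session in the training set shows why the class decision cannot rest on the destination port alone.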
