Network intrusion detection systems often rely on matching patterns that are gleaned from known attacks. While this method is reliable and rarely produces false alarms, it has the obvious disadvantage that it cannot detect novel attacks. An alternative approach is to learn a model of normal traffic and report deviations, but these anomaly models are typically restricted to modeling IP addresses and ports, and do not include the application payload where many attacks occur. We describe a novel approach to anomaly detection.

We extract a set of attributes from each event (IP packet or TCP connection),including strings in the payload, and induce a set of conditional rules which have a very low probability of being violated in a nonstationary model of the normal network traffic in the training data. In the 1999 DARPA intrusion detection evaluation data set, we detect about 60% of 190 attacks at a false alarm rate of 10 per day (100 total). We believe that anomaly detection can work because most attacks exploit software or configuration errors that escaped field testing, so are only exposed under unusual consitions.


Though our rule learning techniques are applied to network intrusion detection, they are general enough for detecting anomalies in other applications.

Anomaly Detection


  Anomaly Detection.ppt (Size: 341 KB / Downloads: 1)

What is Anomaly Detection

Detection of deviation from what is consider ( or from its normal behavior)
Capable of detecting Novel attacks or new attacks
Identify a activity that are different from users or a system normal behavior
To detect unauthorized attempts to access the system

Sources of Network Data

Network probes
Packet filtering
Gathering information from router
Monitoring activity of specific user
monitoring memory and N/W usage
etc….

Packet Header Anomaly Detection

Trained on attack free traffic
Checking anomaly field of packet header.
Link Layer
Network Layer
Transport Layer
The model detect novel attacks.
Split large field
Merge small field
During training record each value of fields

ADWICE

This technique deal with massive data
Efficient data structure.
New search Index.
Dynamic nature of normal request and services.
Use clustering for training data.
Where similar data point group together into cluster. Cluster using a distance function for identify closest cluster.
ADWICE store cluster feature in main memory instead of all training data points.