Abstract
Network intrusion detection systems often rely on matching patterns that are learned from known attacks. While this method is reliable and rarely produces false alarms, it has the disadvantage that it cannot detect novel attacks. An alternative approach is to learn a model of normal traffic and report deviations, but these anomaly models are typically restricted to modeling IP addresses and ports. We describe an anomaly detection system which models all the fields of network, transport layer and payload of a packet at the byte level, by giving more weight to the most anomalous attributes. We investigated all the attributes and assigned weights to the attributes based on their anomalous behavior. We detect 144 of 185 attacks in the DARPA off-line intrusion detection evaluation data set [1] at 10 false alarms per day (total 100 false alarms), after training on one week of attack-free traffic. We investigate the performance of the system when attack free training data is not available.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Reddy, S., Nandi, S. (2005). Enhanced Network Traffic Anomaly Detector. In: Chakraborty, G. (eds) Distributed Computing and Internet Technology. ICDCIT 2005. Lecture Notes in Computer Science, vol 3816. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11604655_45
Download citation
DOI: https://doi.org/10.1007/11604655_45
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30999-4
Online ISBN: 978-3-540-32429-4
eBook Packages: Computer ScienceComputer Science (R0)