2nd International IEEE/Create-Net Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities

Research Article

Modular Approach for Anomaly Based NIDS

@INPROCEEDINGS{10.1109/TRIDNT.2006.1649119,
    author={Suresh Reddy and Sukumar Nandi},
    title={Modular Approach for Anomaly Based NIDS},
    proceedings={2nd International IEEE/Create-Net Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities},
    publisher={IEEE},
    proceedings_a={TRIDENTCOM},
    year={2006},
    month={7},
    keywords={},
    doi={10.1109/TRIDNT.2006.1649119}
}

Suresh Reddy, Sukumar Nandi. Year: 2006. Modular Approach for Anomaly Based NIDS. TRIDENTCOM, IEEE. DOI: 10.1109/TRIDNT.2006.1649119
Suresh Reddy1,*, Sukumar Nandi1,*
  • 1: Department of Computer Science and Engineering, Indian Institute of Technology, Guwahati, North-Guwahati- 780139, Assam, India
*Contact email: sureshg@iitg.ernet.in, sukumar@iitg.ernet.in

Abstract

Traditional approaches for detecting novel attacks in network traffic model the normal frequency of session IP addresses or server port usage and signal unusual combinations of these attributes as suspicious. Rather than just modeling user behavior, current systems also model network protocols from the data link through the application layer. This helps to detect attacks that exploit vulnerabilities in the implementation of protocol stacks. In this work we describe a modular approach for network anomaly detection. Our system incorporates individual modules to analyze the network traffic at three different levels (packet, flow, protocol). The total anomaly score is computed from the anomaly scores of the individual modules using a weighted attribute model. We detect 147 of 185 attacks in the DARPA off-line intrusion detection evaluation data set [1] at 10 false alarms per day (100 false alarms in total), after training on one week of attack-free traffic. We also investigate the performance of the system when attack-free training data is not available.