Research Article
Modular Approach for Anomaly Based NIDS
@INPROCEEDINGS{10.1109/COMSWA.2006.1665205, author={Suresh Reddy and Sukumar Nandi}, title={Modular Approach for Anomaly Based NIDS}, proceedings={1st International ICST Conference on Communication System Software and MiddleWare}, publisher={IEEE}, proceedings_a={COMSWARE}, year={2006}, month={8}, keywords={}, doi={10.1109/COMSWA.2006.1665205} }
- Suresh Reddy
Sukumar Nandi
Year: 2006
Modular Approach for Anomaly Based NIDS
COMSWARE
IEEE
DOI: 10.1109/COMSWA.2006.1665205
Abstract
Traditional approaches for detecting novel attacks in network traffic is to model the normal frequency of session IP addresses or server port usage and signal unusual combinations of these attributes as suspicious. Rather than just modeling user behavior, current systems also model network protocols from the data link through the application layer. This helps to detect attacks that exploit vulnerabilities in the implementation of protocol stacks. In this work we describe a modular approach for network anomaly detection. Our system incorporates individual modules to analyze the network traffic at three different levels (packet, flow, protocol). The total anomaly score is computed from the anomaly scores of the individual modules, using a weighted attribute model. We detect 147 of 185 attacks in the DARPA off-line intrusion detection evaluation data set at 10 false alarms per day (total 100 false alarms), after training on one week of attack-free traffic. We investigate the performance of the system when attack free training data is not available