1st International ICST Conference on Communication System Software and MiddleWare

Research Article

Modular Approach for Anomaly Based NIDS

  • @INPROCEEDINGS{10.1109/COMSWA.2006.1665205,
        author={Suresh  Reddy and Sukumar  Nandi},
        title={Modular Approach for Anomaly Based NIDS},
        proceedings={1st International ICST Conference on Communication System Software and MiddleWare},
  • Suresh Reddy
    Sukumar Nandi
    Year: 2006
    Modular Approach for Anomaly Based NIDS
    DOI: 10.1109/COMSWA.2006.1665205
Suresh Reddy1,*, Sukumar Nandi1,*
  • 1: Department of Computer Science and Engineering, Indian Institute of Technology, Guwahati, North-Guwahati- 780139, Assam, India.
*Contact email: sureshg@iitg.ernet.in, sukumar@iitg.ernet.in


Traditional approaches for detecting novel attacks in network traffic is to model the normal frequency of session IP addresses or server port usage and signal unusual combinations of these attributes as suspicious. Rather than just modeling user behavior, current systems also model network protocols from the data link through the application layer. This helps to detect attacks that exploit vulnerabilities in the implementation of protocol stacks. In this work we describe a modular approach for network anomaly detection. Our system incorporates individual modules to analyze the network traffic at three different levels (packet, flow, protocol). The total anomaly score is computed from the anomaly scores of the individual modules, using a weighted attribute model. We detect 147 of 185 attacks in the DARPA off-line intrusion detection evaluation data set at 10 false alarms per day (total 100 false alarms), after training on one week of attack-free traffic. We investigate the performance of the system when attack free training data is not available