1st International ICST Workshop on Enterprise Network Security

Research Article

Flow Anomaly Detection in Firewalled Networks

  • @INPROCEEDINGS{10.1109/SECCOMW.2006.359576,
        author={Michael J.  Chapple and Timothy E.  Wright and Robert M. Winding},
        title={Flow Anomaly Detection in Firewalled Networks},
        proceedings={1st International ICST Workshop on Enterprise Network Security},
  • Michael J. Chapple
    Timothy E. Wright
    Robert M. Winding
    Year: 2007
    Flow Anomaly Detection in Firewalled Networks
    DOI: 10.1109/SECCOMW.2006.359576
Michael J. Chapple1,*, Timothy E. Wright1,*, Robert M. Winding1,*
  • 1: University of Notre Dame, Notre Dame, IN
*Contact email: mchapple@nd.edu, twright@nd.edu, rwinding@nd.edu


Most contemporary intrusion detection systems rely upon comprehensive signature databases containing the characteristics of known attacks, leaving them unable to detect novel attacks. In this paper, we propose the flow anomaly detection system (FADS), an anomaly detection system based upon the analysis of network flow data in controlled environments. We show that the standard deviation and interquartile range techniques produce a manageable number of alerts when applied to this data and demonstrate the effectiveness of the system through analysis of case studies. We also demonstrate that FADS' performance is sufficient to facilitate implementation as an anomaly detection system