Abstract
An unprecedented growth in computer and communication systems in the last two decades has resulted in a proportional increase in the number and sophistication of network attacks. In particular, the number of previously-unseen attacks has increased exponentially in the last few years. Due to the rapidly evolving nature of network attacks, a considerable paradigm shift has taken place in the intrusion detection community. The main focus is now on Network Anomaly Detection Systems (NADSs), which model the normal/benign behavior of a network and flag deviations from it, and can hence detect previously-unseen attacks. Contemporary NADSs borrow concepts from a variety of theoretical fields (e.g., information theory, stochastic and machine learning, signal processing, etc.) to model benign behavior. These NADSs, however, fall short of achieving acceptable performance levels and therefore have not seen widespread commercial deployment. Thus, in this paper, we first evaluate the performance of eight prominent network-based anomaly detectors under malicious portscan attacks to identify which NADSs perform better than others and why. These NADSs are evaluated on three criteria: accuracy (ROC curves), scalability (with respect to varying normal and attack traffic rates, and deployment points) and detection delay. These criteria are evaluated using two independently collected datasets with complementary strengths. We then propose novel methods and promising guidelines to improve the accuracy and scalability of existing and future anomaly detectors. Experimental analysis of the proposed guidelines is also presented as a proof of concept.
Cite this article
Ashfaq, A.B., Ali, M.Q. & Khayam, S.A. Accuracy improving guidelines for network anomaly detection systems. J Comput Virol 7, 63–81 (2011). https://doi.org/10.1007/s11416-009-0133-5
DOI: https://doi.org/10.1007/s11416-009-0133-5