Flow-based Statistical Aggregation Schemes for Network Anomaly Detection
Document Type
Conference Proceeding
Publication Date
12-1-2006
Abstract
In this paper, we present novel Flow-based Statistical Aggregation Schemes (FSAS) for network anomaly detection. An IP flow is a unidirectional series of IP packets of a given protocol, traveling between a source and a destination within a certain period of time. Based on the "flow" concept, we developed a flow-based aggregation technique that dramatically reduces the amount of monitoring data and handles high amounts of statistics and packet data. FSAS sets up flow-based statistical feature vectors and reports them to a Neural Network Classifier. The Neural Classifier uses back-propagation networks to classify the score metric of each flow. FSAS can detect both bandwidth-type DoS and protocol-type DoS. Moreover, a flow here could be any set of packets sharing a certain common property as the "flow key". FSAS configures flows flexibly to provide security from the network level to the application level (IP, TCP, UDP, HTTP, FTP...), with different aggregation schemes, such as server-based and client-based flows. This novel IDS has been evaluated using DARPA 98 data and CONEX test-bed data. Results show the success in terms of different aggregation schemes for both datasets. © 2006 IEEE.
Identifier
34250167266 (Scopus)
ISBN
[1424400651, 9781424400652]
Publication Title
Proceedings of the 2006 IEEE International Conference on Networking, Sensing and Control, ICNSC'06
First Page
786
Last Page
791
Recommended Citation
Sui, Song; Li, Ling; and Manikopoulo, C. N., "Flow-based Statistical Aggregation Schemes for Network Anomaly Detection" (2006). Faculty Publications. 18650.
https://digitalcommons.njit.edu/fac_pubs/18650
