DocumentCode :
1427225
Title :
Knowledge-independent traffic monitoring: Unsupervised detection of network attacks
Author :
Casas, Pedro ; Mazel, Johan ; Owezarski, Philippe
Volume :
26
Issue :
1
fYear :
2012
Firstpage :
13
Lastpage :
21
Abstract :
The philosophy of traffic monitoring for the detection of network attacks is based on an acquired-knowledge perspective: current techniques detect either the well-known attacks on which they are programmed to alert, or those anomalous events that deviate from a known normal operation profile or behavior. In this article we discuss the limitations of the current knowledge-based strategy for detecting network attacks in an increasingly complex and ever-evolving Internet. From a diametrically opposite perspective, we place the emphasis on the development of unsupervised detection methods, capable of detecting network attacks in a changing environment without any previous knowledge of either the characteristics of the attack or the baseline traffic behavior. Based on the observation that a large fraction of network attacks are contained in a small fraction of traffic flows, we demonstrate how to combine simple clustering techniques to accurately identify and characterize malicious flows. To show the feasibility of such a knowledge-independent approach, we develop a robust multiclustering-based detection algorithm and evaluate its ability to detect and characterize network attacks without any previous knowledge, using packet traces from two real operational networks.
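As an added illustration of the knowledge-independent approach the abstract describes (this is example code written for this record, not code from the article or its authors), the following Python aggregates traffic into per-destination flows, clusters them in every two-dimensional feature sub-space with a small density-based clustering routine, and accumulates, for each flow, its distance from the dominant cluster in every sub-space where it falls outside that cluster. No attack signature and no baseline profile is used; the few flows that sit outside the bulk in many sub-spaces rise to the top of the ranking. The flow features, the choice of 2-D sub-spaces, the clustering thresholds and the sample flows are all assumptions made here.

```python
"""Unsupervised flow ranking by sub-space clustering (illustrative example).

Assumptions made for this example, not taken from the article: the feature
set, the use of all 2-D feature pairs as sub-spaces, eps/min_pts for the
density clustering, and the constructed sample flows.
"""
from itertools import combinations
from math import sqrt
from statistics import mean, pstdev

# Per-destination-IP flow features, in this order:
# packets, distinct source IPs, distinct destination ports, SYN ratio, mean packet size.
FEATURES = ("pkts", "srcs", "dports", "syn_ratio", "avg_size")


def build_flows():
    """Constructed sample data (not a real trace): 30 ordinary flows plus two odd ones."""
    flows = {}
    for i in range(30):  # few sources, few ports, mostly data packets
        flows[f"10.0.0.{i + 1}"] = (
            60 + (i * 37) % 140, 1 + i % 5, 1 + i % 3,
            0.05 + (i % 7) * 0.015, 400 + (i * 53) % 800,
        )
    # constructed flows with the shape of a SYN flood and of a port scan
    flows["10.0.0.99"] = (20000, 800, 1, 0.95, 60)
    flows["10.0.0.77"] = (3000, 1, 950, 0.90, 60)
    return flows


def zscore(columns):
    """Standardise each feature column so that sub-spaces are comparable."""
    out = []
    for col in columns:
        m, s = mean(col), pstdev(col) or 1.0
        out.append([(v - m) / s for v in col])
    return out


def dbscan(points, eps, min_pts):
    """Minimal density-based clustering; label -1 marks noise (outliers)."""
    n = len(points)

    def dist(a, b):
        return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    neigh = [[j for j in range(n) if dist(points[i], points[j]) <= eps] for i in range(n)]
    labels = [None] * n
    cid = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neigh[i]) < min_pts:
            labels[i] = -1          # provisional noise; may become a border point later
            continue
        labels[i] = cid
        stack = list(neigh[i])
        while stack:
            j = stack.pop()
            if labels[j] == -1:
                labels[j] = cid     # noise reached from a core point: border point
                continue
            if labels[j] is not None:
                continue
            labels[j] = cid
            if len(neigh[j]) >= min_pts:
                stack.extend(neigh[j])  # j is a core point, keep expanding
        cid += 1
    return labels


def rank_flows(flows, eps=1.0, min_pts=4):
    """Score each flow by its distance from the dominant cluster, summed over all 2-D sub-spaces."""
    keys = list(flows)
    cols = zscore([[flows[k][f] for k in keys] for f in range(len(FEATURES))])
    score = {k: 0.0 for k in keys}
    for a, b in combinations(range(len(FEATURES)), 2):
        pts = [(cols[a][i], cols[b][i]) for i in range(len(keys))]
        labels = dbscan(pts, eps, min_pts)
        members = [lab for lab in labels if lab != -1]
        if not members:
            continue
        big = max(set(members), key=members.count)   # the bulk of the traffic
        cx = mean(p[0] for i, p in enumerate(pts) if labels[i] == big)
        cy = mean(p[1] for i, p in enumerate(pts) if labels[i] == big)
        for i, k in enumerate(keys):
            if labels[i] != big:   # noise or a small cluster: accumulate evidence
                score[k] += sqrt((pts[i][0] - cx) ** 2 + (pts[i][1] - cy) ** 2)
    return sorted(score.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for ip, s in rank_flows(build_flows())[:5]:
        print(f"{ip:12s} {s:8.2f}")
```

The ranking is the output an analyst would then characterise: the top flows are reported together with the sub-spaces in which they were isolated, which is what tells a SYN flood (many sources, high SYN ratio) apart from a port scan (many destination ports) without either having been described in advance. Standardising with a z-score is itself outlier-sensitive; on a large trace a robust scaler or log-scaled counts would be the safer choice.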
Keywords :
Internet; monitoring; telecommunication congestion control; telecommunication security; baseline traffic behavior; knowledge-based strategy; knowledge-independent traffic monitoring; network attack detection; operational networks; packet trace; robust multiclustering-based detection algorithm; unsupervised detection method; Clustering algorithms; Computer crime; IP networks; Partitioning algorithms; Telecommunication network topology; Telecommunication traffic;
fLanguage :
English
Journal_Title :
Network, IEEE
Publisher :
ieee
ISSN :
0890-8044
Type :
jour
DOI :
10.1109/MNET.2012.6135851
Filename :
6135851