Intrusion Detection Based on One-class SVM and SNMP MIB Data

To rapidly detect attack and properly do response , a lightweight and fast detection mechanism for traffic flooding attacks is proposed, which use SNMP MIB statistical data gathered from SNMP agents, instead of raw packet data from network links and a machine learning approach based on a support vector machine (SVM) for attack classification. The involved SNMP MIB variables are selected by an effective feature selection mechanism and gathered effectively by the MIB update time prediction mechanism. Using MIB and SVM, it achieved fast detection with high accuracy, the minimization of the system burden, and extendibility for system deployment. The intrusion detection mechanism with hierarchical structure setup has two phases, which first distinguishes attack traffic from normal traffic and then determines the type of attacks in detail. Results of the experiment using MIB datasets collected from real experiments involving a DDoS attack demonstrate that it can be an an effective way for intrusion detection. The network attacks are detected with high efficiency, and classified with low false alarms.