DocumentCode
1890458
Title
Designing a two-level monitoring method to detect network abnormal behaviors
Author
Soo-Yeon Ji ; Seonho Choi ; Dong Hyun Jeong
Author_Institution
Bowie State Univ., Bowie, MD, USA
fYear
2014
fDate
13-15 Aug. 2014
Firstpage
703
Lastpage
709
Abstract
Monitoring network traffic behavior is critical for securing computing infrastructures. In this paper, we focus on improving the detection of anomalous network traffic behaviors by proposing a new two-level detection method that consists of abnormality detection followed by exact attack type identification. The abnormality detection is performed with rules generated by Classification and Regression Trees (CART). Then, a Support Vector Machine (SVM) is applied to build a predictive model that identifies the exact attack type (among DoS, U2R, R2L, and Probes). Since feature extraction is an important step in designing an efficient predictive model, we used the Higuchi fractal dimension and statistical measures (mean, median, and standard deviation) with an overlapping sliding window operation to extract features. Among the extracted features, only significant features are selected by applying statistical analysis, and these are used to design the predictive model. As a result, we found that our approach achieves about 80.03% accuracy in detecting network abnormal behaviors. From a comparative study, we concluded that our proposed SVM-based predictive model is superior to a widely known NN-based predictive model for identifying the exact types of attacks.
Keywords
computer network security; feature selection; regression analysis; support vector machines; telecommunication traffic; trees (mathematics); CART; DoS attack; Higuchi fractal dimension; Probes attack; R2L attack; SVM-based predictive model; U2R attack; abnormality detection; anomalous network traffic behavior detection; attack type identification; classification-and-regression trees; computing infrastructure security; feature extraction; feature selection; mean measure; median measure; network abnormal behavior detection; network traffic behavior monitoring; overlapping sliding window operation; standard deviation; statistical analysis; statistical measures; support vector machine; two-level detection method; two-level monitoring method; Accuracy; Feature extraction; Fractals; Predictive models; Support vector machines; Testing; Training;
fLanguage
English
Publisher
ieee
Conference_Titel
Information Reuse and Integration (IRI), 2014 IEEE 15th International Conference on
Conference_Location
Redwood City, CA
Type
conf
DOI
10.1109/IRI.2014.7051958
Filename
7051958