Network-based mimicry anomaly detection using divergence measures

To evade detection by network-based anomaly detectors, sophisticated attackers are trying to make their malicious traffic resemble legitimate traffic by running attacks through ports used on a daily basis (e.g., port 80 for HTTP). This mimicry traffic is potentially neglected by detectors. In this paper, we propose a Kullback-Leibler (KL) divergence-based method for detecting anomalous traffic mimicking legitimate traffic. Our method firstly observes the port pair distribution of traffic flows, which is a novel statistical traffic feature proposed in this work. Secondly, our method computes the KL divergence between the port pair distributions of the current and previous time intervals. Our method starts to find anomalous flows when the KL divergence deviates from a specified threshold. We tested the performance of our method with traffic which was mixed by four synthetic mimicry anomalies and real-world backbone traffic. The results indicated that our method could precisely detect all synthetic anomalies. Furthermore, our method additionally revealed six real-world anomalies that were hidden in the testing backbone traffic.