Modular Approach for Anomaly Based NIDS

Traditional approachs for detecting novel attacks in network traffic is to model the normal frequency of session IP addresses or server port usage and signal unusual combinations of these attributes as suspicious. Rather than just modeling user behavior, current systems also model network protocols from the data link through the application layer. This helps to detect attacks that exploit vulnerabilities in the implementation of protocol stacks. In this work we describe a modular approach for network anomaly detection. Our system incorporates individual modules to analyze the network traffic at three different levels (packet, flow, protocol),. The total anomaly score is computed from the anomaly scores of the individual modules, using a weighted attribute model. We detect 147 of 185 attacks in the DARPA off-line intrusion detection evaluation data set [1] at 10 false alarms per day (total 100 false alarms), after training on one week of attack-free traffic. We investigate the performance of the system when attack free training data is not available