  • DocumentCode
    2396285
  • Title
    Flow-based Statistical Aggregation Schemes for Network Anomaly Detection
  • Author
    Song, Sui ; Ling, Li ; Manikopoulo, C.N.

  • Author_Institution
    Dept. of Electr. Eng., New Jersey Inst. of Technol., Newark, NJ
  • fYear
    0
  • fDate
    0-0 0
  • Firstpage
    786
  • Lastpage
    791
  • Abstract
    In this paper, we present novel flow-based statistical aggregation schemes (FSAS) for network anomaly detection. An IP flow is a unidirectional series of IP packets of a given protocol, traveling between a source and a destination within a certain period of time. Based on the "flow" concept, we developed a flow-based aggregation technique that dramatically reduces the amount of monitoring data and handles high volumes of statistics and packet data. FSAS sets up flow-based statistical feature vectors and reports them to a neural network classifier. The neural classifier uses back-propagation networks to classify the score metric of each flow. FSAS can detect both bandwidth-type DoS and protocol-type DoS. Moreover, a flow here can be any set of packets sharing a certain common property as its "flow key". FSAS configures flows flexibly to provide security from the network level to the application level (IP, TCP, UDP, HTTP, FTP, ...) and supports different aggregation schemes, such as server-based and client-based flows. This novel IDS has been evaluated using DARPA 98 data and CONEX test-bed data. Results show success in terms of the different aggregation schemes for both datasets.
  • Keywords
    IP networks; backpropagation; neural nets; security of data; statistical analysis; transport protocols; CONEX test-bed data; DARPA 98 data; FTP; HTTP; IDS; IP; IP flow; IP packets; TCP; UDP; back-propagation networks; bandwidth type DOS; client-based flow; flow key; flow-based statistical aggregation schemes; flow-based statistical feature vectors; monitoring data; network anomaly detection; neural network classifier; packet data; protocol type DOS; score metric; server-based flow; unidirectional series; Data security; Fluid flow measurement; Internet; Intrusion detection; Monitoring; Neural networks; Protocols; Statistics; Telecommunication traffic; Traffic control; Aggregation; Flow; Network Intrusion Detection System; Neural Network Classifier;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Networking, Sensing and Control, 2006. ICNSC '06. Proceedings of the 2006 IEEE International Conference on
  • Conference_Location
    Ft. Lauderdale, FL
  • Print_ISBN
    1-4244-0065-1
  • Type
    conf

  • DOI
    10.1109/ICNSC.2006.1673246
  • Filename
    1673246