DocumentCode
2420998
Title
Progressive Differential Thresholding for Network Anomaly Detection
Author
Ali, Sardar ; Khan, Hassan ; Ahmad, Muhammad ; Khayam, Syed Ali
Author_Institution
Sch. of Electr. Eng. & Comput. Sci. (SEECS), Nat. Univ. of Sci. & Technol. (NUST), Islamabad, Pakistan
fYear
2011
fDate
5-9 June 2011
Firstpage
1
Lastpage
5
Abstract
In this paper, we propose a Progressive Differential Thresholding (PDT) framework for coordinated network anomaly detection. Under the proposed framework, nodes present on a packet's path progressively encode their opinion (malicious or benign) inside a packet. Subsequent nodes on the path use the encoded opinion as side-information to adapt their anomaly detection thresholds and in turn improve their classification accuracies. Accuracy benefits of PDT are evaluated through experimental evaluations of multiple non-proprietary anomaly detectors on a publicly-available attack dataset. These evaluations indicate that, while being distributed and having negligible complexity and communication overheads, the proposed PDT framework provides considerable and consistent improvements in anomaly detection accuracy. We observe up to 54% improvements in ADS detection accuracy and up to 4 times reduction in the false alarm rates.
Keywords
security of data; classification accuracies; communication overheads; coordinated network anomaly detection; false alarm rates reduction; multiple nonproprietary anomaly detectors; progressive differential thresholding; publicly-available attack dataset; Accuracy; Complexity theory; Detectors; Entropy; IP networks; Peer to peer computing; Servers;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications (ICC), 2011 IEEE International Conference on
Conference_Location
Kyoto
ISSN
1550-3607
Print_ISBN
978-1-61284-232-5
Electronic_ISBN
1550-3607
Type
conf
DOI
10.1109/icc.2011.5963249
Filename
5963249