Online Adaptive Anomaly Detection for Augmented Network Flows

Traditional network anomaly detection involves developing models that rely on packet inspection. Increasing network speeds and use of encrypted protocols make per-packet inspection unsuited for today´s networks. One method of overcoming this obstacle is flow based analysis. Many existing approaches are special purpose, i.e., limited to detecting specific behavior. Also, the data reduction inherent in identifying anomalous flows hinders alert correlation. In this paper we propose a dynamic anomaly detection approach for augmented flows. We sketch network state during flow creation enabling general purpose threat detection. We design and develop a support vector machine based adaptive anomaly detection and correlation mechanism capable of aggregating alerts without a-priori alert classification and evolving models online. We develop a confidence forwarding mechanism identifying a small percentage predictions for additional processing. We show effectiveness of our methods on both enterprise and backbone traces. Experimental results demonstrate the ability to maintain high accuracy without the need for offline training.