Detecting anomalous behavior: optimization of network traffic parameters via an evolution strategy

Detecting intrusions falls into two categories: anomaly detection and misuse detection. The former refers to the detection of abnormal behavior in the use of network services and computing resources. Misuse detection, on the other hand, relies on the identification of “well defined patterns of attack that exploit” vulnerabilities in network and computer software. Most of the commercially available intrusion detection products fall into this category. They work by “mechanically... matching known patterns of attack against monitored activity” within the packet payload only. On the other hand, some intrusion detection techniques focus on “packet header information only”. Throughout academia and industry, there appears to be a lack of research in identifying probable attacks by combining the use of payload characteristics and packet header information, that is, by analyzing the entire packet. This paper addresses this void. This work poses the selection of packet information as an optimization problem for the purposes of anomaly detection. Specifically, using the characteristics of network attacks, we designed an evolution strategy (ES) that is able to detect anomalous network behavior and identify the source of the attack through the analysis of packet header and payload information. We demonstrate that evolution strategies are appropriate for those problems that require simultaneous optimization of multiple parameters in the context of network security. Preliminary results are very encouraging suggesting that network traffic can be parameterized, and, through the optimization of these parameters, evolution strategies can detect anomalous behavior in network traffic