DocumentCode :
393365
Title :
Detecting novel scans through pattern anomaly detection
Author :
Valdes, Alfonso
Author_Institution :
SRI Int., Princeton, NJ, USA
Volume :
1
fYear :
2003
fDate :
22-24 April 2003
Firstpage :
140
Abstract :
We introduce a technique for detecting anomalous patterns in a categorical feature (one that takes values from a finite alphabet). It differs from most anomaly detection methods used to date in that it does not require attack-free training data, and it improves upon previous methods known to us in that it is aware when it is adequately trained to generate meaningful alerts, and it models data not as normal and anomalous but as falling into one of a number of modes discovered by competitive learning. We apply the technique to port patterns in TCP sessions (the alphabet being the port numbers) and highlight interesting patterns detected in simulated and real traffic. We propose extensions where the learned pattern library can be seeded and some patterns of interest can be labeled, so that certain patterns generate an alert no matter how frequently they are observed, while others labeled benign do not generate alerts even if rarely seen. Finally, we outline a hybrid system approach to closely integrate anomaly and misuse detection, arguing that the historical dichotomy with which many researchers approach these techniques is now artificial.
Keywords :
authorisation; military computing; telecommunication traffic; transport protocols; unsupervised learning; DARPA; Defense Advanced Research Projects Agency; TCP sessions; alert generation; anomalous patterns; categorical feature; competitive learning; hybrid system; learned pattern library; misuse detection; novel scans; pattern anomaly detection; pattern labelling; port patterns; traffic; Contracts; Distribution functions; Government; Intrusion detection; Libraries; Subcontracting; Telecommunication traffic; Trademarks; Traffic control; Training data;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
DARPA Information Survivability Conference and Exposition, 2003. Proceedings
Print_ISBN :
0-7695-1897-4
Type :
conf
DOI :
10.1109/DISCEX.2003.1194880
Filename :
1194880