A hands-off approach to network intrusion detection

Yuning Ling, Marcus Rosti, Gregory Swanson
DOI: 10.1109/SIEDS.2016.7489302 (https://doi.org/10.1109/SIEDS.2016.7489302)
Published in: 2016 IEEE Systems and Information Engineering Design Symposium (SIEDS)
Publication date: 2016-04-29
Record source: Semantic Scholar
Citations: 1

Abstract

Networks are inherently vulnerable to attack, and we need dynamic detection methods to find the ever-growing number and types of attacks. We assume that the access pattern of an attacker fundamentally differs from that of benign users. If that is true, we may be able to tease out the differences in the underlying structure of attacker and normal activity. Our research investigates unsupervised clustering techniques for network intrusion detection. The data comes from our most readily available source, the University of Virginia's network traffic. Our approach collapses all of the network communication between a host-source pair into a single descriptive data point, or netflow. The extracted features are then clustered to determine the different access patterns and separate types of communications. Features extracted from the netflow will be used to devise features that summarize all the network activity of an IP node. This aggregated IP-level information is then used to cluster the IPs, which should enable us to differentiate between user groups. When a node's behavior changes by switching its associated cluster, or when it differs substantially from other similar nodes, it may reveal a compromise. This approach should allow us to identify outliers that differ significantly from the typical traffic of their corresponding cluster.