Anomaly Detection Using REONIT and Attack Confirmation by Neural Ensemble

P. A. Kumar, S. Selvakumar
Published in: 2011 International Conference on Computational Intelligence and Communication Networks. Publication date: 2011-10-07. DOI: 10.1109/CICN.2011.39 (https://doi.org/10.1109/CICN.2011.39). Indexed via Semantic Scholar.
Citations: 0

Abstract

With sophisticated vulnerability assessment tools publicly available on the Internet, information security breaches are on the rise every day. Existing techniques such as misuse detection methods identify packets that match a known pattern or signature. However, these methods fail to detect unknown anomalies. Hence, anomaly detection methods were used to identify the traffic patterns that deviate from the modeled normal traffic behavior. The identified anomalies could be either an attack or normal traffic. The focus in this paper is to monitor the resources of a remote server and to detect malicious traffic. This led to two contributions in this paper. The first is the design and implementation of the Remote server monitoring (REONIT) tool and the second is the confirmation of attacks by a neural ensemble. Local and remote server resources are monitored through REONIT. REONIT has been implemented using existing ideas and has the following components: an Authentication portlet to monitor the distributed resources; a Web portlet, which processes requests and generates dynamic content; RRD tool for data storage and visualization; XML for data representation in the form of graphs; and Message Alert, which warns the victim server if any eccentric traffic pattern occurs. The REONIT tool was deployed in the SSE Test bed* and the resources were monitored. The results were displayed as graphs. From the results, it is confirmed that the anomalous behavior and the high resource utilization observed in the display were due to attacks and not due to legitimate traffic.