Reduction of False Alarm Rate in Detecting Network Anomaly using Mahalanobis Distance and Similarity Measure

N. Srinivasan, V. Vaidehi
DOI: 10.1109/ICSCN.2007.350764 (https://doi.org/10.1109/ICSCN.2007.350764)
Published in: 2007 International Conference on Signal Processing, Communications and Networking
Publication date: 2007-11-05
Citations: 7

Abstract

This paper describes a network anomaly detection system aimed at reducing the number of false positives and false negatives generated by conventional IDSs. A statistical model of network activity is built from packet payloads and trained on the normal behaviour of the network's user(s) over a period of time. The model is then used to detect large deviations from the expected behaviour, which indicate a security breach or a possible attack. During the training phase the system analyses the application payload of the traffic in an unsupervised manner and treats it as normal traffic; for each normal packet it computes the byte-value frequency distribution of the payload, keyed by payload length and port number. In the detection phase the Mahalanobis distance and a similarity measure are used to compare incoming data with the stored values; the distance is compared against a threshold, and an alert is generated if it exceeds that threshold. A clustering phase reduces resource consumption: the stored profile is updated with an incremental algorithm, so the model is updated continuously and stays accurate. The modelling method is completely unsupervised and tolerant to noise in the training data, and the proposed method is also resistant to mimicry attacks. The system is designed to be integrated with other detectors to mitigate their false positive rates, which improves the chances of detecting zero-day worms and new attack exploits.
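The pipeline the abstract describes (per-port, per-payload-length byte-frequency profiles, a Mahalanobis distance plus a similarity measure checked against a threshold, and an incremental profile update), shown as an added Python illustration that is not the authors' implementation. The abstract gives no formulas at this level of detail, so the diagonal-covariance form of the distance, the smoothing term ALPHA, cosine similarity as the similarity measure, the 64-byte length buckets, the Welford-style update and the margin-based threshold calibration are all assumptions of this example; the HTTP requests and the attack bytes are constructed sample input, not captured traffic.

```python
"""Payload byte-frequency anomaly detector in the style the abstract describes.

Added illustration, not the authors' code. Everything below the abstract's
level of detail is an assumption: a diagonal ("simplified") Mahalanobis
distance with a smoothing term, cosine similarity as the similarity measure,
64-byte length buckets, a Welford-style incremental profile update, and a
threshold calibrated as a margin over the distances seen on normal traffic.
"""
import math
from collections import defaultdict

ALPHA = 0.001   # smoothing added to each std so never-seen bytes do not divide by zero (assumption)
BUCKET = 64     # payload-length bucket width; profiles are keyed by (port, len // BUCKET) (assumption)


def byte_freq(payload):
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


class Profile:
    """Running mean and variance of byte frequencies for one (port, length bucket)."""

    def __init__(self):
        self.n = 0
        self.mean = [0.0] * 256
        self.m2 = [0.0] * 256       # running sum of squared deviations (Welford)

    def update(self, freq):
        """Fold one more normal packet in without storing the training packets."""
        self.n += 1
        for i, x in enumerate(freq):
            delta = x - self.mean[i]
            self.mean[i] += delta / self.n
            self.m2[i] += delta * (x - self.mean[i])

    def std(self, i):
        return math.sqrt(self.m2[i] / self.n) if self.n > 1 else 0.0

    def mahalanobis(self, freq):
        """Diagonal-covariance Mahalanobis distance: sum |x_i - mu_i| / (sigma_i + ALPHA)."""
        return sum(abs(x - self.mean[i]) / (self.std(i) + ALPHA) for i, x in enumerate(freq))

    def cosine_similarity(self, freq):
        """Cosine of the angle between the packet's byte histogram and the profile mean."""
        dot = sum(a * b for a, b in zip(freq, self.mean))
        na = math.sqrt(sum(a * a for a in freq))
        nb = math.sqrt(sum(b * b for b in self.mean))
        return dot / (na * nb) if na and nb else 0.0


class PayloadDetector:
    def __init__(self):
        self.profiles = defaultdict(Profile)
        self.threshold = math.inf        # set by calibrate()
        self.min_similarity = 0.0

    @staticmethod
    def key(port, payload):
        return (port, len(payload) // BUCKET)

    def train(self, port, payload):
        self.profiles[self.key(port, payload)].update(byte_freq(payload))

    def score(self, port, payload):
        """(distance, similarity) against the matching profile, or None if none exists."""
        prof = self.profiles.get(self.key(port, payload))
        if prof is None or prof.n < 2:
            return None
        f = byte_freq(payload)
        return prof.mahalanobis(f), prof.cosine_similarity(f)

    def calibrate(self, port, normal_payloads, margin=2.0):
        """Set thresholds from known-normal traffic: alert only well beyond what normal reaches."""
        scores = [s for s in (self.score(port, p) for p in normal_payloads) if s is not None]
        if not scores:
            raise ValueError("no profile covers the calibration traffic")
        self.threshold = margin * max(d for d, _ in scores)
        self.min_similarity = min(s for _, s in scores) / margin

    def is_anomalous(self, port, payload):
        s = self.score(port, payload)
        if s is None:
            return True                  # never-seen port/length bucket: flag it (a design choice)
        dist, sim = s
        return dist > self.threshold or sim < self.min_similarity

    def observe(self, port, payload):
        """Detection-phase packet: alert, or fold it into the profile if it looks normal."""
        anomalous = self.is_anomalous(port, payload)
        if not anomalous:
            self.train(port, payload)     # continuous, incremental profile update
        return anomalous


# Constructed sample traffic (not captured data): plain HTTP requests to port 80.
NORMAL = [b"GET /" + path + b" HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.0\r\n\r\n"
          for path in (b"index.html", b"about.html", b"news.html", b"login.html",
                       b"help.html", b"search.html", b"images/logo.png", b"style.css")]
HELD_OUT = b"GET /contact.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.0\r\n\r\n"
# A NOP-sled-like run of 0x90 followed by high-bit bytes: a byte distribution no HTTP request has.
ATTACK = b"\x90" * 48 + bytes(range(0xE0, 0xF7))


def build_detector():
    det = PayloadDetector()
    for p in NORMAL:
        det.train(80, p)
    det.calibrate(80, NORMAL)
    return det


if __name__ == "__main__":
    det = build_detector()
    for name, p in (("normal", HELD_OUT), ("attack", ATTACK)):
        dist, sim = det.score(80, p)
        print(f"{name}: distance={dist:.1f} similarity={sim:.3f} alert={det.observe(80, p)}")
```

The smoothing term matters in practice: a byte value that never occurred in training has zero variance, so without ALPHA a single occurrence would make the distance infinite and every slightly unusual but benign packet would alert. Calibrating the threshold on normal traffic with a margin is the step that keeps the false alarm rate down; the held-out request scores a little above the training set, while the attack bytes score orders of magnitude higher and share no byte values with the profile mean at all.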