Anomalous packet identification for network intrusion detection

D. Summerville, N. Nwanze, V. Skormin
DOI: 10.1109/IAW.2004.1437798
Published in: Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004.
Publication date: 2004-06-10
Citations: 9

Abstract

A packet-level anomaly detection system for network intrusion detection in high-bandwidth network environments is described. The approach is intended for hardware implementation and could be included in the network interface, switch or firewall. Efficient implementation in software on a network host is also possible. Network traffic is characterized using a novel technique that maps packet-level payloads onto a set of counters using bit-pattern hash functions, which were chosen for their implementation efficiency in both hardware and software. Machine learning is accomplished by mapping unlabelled training data onto a set of two-dimensional grids and forming a set of bitmaps that identify anomalous and normal regions. These bitmaps are used as the classifiers for real-time detection. The proposed method is extremely efficient in both the offline machine learning and real-time detection components and has the potential to provide accurate detection performance due to the ability of the bitmaps to capture nearly arbitrarily shaped regions in the feature space. Results of a preliminary study are presented that demonstrate the effectiveness of the technique.
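As an added illustration of the pipeline the abstract describes, not the paper's own code or parameters: a toy Python reconstruction in which an assumed two-bit bit-pattern hash (bits 7 and 5 of each byte) maps payload bytes onto four counters, counter pairs are projected onto 16 x 16 grids, and bitmaps learned from unlabelled traffic with a minimum-hit threshold act as the real-time classifier. The hash, counter count, grid size, counter pairing, threshold and sample traffic are all assumptions made here.

```python
# Toy reconstruction of the pipeline sketched in the abstract (assumed details, not the paper's code):
# payload bytes -> bit-pattern hash -> counters -> 2-D grid cells -> learned bitmaps.
from collections import Counter

N_COUNTERS = 4                 # assumed: one counter per 2-bit hash value
GRID_SIZE = 16                 # assumed: 16 x 16 cells per grid
GRID_PAIRS = [(0, 1), (2, 3)]  # assumed: counter pairs that form each 2-D grid


def bit_pattern_hash(byte: int) -> int:
    """Assumed bit-pattern hash: bits 7 and 5 of the byte select the counter (mask + shift)."""
    return ((byte >> 6) & 0b10) | ((byte >> 5) & 0b01)


def payload_counters(payload: bytes) -> list:
    """Map a payload onto the counter set: every byte increments exactly one counter."""
    counters = [0] * N_COUNTERS
    for b in payload:
        counters[bit_pattern_hash(b)] += 1
    return counters


def grid_points(payload: bytes) -> list:
    """Project each counter pair onto its grid as length-normalised (x, y) cell coordinates."""
    counters, n = payload_counters(payload), max(len(payload), 1)
    cell = lambda c: min(GRID_SIZE - 1, c * GRID_SIZE // n)
    return [(cell(counters[i]), cell(counters[j])) for i, j in GRID_PAIRS]


def train_bitmaps(payloads, min_hits: int = 1) -> list:
    """Learn one bitmap per grid from unlabelled traffic: a cell is marked normal (bit set)
    once at least min_hits payloads land on it, so rare outliers in the training data do
    not widen the normal region. Each grid row is one int, like a hardware lookup table."""
    hits = Counter((g, xy) for p in payloads for g, xy in enumerate(grid_points(p)))
    bitmaps = [[0] * GRID_SIZE for _ in GRID_PAIRS]
    for (g, (x, y)), count in hits.items():
        if count >= min_hits:
            bitmaps[g][y] |= 1 << x
    return bitmaps


def is_anomalous(bitmaps, payload: bytes) -> bool:
    """Real-time check: one bit lookup per grid; a miss on any grid flags the packet."""
    return any((bitmaps[g][y] >> x) & 1 == 0 for g, (x, y) in enumerate(grid_points(payload)))


# Constructed sample traffic (not captured data): plain-text requests stand in for "normal".
NORMAL_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\nuser=alice",
]
```

Because the feature is a pair of counter ratios rather than byte values, the detector is insensitive to payload length and can be refreshed by retraining the bitmaps alone.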