MCAD: Multiple connection based anomaly detection

Xin He and Sri Parameswaran
School of Computer Science and Engineering, University of New South Wales, and National ICT Australia (NICTA), Sydney, Australia
Email: [email protected]

Abstract—This paper describes a novel multi-connection based anomaly detection system. Previous techniques consume enormous amounts of time either in pre-processing features (unsupervised anomaly detection) or in the lead time needed to create specialized rules (supervised anomaly detection). The system described in this paper, MCAD, uses the observed premise that anomalous connections made by one attacker are very similar to each other (e.g. an attacker will use similar connections to probe a network). MCAD tests for similarity amongst connections within clustered groups, and if the similarity of the connections in a group is above a predetermined threshold, those connections are deemed anomalous. MCAD was tested on two weeks of the MIT/LL DARPA dataset; the total number of connections tested was over a million. From this testing, MCAD detected 15 types of multiple connection based attacks: 14 types were fully detected, while the 15th was detected 2/3 of the time. The false positive rate was 0.466%.

I. INTRODUCTION

Network security is increasingly of concern to researchers as the Internet continues to grow in volume of traffic, complexity and capability. Network Intrusion Detection Systems protect information resources in an inter-networked system, alerting the user to any suspicious activity. Anomaly detection is a popular intrusion detection method which does not require the creation of signatures for each known attack. Anomaly detection can be divided into supervised anomaly detection [20][22] and unsupervised anomaly detection [27]. Both are based on statistical learning: known learning techniques are applied to network traffic to extract salient features and compute statistics that reveal anomalies. Supervised anomaly detection methods require long periods of purely attack-free data as a training set, whereas unsupervised anomaly detection methods need to select and summarize features from the available network traffic before detection (i.e., pre-process the data).

A TCP connection consists of several packets, each of which has a header and a payload. Attacks can be perpetrated over a single connection or over multiple connections [13]. A single-connection based attack involves only one connection, whereas a multiple-connection based attack involves multiple connections (bursts of connections) [14]. In this paper we propose MCAD, a novel multiple connection based anomaly detection system which detects attacks carried out over multiple TCP connections. Multiple connection based attacks include denial of service attacks, one of the significant problems in network security [8][23], as well as many probe attacks [7][12], password-guessing attacks and so on. The system we built needs neither attack-free training data (as in supervised learning) nor pre-processed complex feature selection (as in unsupervised learning).¹

The work in this paper relies on the premise that multiple connection based attacks are usually perpetrated using identical or similar connections. Unlike unsupervised learning, which requires examining millions of packets to summarize features before intrusions can be detected, MCAD relies only upon the header information of a handful of connections. MCAD groups connections together based on source, destination and number of packets, compares the connections within each group with each other, and if there is substantial similarity between the connections within a group, the group is deemed abnormal (this work uses a minimum of three connections to form a group, though higher minimum values could also be used). A series of experiments on Lincoln Lab's 1999 DARPA dataset [2][3][18] (the latest dataset that classifies multiple connection based attacks in detail) demonstrate that the MCAD system has a high detection rate and a low false alarm rate. We analyzed and evaluated the parameters of the system to determine which of them affect detection performance. We also use a 2007 CAIDA dataset to compare the behaviour of DDoS (Distributed Denial of Service) attacks and non-DDoS traffic.

¹ Complex feature selection means that parameters (features) that are not readily available in the packet are derived from multiple packets, multiple connections, time and so on. For example, one such feature might be the number of connections per time period through a particular port. Deriving such features is complex and time consuming.

1-4244-2424-5/08/$20.00 ©2008 IEEE
ICCS 2008

Paper Organization: The outline for the remainder of this paper is as follows. Section II describes related work. Section III describes the multiple connection based anomaly detection approach. Section IV shows how the anomaly detection system is implemented and simulated. Section V evaluates the performance of the approach and provides results. Finally, Section VI concludes the paper.

II. RELATED WORK

Network anomaly detection can be divided into two kinds: supervised and unsupervised. Supervised anomaly detection requires attack-free data for training the system. ADAM [6] and NIDES [4] are frequency-based anomaly detectors. They develop models of the normal traffic distribution over addresses and ports during a training phase which uses attack-free data. ADAM is a classifier which uses data mining techniques to detect attacks; during the execution phase, ADAM runs a sliding window and detects anomalies whenever packets do not match the created model. NIDES is similar to ADAM, but in addition distinguishes between short-term and long-term behaviour.

Mahoney et al. [20][21][22] proposed supervised anomaly detection approaches which use time-based models (i.e., the probability of an event happening given the time since it last occurred). PHAD (Packet Header Anomaly Detector) differs from ALAD (Application Layer Anomaly Detector) in the attributes (such as acknowledgment number, payload etc.) used to monitor packets. LERAD (Learning Rules for Anomaly Detection) [21] automatically generates rules from training data to find the relationships between different attributes. Similarly, Barbara et al. [6] and Qin et al. [25] generate association rules and frequent episode rules for supervised Internet anomaly detection. Supervised anomaly detection methods [6][19][21] need purely attack-free datasets. Such data is hard to obtain: filtering out the anomalies is time consuming and expensive, and even after taking precautions some dirty packets may still linger in the training dataset [10].

To solve this problem of reduced reliability, unsupervised anomaly detection methods were proposed. Unsupervised anomaly detection does not require purely attack-free training data. Instead, it detects intrusions from normal data (i.e., traffic containing attacks mixed into the normal traffic). Two assumptions underpin unsupervised anomaly detection: one, the majority of the traffic is normal; and two, attacks statistically deviate from normal traffic [17]. Unsupervised anomaly detection can be categorized into probability-based anomaly detection [10], distance-based anomaly detection [11][17][26][27][31] and multi-dimensional anomaly detection [28]. Examples of distance-based anomaly detection include kernel distance-based anomaly detection [11], clustering based anomaly detection [27] and k-th nearest neighbour (k-NN) anomaly detection [17]. Eskin et al. [11] presented a geometric framework for unsupervised anomaly detection using a kernel function. In their framework, data elements are mapped to a feature space, and anomalies are detected by determining which points lie in sparse regions of that space. Clustering methods group instances into different sets, and such clusters are used within distance-based anomaly detection systems [27][31]. For each instance in the dataset, the system calculates the distance to the centroid of each cluster and assigns the instance to the closest cluster. If the ratio between the number of instances in a specific cluster and the number of instances in the whole dataset is less than a given threshold, that cluster is declared abnormal. Mining outliers using the distance to the k-th nearest neighbour is proposed in [17][26]. These approaches compute the sum of the Euclidean distances from an instance to its k nearest neighbours to decide whether the instance lies in a sparse region of the data.

However, traditional unsupervised anomaly detection methods need pre-processing to extract and summarize features from the network data [14][15][16][30]. Extracting traffic details from the observed data is time consuming and difficult to implement on-line [24][26]. Anomaly detection methods classify packets according to multiple fields. Some approaches look at the packet header only [20][29]; the benefit of examining just the header is that it avoids the need to analyze upper layer protocols such as HTTP and FTP, which reduces complexity. Other approaches look at both the packet header and the packet payload [19][21][32]. Our multiple connection based detection method is an improved unsupervised anomaly detection method. Unlike traditional unsupervised anomaly detection systems, which rely on pre-processed data, MCAD relies only on values from the TCP and IP headers of each incoming connection; nor does MCAD rely on attack-free data (as in supervised learning).

A. Contributions

• For the first time, a method has been proposed which examines the similarity of connections to identify anomalies in multiple TCP connections;
• an Anomaly Metric has been proposed which gives a numerical value for the similarity of connections; and
• a system of divisions has been proposed to detect disparate attacks.

III. METHODOLOGY

A. Overview

Attackers create multiple connections to access many machines (for example, to probe for confidential information), or establish many connections to consume computing resources and make a system unavailable to its intended users. Two observations underpin the work in this paper. The first is that the number of packets in an attack connection is limited (usually less than 50). This observation is supported by the extensive data we have examined. The second is that malicious connections are similar to one another, mainly because these connections are automated; this observation is also relied upon by most builders of signature based systems [5]. Figure 1 illustrates that the number of packets in attack connections is limited (never more than 50 in the training dataset). If a mathematical measure can be created to detect the similarity between connections, then such attack connections can be detected automatically.

Fig. 1. Attacks Distribution

B. Features

Our network anomaly detection method focuses on TCP connections only. IP destination address (IPdst), IP source address (IPsrc), TCP destination port (TCPdst) and TCP source port (TCPsrc) are the axis features which identify a connection [25]. Other features, named character features, are used to describe the behaviour of packets and connections. These character features are Acknowledgement Number (ACK), Sequence Number (SEQ), Window Size (WIN), Flags (FLG), Time to Live (TTL), Total Length (TLEN), Identification (ID) and Header Checksum (CHE).

C. Approaches

The flow chart in Figure 2 shows the design of MCAD, the multiple connection based anomaly detection approach. There are three phases. The first phase filters out connections with too many packets (since connections with a large number of packets are usually not attacks). The second phase groups connections into separate sets based on the axis features and the number of packets in each connection. Finally, the third phase measures the similarity of the connections within each group to decide whether the group is anomalous.

Fig. 2. Design Flow Chart (Filtering: packets are filtered into connections, and a connection whose packet count is not below J is not considered for detection. Grouping: connections with the same number of packets are grouped into three divisions, namely same IPsrc and TCPsrc but different IPdst; same IPsrc and IPdst but different TCPdst; and same IPsrc, IPdst and TCPdst. Computing: Anomaly Metrics S1, S2 and S3 are computed for the three divisions and each group is declared Anomaly or Normal.)

These phases are explained in greater detail below.

Step 1: The system checks the number of packets in each incoming connection. If the number is less than the Strobe Threshold (J), the connection is considered. Note that the choice of this threshold value may affect the detection rate (or false negative alarm rate). Using Figure 5, we chose J to be 50.

Step 2: MCAD separates connections based on the axis features in the following way.
1) The first division contains connections which have the same number of packets, same IPsrc and same TCPsrc, but different IPdst. Connections with an identical number of packets, IPsrc and TCPsrc but different IPdst are grouped together; a number of groups will be identified within this division. Such a separation is typical of Distributed Denial of Service attacks.
2) The second division contains connections which have the same number of packets, same IPsrc and same IPdst, but different TCPdst. As in the first division, a number of groups will be identified, each with identical IPsrc and IPdst but different TCPdst. This division targets the attacks classified as D2 in Table II.
3) The third division contains connections which have the same number of packets, same IPsrc, same IPdst and same TCPdst. Again a number of groups will be identified, each with identical IPsrc, IPdst and TCPdst. This division targets the attacks classified as D3 in Table II.²
Note that the same connection might fall into more than one division. Within a Time Window, each incoming connection is allocated to the divisions above.

Step 3: After grouping connections, we extract the character features from the packets of each group. From these features we calculate the Anomaly Metric, which gives a measure of the similarity between the connections within a group.

² TCPsrc in division two and division three does not include well-known ports, such as 80, 22, 23, etc.

Algorithm 1: Anomaly Metric S_G Calculation
Input: C, P, ρ; Output: Anomaly Metric S_G
cf ⇐ 0
for i = 1 to I do
    cp ⇐ 0
    for n = 1 to N do
        h ⇐ 0
        for all m such that 1 ≤ m ≤ M do
            read character feature ρ_in from C_m
        end for
        h ⇐ number of connections in C holding the most frequent value of ρ_in
        cp ⇐ cp + h        {cp is the summation of h}
    end for
    cf ⇐ cf + cp           {cf is the summation of cp}
end for
S_G ⇐ cf / (M · N · I)

Algorithm 1 depicts the calculation of the Anomaly Metric S_G (0 ≤ S_G ≤ 1), where C (C_m, 1 ≤ m ≤ M) is a set of connections; P (P_n, 1 ≤ n ≤ N) is the set of packets in a connection; ρ (ρ_i, 1 ≤ i ≤ I) is the set of character features in a packet; M is the total number of connections in a group; N is the total number of packets in a connection; I is the total number of character features chosen per packet; and ρ_in is the value of the i-th character feature of the n-th packet of a connection C_m. For example, suppose there are 10 connections with 11 packets each, and the ACK of the second packet (n = 2) of each connection is extracted and examined. Say the ACK values for the 2nd packet are 1, 1, 1, 20, 30, 40, 50, 1, 1, 1. Six packets have the same value at this packet arrival position, so the comparison value h is 6. If the values were instead 1, 1, 1, 30, 30, 30, 30, 1, 1, 1, then four packets share the value 30 and six share the value 1; h is six rather than four, because we always take the count of the most frequent value. If at every packet arrival position every character feature has the same value across the whole group, the Anomaly Metric for the group is 1 (S_G = 1): the connections in the group are identical. Conversely, if at every position every connection carries a different value, h = 1 everywhere and the Anomaly Metric takes its minimum value of 1/M (close to 0 for large groups): the connections in the group are completely dissimilar. Figure 8 is used to decide a threshold S (close to 1) for judging the similarity of abnormal connections within a group. Since three divisions are used to cluster groups, the threshold values S1, S2 and S3 for the divisions differ. When the Anomaly Metric of a group exceeds its threshold S, the connections in the group are declared anomalous.

IV. EXPERIMENTAL SETUP

We use the 1999 DARPA dataset provided by Lincoln Lab. Data from 11 days (one attack-free day and two weeks of normal data containing attacks) are used in our experiment. Two days of data (Week 4 Monday and Week 4 Tuesday), which are not attack-free, were used for training: in normal use MCAD needs no training, but for initial use we needed to decide on the threshold values, and the data from these two days were used to find them. The other nine days of data were used for testing.

Fig. 3. Simulation Design Flow (Ethereal → TCP/IP Packets Filter → Connection Filter → Strobe → Detector for Division 1, Division 2 and Division 3)

Fig. 4. Time Window Comparison

Fig. 5. Calculation on Threshold Value for Strobe (false negative alarm rate, %, versus amount of packets, training dataset)

MCAD was implemented in Perl. The simulation design flow is shown in Figure 3. The packet headers are captured and extracted (using Ethereal). They are divided into segments based on a Time Window, which is bounded by a number of consecutive incoming packets in time sequence. Two Time Window sizes were used: a 10,000-packet Time Window and a 100,000-packet Time Window. Figure 4 shows that the smaller Time Window size gives better results, with a lower false positive alarm rate [9].³

$$\text{DetectionRate} = \frac{TP}{TP + FN} \quad (1)$$

$$\text{FalsePositiveAlarmRate} = \frac{FP}{TN + FP} \quad (2)$$

$$\text{FalseNegativeAlarmRate} = \frac{FN}{TP + FN} \quad (3)$$

³ True Positive (TP) is the number of attacks correctly classified as malicious; True Negative (TN) is the number of benign connections correctly classified as benign; False Positive (FP) is the number of benign connections falsely classified as malicious; False Negative (FN) is the number of attacks falsely classified as benign.

Our MCAD system only inspects TCP/IP packets, so a filter (the TCP/IP Packets Filter) was created which removes non-TCP packets (such as ICMP and UDP packets). A second filter (the Connection Filter) assigns packets to their corresponding connections (i.e., picks the packets belonging to the same connection out of the multitude of packets). The Strobe in Figure 3 stops a connection when the number of packets in it exceeds the Strobe Threshold value J: if a connection has more than J packets, it does not go through the Detector. The incoming connections are first clustered by number of packets (Amount of Pkts) and then assigned to the three divisions. After that, the system computes the Anomaly Metric (AM) for each group of connections within each division.
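The pipeline just described (Strobe filter, grouping into the three divisions of Step 2, and the Anomaly Metric of Algorithm 1) as an added worked example in Python. This is not the authors' Perl implementation and the traffic is constructed, not taken from the DARPA dataset. Several details the paper leaves open are filled in and marked ASSUMPTION in the code: the Division 1 threshold S1 (set to 0.95 like S2), the reading of footnote 2 as "skip connections whose TCPsrc is a well-known port", the rule that a Division 1 or 2 group must span at least three distinct values of its differing field, and the use of relative rather than absolute ACK/SEQ values.

```python
"""MCAD pipeline, as an added worked example (not the authors' Perl implementation):
Strobe filtering (Step 1), the three divisions (Step 2) and the Anomaly Metric of
Algorithm 1 (Step 3), run over constructed traffic. ASSUMPTION marks details the
paper does not state."""
from collections import Counter, defaultdict
from dataclasses import dataclass

STROBE_J = 50                              # Strobe Threshold J (Fig. 5)
MIN_GROUP = 3                              # paper: at least three connections per group
THRESHOLDS = {1: 0.95, 2: 0.95, 3: 0.85}   # S2, S3 from Fig. 8; S1 = 0.95 is an ASSUMPTION
CHARACTER_FEATURES = ("ACK", "SEQ")        # the pair selected in Fig. 7
WELL_KNOWN_PORT_MAX = 1023                 # ASSUMPTION: reading of footnote 2

@dataclass
class Connection:
    ipsrc: str
    tcpsrc: int
    ipdst: str
    tcpdst: int
    packets: list   # one dict of character-feature values per packet, in arrival order

def strobe_filter(conns, j=STROBE_J):
    """Phase 1: only connections with fewer than J packets are considered."""
    return [c for c in conns if len(c.packets) < j]

def group_connections(conns, division):
    """Phase 2: cluster by packet count plus the division's axis features."""
    def key(c):
        n = len(c.packets)
        if division == 1:
            return (n, c.ipsrc, c.tcpsrc)        # members differ in IPdst (DDoS shape)
        if division == 2:
            return (n, c.ipsrc, c.ipdst)         # members differ in TCPdst (scans)
        return (n, c.ipsrc, c.ipdst, c.tcpdst)   # identical 4-tuple (guessing, floods)
    varying = {1: lambda c: c.ipdst, 2: lambda c: c.tcpdst}.get(division)
    groups = defaultdict(list)
    for c in conns:
        # footnote 2: D2/D3 skip well-known TCPsrc (ASSUMPTION: i.e. server-side flows)
        if division in (2, 3) and c.tcpsrc <= WELL_KNOWN_PORT_MAX:
            continue
        groups[key(c)].append(c)
    kept = {}
    for k, members in groups.items():
        # ASSUMPTION: "different IPdst/TCPdst" means that field spans >= MIN_GROUP values
        if len(members) < MIN_GROUP or (varying and len({varying(c) for c in members}) < MIN_GROUP):
            continue
        kept[k] = members
    return kept

def anomaly_metric(group, features=CHARACTER_FEATURES):
    """Algorithm 1: S_G = (sum over features i and packet positions n of h) / (M*N*I),
    where h is the count of the most frequent value of feature i at position n across
    the M connections. S_G = 1 means identical connections; the floor is 1/M."""
    m, n = len(group), len(group[0].packets)
    cf = 0
    for feat in features:
        for pos in range(n):
            values = [c.packets[pos][feat] for c in group]
            cf += Counter(values).most_common(1)[0][1]   # h
    return cf / (m * n * len(features))

def detect(conns):
    """Phases 1-3 over all three divisions -> {(division, group key): (S_G, verdict)}."""
    considered = strobe_filter(conns)
    results = {}
    for division in (1, 2, 3):
        for k, members in group_connections(considered, division).items():
            s = anomaly_metric(members)
            results[(division, k)] = (s, "anomaly" if s > THRESHOLDS[division] else "normal")
    return results

def pk(ack, seq, win=8192, tlen=60):
    return {"ACK": ack, "SEQ": seq, "WIN": win, "TLEN": tlen}

def sample_connections():
    """Constructed traffic (not DARPA data); ACK/SEQ are relative values by ASSUMPTION."""
    conns = []
    # (a) scripted telnet password guessing: four near-identical 4-packet connections to port 23
    guess = [pk(0, 1), pk(1, 1), pk(1, 1), pk(1, 9)]
    for i, sport in enumerate((40001, 40002, 40003, 40004)):
        pkts = [dict(p) for p in guess]
        if i == 3:
            pkts[3]["ACK"] = 2                   # one deviating field, so S_G < 1
        conns.append(Connection("10.0.0.5", sport, "172.16.1.2", 23, pkts))
    # (b) port sweep: five identical 3-packet probes against different ports of one host
    probe = [pk(0, 1), pk(1, 1, tlen=52), pk(1, 2, tlen=40)]
    for sport, dport in zip(range(41001, 41006), (21, 22, 25, 110, 143)):
        conns.append(Connection("10.0.0.5", sport, "172.16.1.2", dport, [dict(p) for p in probe]))
    # (c) flood from one fixed source port to three victims: the Division 1 shape
    for victim in ("172.16.1.3", "172.16.1.4", "172.16.1.5"):
        conns.append(Connection("10.0.0.9", 1234, victim, 80, [pk(0, 1), pk(0, 1)]))
    # (d) three ordinary HTTP fetches: identical 4-tuple shape, but ACK/SEQ vary per fetch
    for sport, a, s in ((50001, 500, 1000), (50002, 1200, 2000), (50003, 76, 3000)):
        conns.append(Connection("10.0.0.7", sport, "172.16.1.9", 80,
                                [pk(0, s), pk(1, s + 1), pk(a + 1, s + 1), pk(a + 2, s + 350)]))
    # (e) one long file transfer (60 packets): dropped by the Strobe
    conns.append(Connection("10.0.0.7", 50010, "172.16.1.9", 80, [pk(i, i) for i in range(60)]))
    return conns
```

Calling `detect(sample_connections())` yields four groups: the telnet burst lands in Division 3 with S_G = 31/32 (one ACK value deviates at the fourth packet position), the port sweep in Division 2 and the flood in Division 1 both score 1.0, and the three HTTP fetches form a Division 3 group with S_G = 0.5, which stays below S3 = 0.85 and is reported normal. The 60-packet transfer never reaches the detector. The same `anomaly_metric` function, called with a different `features` tuple, is what Section IV's feature-selection step computes per feature and per combination.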

Fig. 6. Feature Selection One

Before detection, we selected eight character features to describe each packet in a connection: ACK, SEQ, WIN, FLG, TTL, TLEN, ID and CHE. To find the most appropriate character features for detection, the Anomaly Metric was computed for each of them. Figure 6 plots Number of Connections (No. of Conn.) vs. Anomaly Metric for each of these character features. ID and CHE do not produce any significant Anomaly Metric, and as such should not be used for detection. The character features TTL and FLG always give a large Anomaly Metric value, and thus should not be used either. We therefore further consider the remaining character features ACK, SEQ, WIN and TLEN.

To examine the distribution of the remaining character features ACK, SEQ, WIN and TLEN, combinations of these features were plotted. Figure 7 plots the Number of Connections vs. the Anomaly Metric; each line in the plot gives the Anomaly Metric for one combination of features. The combinations considered were all possible combinations of ACK, SEQ, WIN and TLEN (i.e., ACK+SEQ, ACK+WIN, ACK+TLEN, SEQ+WIN, SEQ+TLEN, WIN+TLEN, ACK+SEQ+WIN, ACK+SEQ+TLEN, ACK+WIN+TLEN, SEQ+WIN+TLEN and ACK+SEQ+WIN+TLEN). In Figure 7, ACK is referred to as A, WIN as W, TLEN as T and SEQ as S; thus ACK+SEQ+TLEN is referred to as AST. Since our underlying assumption is that the number of anomalous connections is very small in comparison to the total number of connections, we have to find a feature combination for which the area under the curve beyond the threshold is small. As we expect the similarity to be high for anomalous connections, the threshold Anomaly Metric must be close to 1. Thus we want the distribution which yields the smallest number of connections (i.e., the smallest area under the curve to the right of the threshold value in Figure 7) when the threshold value is high; for this to be as small as possible, the peak has to be on the left side of the plot. We therefore select the character features ACK+SEQ (with the leftmost peak) to detect anomalies.

Fig. 7. Feature Selection Two

The threshold value for the Anomaly Metric was chosen by plotting False Negative and False Positive percentages vs. Anomaly Metric (see Figure 8). As can be seen in Figure 8, the Division 2 false positive rate plateaus at 0.95, where the false negatives are seen to increase rapidly; hence 0.95 was chosen as the threshold value S2 for Division 2. Likewise, 0.85 was chosen as the threshold value S3 for Division 3.

Fig. 8. Calculation on Threshold Value of Anomaly Metric

Note that Division 1 was designed to detect Distributed Denial of Service (DDoS) attacks. Since we did not have a dataset which clearly classified the dirty connections, it is difficult to calculate a threshold value for it. However, the CAIDA backscatter dataset [1], a well known DDoS dataset, was shown to have a high Anomaly Metric when grouped under Division 1. This high Anomaly Metric shows that a similarity method such as ours is a good way of detecting DDoS attacks as well. To illustrate the number of DDoS attacks in the CAIDA dataset in comparison to the DARPA dataset, Figure 9 plots the Number of Connections (grouped by Division 1) vs. Anomaly Metric for the DARPA and CAIDA datasets, 100,000 connections each. There are a total of 3,042 connections grouped by Division 1 in the DARPA set, while there are 84,665 in the CAIDA set. Since the Anomaly Metric for the CAIDA dataset is all above 0.95, it can safely be assumed that most of these connections are DDoS attacks.

Fig. 9. Comparison on DARPA and CAIDA

V. EVALUATION AND RESULT

A. Resources of filtered packets

Table I shows the number of filtered connections. There are a total of 35,763,317 incoming packets, and 1,181,334 TCP connections are filtered from the 11 days of simulation data. The Week 4 Monday and Week 4 Tuesday data are used as the training set to determine threshold values. The total number of connections considered for MCAD detection is 1,146,940, which is 97% of all connections from this dataset; the other 3% were connections with more than 50 (J = 50) packets.⁴

TABLE I
CONNECTION FILTERING

Data Set    Unfiltered packets    Filtered TCP connections    MCAD
Training         4,236,357                  56,616              54,604
Testing         31,526,960               1,124,718           1,092,336
Total           35,763,317               1,181,334           1,146,940

⁴ In total, 1,967,434 TCP connections were filtered from the DARPA99 dataset. The Filtered TCP connections and MCAD connections in Table I are the connections clustered by Division two and Division three.

B. Detected Accuracy

Table II summarizes the detected attacks. The first column lists the name of the attack. The second column shows which Division the attack belongs to. The third column displays the number of occurrences of the listed attack in the data set. The number of attacks detected by MCAD is listed in column four. The fifth column gives the number of connections MCAD deemed anomalous.

TABLE II
DETECTION OF ATTACKS

Attack             Division    No.    Detected No.    Conn. of Concern
guesstelnet        D3           5          5                  57
guessftp           D3           2          2                  75
guesspop           D3           1          1                  28
guest              D3           3          3                  21
dict               D3           1          1                  40
back               D3           5          5                 123
Apache2            D3           5          5                 239
sshprocesstable    D3           1          1                 501
processtable       D3           3          3                 620
mailbomb           D3           4          4               2,220
mscan              D3           2          2              54,108
satan              D2+D3        2          2              19,166
neptune            D2+D3        7          7             168,226
ipsweep            D2           1          1                 195
portsweep          D2          15         10                 426

There were a total of 15 types of TCP based multiple connection attacks. Note that the ipsweep here is actually carried out using a port sweep rather than ping, which is why a TCP based system is able to pick it up. MCAD detects 100% of the multiple connection TCP attacks except for portsweep attacks [2][3]. Our Detection Rate is 91.2% (TP = 52 attacks and FN = 5 at Anomaly Metric 0.85). The reason for the partial failure to detect portsweep attacks is that the number of connections involved is very small (e.g. 5); such connections mix with other connections in a group and erroneously yield a low Anomaly Metric. The false positive rate is derived from the nine-day testing set. Our anomaly detection system provides an overall low false positive alarm rate (false alarm rate) of only 0.466% (TN = 842,344 connections and FP = 3,947 connections at Anomaly Metric 0.85).

Due to the way others have presented results and used datasets, it is not easy to perform a direct comparison. However, we have made the following broad comparisons. Lazarevic et al. [14] give a study of anomaly detection schemes for multiple connection detection (using the DARPA'98 dataset). Four detection techniques were evaluated: the LOF approach, the NN approach, the Mahalanobis approach and Unsupervised SVM. At the lowest false alarm rate (around 1%), the detection rates (for 6 types of multiple TCP connection based attacks) are 30%, 26% and 13% for LOF, NN and Mahalanobis respectively. The LOF approach can achieve almost 100% detection if an 8% false alarm rate is tolerated; NN can achieve 82% detection (8% false alarm rate); the best detection rate for Mahalanobis is 75% with a 12% false alarm rate; and Unsupervised SVM has a 95% detection rate when the false alarm rate reaches 12%. MCAD achieves complete detection for all attacks listed in Table II other than portsweep, at a false alarm rate of just 0.466%. Table III shows the comparison with the other methods for multiple connection based attack detection.

TABLE III
ANOMALY DETECTION APPROACHES

Detection Method      Attack Types    Total No.    Detected No.
LOF                         6             12             8
NN                          6             12             9
Mahalanobis-based           6             12             6
Unsupervised SVM            6             12            11
MCAD                       15             57            52

VI. DISCUSSION AND CONCLUSIONS

In this paper we proposed a multiple connection based anomaly detection (MCAD) method. MCAD focuses on detecting multiple connection based attacks, which include Denial of Service attacks, probe attacks etc. The method needs neither attack-free data nor pre-processing to extract features; the features used by MCAD come from the packet header only. We simulated MCAD and obtained a 0.466% false positive alarm rate over nine days of testing data. MCAD also accurately detected all attacks except for some portsweep attacks, which contain a very small number of connections.

Since the proposed detection mechanism relies on the number of packets in an attack connection being limited (in this case less than 50), an attacker might pad connections with dummy packets; this is a problem we seek to address in the future. A related problem is an attacker who continuously changes the parameters used in the attack so that this system cannot pick it up; this is another problem we will strive to solve in the near future. The false alarm rate is mainly due to requests to popular HTTP pages, which have similar patterns. Such packets could be filtered out before detection.

REFERENCES

[1] Backscatter-2007 data, 2007. Available at: http://data.caida.org.
[2] Detection scoring truth, 2007. Available at: http://www.ll.mit.edu/IST/ideval/docs/1999/master-listfilecondensed.txt.
[3] Identification scoring truth, 2007. Available at: http://www.ll.mit.edu/IST/ideval/docs/1999/master identifications.list.
[4] D. Anderson, T. Frivold, A. Tamaru, and A. Valdes. Next-generation intrusion detection expert system (NIDES), software users manual, beta-update release. Technical Report SRI-CSL-95-07, Computer Science Laboratory, SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025-3493, May 1994.
[5] S. Axelsson. Intrusion detection systems: A survey and taxonomy. Technical Report 1999-15, 2000.
[6] D. Barbara, J. Couto, S. Jajodia, and N. Wu. ADAM: Detecting intrusion by data mining. In 2001 IEEE Workshop on Information Assurance and Security, 2001.
[7] J. Caberera, B. Ravichandran, and R. Mehra. Statistical traffic modeling for network intrusion detection. In 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, 2000.
[8] C. Douligeris and A. Mitrokotsa. DDoS attacks and defense mechanisms: a classification. In Proceedings of the 3rd IEEE International Symposium on Signal Processing and Information Technology, 2003.
[9] W. Chimphlee, A. H. Abdullah, M. N. M. Sap, S. Chimphlee, and S. Srinoy. Unsupervised clustering methods for identifying rare events in anomaly detection. Proceedings of World Academy of Science, Engineering and Technology, 8:253–258, 2005.
[10] E. Eskin. Anomaly detection over noisy data using learning probability distributions. In Proceedings of the International Conference on Machine Learning (ICML), 2000.
[11] E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo. A geometric framework for unsupervised anomaly detection: Detecting intrusions in unlabeled data. In Applications of Data Mining in Computer Security, 2002.
[12] S. Jin, D. S. Yeung, X. Wang, and E. C. C. Tsang. A feature space analysis for anomaly detection. In 2005 IEEE International Conference on Systems, Man and Cybernetics, 2005.
[13] K. Kendall. A database of computer attacks for the evaluation of intrusion detection systems. Master's thesis, MIT Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, 1999.
[14] A. Lazarevic, A. Ozgur, L. Ertoz, J. Srivastava, and V. Kumar. A comparative study of anomaly detection schemes in network intrusion detection. In Proceedings of the Third SIAM International Conference on Data Mining, 2003.
[15] W. Lee and S. Stolfo. Data mining approaches for intrusion detection. In 7th USENIX Security Symposium, San Antonio, TX, 1998.
[16] K. Leung and C. Leckie. Unsupervised anomaly detection in network intrusion detection using clusters. In Proc. 28th Australasian Computer Science Conference, volume 38 of CRPIT, 2005.
[17] Y. Li, B. Fang, L. Guo, and Y. Chen. Network security: Network anomaly detection based on TCM-KNN algorithm. In ASIACCS '07. ACM Press, 2007.
[18] R. Lippmann, J. Haines, D. Fried, J. Korba, and K. Das. The 1999 DARPA off-line intrusion detection evaluation. Computer Networks: The International Journal of Computer and Telecommunications Networking, 34(4), 2000.
[19] M. Mahoney. Network traffic anomaly detection based on packet bytes. In Proceedings of the 2003 ACM Symposium on Applied Computing, 2003.
[20] M. Mahoney and P. Chan. PHAD: Packet header anomaly detection for identifying hostile network traffic. Technical Report CS-2001-4, Florida Tech., 2001.
[21] M. Mahoney and P. Chan. Learning models of network traffic for detecting novel attacks. Technical Report 2002-08, 2002.
[22] M. Mahoney and P. Chan. Learning nonstationary models of normal network traffic for detecting novel attacks. In 8th ACM SIGKDD, 2002.
[23] A. Mitrokotsa and C. Douligeris. Detecting denial of service attacks using emergent self-organizing maps. In Proceedings of the Fifth IEEE International Symposium on Signal Processing and Information Technology, 2005.
[24] C. Noble and D. Cook. Graph-based anomaly detection. In Proceedings of KDD-03, 2003.
[25] M. Qin and K. Hwang. Frequent episode rules for Internet anomaly detection. In the Third IEEE International Symposium on Network Computing and Applications (NCA), 2004.
[26] S. Ramaswamy, R. Rastogi, and K. Shim. Efficient algorithms for mining outliers from large data sets, 2000.
[27] R. Rouil, N. Chevrollier, and N. Golmie. Unsupervised anomaly detection system using next-generation router architecture. In MILCOM 2005. Advanced Network Technologies Division, 2005.
[28] B. Scholkopf, J. Platt, J. Shawe-Taylor, A. Smola, and R. Williamson. Estimating the support of a high-dimensional distribution. Technical Report 87-99, 1999.
[29] S. B. Shamsuddin and M. E. Woodward. Modeling protocol based packet header anomaly detector for network and host intrusion detection systems. CANS, pages 209–227, 2007.
[30] M. Shyu, S. Chen, K. Sarinnapakorn, and L. Chang. A novel anomaly detection scheme based on principal component classifier. In Proceedings of the IEEE Foundations and New Directions of Data Mining Workshop, 2003.
[31] Q. Wang and V. Megalooikonomou. A clustering algorithm for intrusion detection. In Proceedings of the Canadian Conference on Electrical and Computer Engineering, 2003.
[32] S. Zanero and S. M. Savaresi. Unsupervised learning techniques for an intrusion detection system. In ACM Symposium on Applied Computing, 2004.
