A NETWORK-BASED ANOMALY DETECTION SYSTEM USING MULTIPLE NETWORK FEATURES

Yuji Waizumi, Yohei Sato and Yoshiaki Nemoto

Graduate School of Information Sciences, Tohoku University

6-6-05, Aramaki-Aza-Aoba, Aobaku, Sendai-shi, Miyagi, 980-8579 Japan

Keywords:

Anomaly Detection, Multiple Network Features, Intrusion Detection System, Principal Component Analysis.

Abstract:

Accuracy of anomaly-based intrusion detection greatly depends on features, the numerical values representing characteristics of network traffic. In order to increase accuracy, it is necessary to choose appropriate features that can correctly detect anomalous events. In this paper, we stress the fact that a specific kind of anomaly changes specific features. We propose a highly accurate and robust intrusion detection system using multiple features. Each feature is used for evaluating anomalous events independently by a statistical detection method. Through experiments, we investigate the accuracy of the proposed scheme.

1 INTRODUCTION

Use of the Internet has expanded to a global scale. Along with its growth, network crimes and illegal accesses are also on the rise. Network Intrusion Detection Systems (NIDSs) are commonly used to defend against such crimes. The two most common detection techniques adopted by NIDSs are signature-based detection and anomaly-based detection. Signature-based detection techniques search for characteristics of known attacks. Although this technique can precisely detect illegal accesses defined in the signature database, it cannot detect novel attacks.

The anomaly detection technique defines the normal state of the network traffic and regards any network state deviating from it as anomalous. Thus, anomaly detection can be used to detect unknown attacks. However, this method also has a high detection error rate because it is difficult to define the normal network state precisely. Although much research has been carried out in the anomaly detection field (Debra et al., 1995) (SPADE, ) (Mahoney and Chan, 2001) (M.Mahoney, 2003) to reduce the detection error, the detection accuracy remains insufficient.

More detailed traffic information is necessary to build an advanced anomaly detection system. In this paper, we propose a new anomaly detection technique based on multiple features of network traffic. The proposed features are selected based on three different types of attack characteristics. The three features are 1) the number of packets, 2) characteristics of packets in flow units and 3) the histogram of character codes of payloads. To detect anomalous traffic, we adopt Principal Component Analysis.

2 THREE DIFFERENT FEATURES BASED ON CHARACTERISTICS OF ATTACKS

The attacks of (DARPA, 1999) are classified into four types: Denial of Service (DoS), Probe, Remote to Local (R2L) and User to Root (U2R).

For a NIDS to detect attacks, the traffic should be studied on a different basis. We reclassify these attacks based on the type of anomalies they create, as follows:

C1 Anomaly in the amount of traffic and the range of communication (DoS, Probe)

C2 Anomaly in communication procedures (Probe)

C3 Anomaly in content of communication (DoS, R2L, U2R)


Waizumi Y., Sato Y. and Nemoto Y. (2007).

A NETWORK-BASED ANOMALY DETECTION SYSTEM USING MULTIPLE NETWORK FEATURES.

In Proceedings of the Third International Conference on Web Information Systems and Technologies - Internet Technology, pages 410-413

DOI: 10.5220/0001279304100413

 SciTePress

We next propose three feature sets corresponding

to the above anomalies.

2.1 Timeslot Type Feature Set

Based on C1, we define the Timeslot type feature set, which numerically expresses the amount of traffic and the range of communication. This feature set expresses the state of the network as a 34-dimensional vector. It is extracted by counting the following items at a fixed interval of time:

• # of TCP, UDP, ICMP packets (3 elements)
• # of bytes sent and received through all TCP connections (1 element)
• # of TCP ports
• # of occurrences of TCP flags (5 elements)
• # of DNS (UDP, port 53) packets (1 element)
• # of fragmented packets (1 element)
• # of values of the 4 fields of IP addresses
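As a rough illustration of the counting described above, the following Python sketch groups packets into fixed-length timeslots and counts a small subset of the listed items. The packet representation (dictionaries with the keys `time`, `proto`, `src_port`, `dst_port` and `fragmented`) and the function name `timeslot_counts` are assumptions made for this example, and only five of the 34 elements are shown.

```python
from collections import Counter

def timeslot_counts(packets, interval=60.0):
    """Count a few Timeslot-type items per fixed-length timeslot.

    `packets` is an iterable of dicts with hypothetical keys:
    "time" (seconds), "proto" ("TCP", "UDP" or "ICMP"),
    "src_port", "dst_port" and "fragmented" (bool).
    """
    slots = {}
    for p in packets:
        slot = int(p["time"] // interval)          # index of the timeslot
        c = slots.setdefault(slot, Counter())
        c[p["proto"]] += 1                         # packets per protocol
        # Assumption: a DNS packet is a UDP packet using port 53 on either side.
        if p["proto"] == "UDP" and 53 in (p.get("src_port"), p.get("dst_port")):
            c["DNS"] += 1
        if p.get("fragmented"):
            c["fragmented"] += 1
    # One partial feature vector per timeslot, in a fixed element order.
    order = ["TCP", "UDP", "ICMP", "DNS", "fragmented"]
    return {s: [c[k] for k in order] for s, c in sorted(slots.items())}
```

The default interval of 60 seconds matches the timeslot interval used in the experiments of Section 4.1.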

Figure 1: Timeslot type feature set of normal network state. (Axes: Feature Value, Normalized Frequency.)

Figure 2: Timeslot type feature set of scanning ftp services. (Axes: Feature Value, Normalized Frequency.)

The Timeslot type feature set is suitable for detecting attacks that change the amount of traffic. Examples of such attacks are scans of specific port numbers and flood DoS. Figures 1 and 2 show a normal network state and probe traffic, respectively. These figures show that a few specific elements extracted from the attack traffic (Figure 2) are far larger than the other elements, in contrast to the normal network state (Figure 1).

2.2 Flow Count Type Feature Set

The Flow Count type feature set is defined from C2 of the reclassification to express the state of a flow by counting the number of packets, flags, etc. Here, a flow is defined as the aggregation of packets that share the same attributes, defined by the 5-tuple (protocol, source and destination IP addresses, source and destination port numbers) (Brownlee, 1998). The start and the end of a TCP flow are decided by flag bits. The end of a UDP flow, which has no such flags, is decided by setting a timeout T.
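The flow definition above can be sketched in Python for the UDP case. This is a minimal illustration under stated assumptions: packets are hypothetical tuples `(time, proto, src_ip, dst_ip, src_port, dst_port)` sorted by time, the key is directional for simplicity, and the timeout is interpreted as an idle gap between consecutive packets of the same 5-tuple, which the text does not specify.

```python
def split_udp_flows(packets, timeout=600.0):
    """Aggregate UDP packets into flows keyed by the 5-tuple.

    A new flow is started for a key when the gap since that key's previous
    packet exceeds `timeout` seconds (assumed idle-gap interpretation).
    `packets` must be sorted by time.
    """
    flows = []       # each flow is a list of packets
    open_flow = {}   # 5-tuple -> index of its current flow in `flows`
    last_seen = {}   # 5-tuple -> time of the most recent packet
    for pkt in packets:
        t, key = pkt[0], pkt[1:]
        if key not in open_flow or t - last_seen[key] > timeout:
            flows.append([])
            open_flow[key] = len(flows) - 1
        flows[open_flow[key]].append(pkt)
        last_seen[key] = t
    return flows
```

The default of 600 seconds is the UDP timeout used in the experiments of Section 4.1.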

The Flow Count type feature sets of TCP and UDP are a 19-dimensional vector and a 7-dimensional vector, respectively, and are defined as follows.

Items about a TCP flow:

• # of packets (1 element)
• # of flows of the current flow's port number (1 element)
• # of fragmented packets (1 element)
• # of occurrences of the 8 TCP flags (8 elements)
• # of occurrences of packets with only one kind of flag (8 elements)

Items about a UDP flow:

• # of packets (1 element)
• # of flows of the current flow's port number (1 element)
• # of fragmented packets (1 element)
• # of sent and received packets (2 elements)
• # of sent and received bytes (2 elements)
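To make the 19-dimensional TCP vector concrete, the following Python sketch assembles it from the packets of one flow. The text does not name the 8 TCP flags, so the flag names below (the eight bits of the TCP flags byte) are an assumption, as are the packet representation (dicts with a `flags` set and a `fragmented` bool), the element order and the function name `tcp_flow_vector`.

```python
# Assumed names for the 8 TCP flags; the paper does not list them.
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def tcp_flow_vector(packets, flows_on_port):
    """Build a 19-element Flow Count vector for one TCP flow.

    `packets`: list of dicts with hypothetical keys "flags" (set of flag
    names) and "fragmented" (bool). `flows_on_port`: number of flows that
    use the current flow's port number, counted elsewhere.
    """
    vec = [
        len(packets),                                 # of packets
        flows_on_port,                                # of flows on this port
        sum(1 for p in packets if p["fragmented"]),   # of fragmented packets
    ]
    # Occurrences of each of the 8 flags (8 elements).
    vec += [sum(1 for p in packets if f in p["flags"]) for f in TCP_FLAGS]
    # Packets carrying only that one flag (8 elements).
    vec += [sum(1 for p in packets if p["flags"] == {f}) for f in TCP_FLAGS]
    return vec
```

The element counts add up as stated in the text: 1 + 1 + 1 + 8 + 8 = 19.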

This feature set is defined to detect attacks that bring about anomalous changes in the flow structure, that is, attacks that contain anomalous sequences of flags or access ports that are not used by normal programs. Figures 3 and 4 depict examples of Flow Count type feature sets. Some specific elements of the port sweep traffic are extremely high.

Figure 3: Flow Count type feature set of normal flow. (Axes: Feature Value, Normalized Frequency.)

Figure 4: Flow Count type feature set of port sweep. (Axes: Feature Value, Normalized Frequency.)


2.3 Flow Payload Type Feature Set

From reclassification C3, we define the Flow Payload type feature set to detect anomalies in the transmitted data by calculating the character code distribution of the payloads. This feature set consists of the ratios of appearance frequencies of 8-bit codes in the flow payload. The feature is extracted separately from the traffic from client to server and from server to client. Hence it is expressed as a 512-dimensional vector.

The items of the Flow Payload type are as follows:

• The appearance probability of each code in the traffic from client to server (256 elements)
• The appearance probability of each code in the traffic from server to client (256 elements)
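The 512-dimensional payload vector described above can be sketched in Python as two concatenated byte-value histograms. The function name `payload_feature` and the choice to return all zeros for an empty payload are assumptions of this example.

```python
def payload_feature(client_to_server: bytes, server_to_client: bytes):
    """Return a 512-element vector of 8-bit code appearance ratios.

    Elements 0..255 describe the client-to-server payload and elements
    256..511 the server-to-client payload.
    """
    def ratios(data: bytes):
        counts = [0] * 256
        for b in data:          # iterating over bytes yields ints 0..255
            counts[b] += 1
        total = len(data)
        # Assumption: an empty payload maps to an all-zero histogram.
        return [c / total if total else 0.0 for c in counts]

    return ratios(client_to_server) + ratios(server_to_client)
```

For example, a client payload of `b"AAAB"` gives a ratio of 0.75 at index 65 (the code of "A") and 0.25 at index 66.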

Figure 5: Flow Payload type feature set of a normal flow. (Axes: Feature Value, Normalized Frequency.)

Figure 6: Flow Payload type feature set of a flow of imap attack. (Axes: Feature Value, Normalized Frequency.)

Figures 5 and 6 show a normal flow and a flow of an imap attack, respectively. Some elements of the Flow Payload type feature set of the imap attack are exceptionally high. These high values are considered to indicate buffer overflow traffic. Examples of such attacks are worms and DoS attacks that exploit software vulnerabilities and insert large amounts of code in order to provoke a buffer overflow.

3 DETECTION OF ATTACKS BY USING MULTIPLE MODULES

The proposed method detects attacks by combining the results of modules that are defined for each feature set explained in Section 2. We unify the results of these modules to obtain the final result. When detecting attacks with the Flow Payload type feature sets, we use the five subsets of TCP flows related to ports 20, 21, 23, 25 and 80. Consequently, the number of modules corresponding to each feature set of the proposed method is as follows.

• Timeslot type - 1 module
• Flow Count type - 2 modules
• Flow Payload type - 6 modules

The final result of the proposed detection system is the logical OR of the detection results of these modules. That is, if any one of these modules identifies an anomaly, the system generates an alert.
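The logical OR over module results can be written in a few lines of Python. The module names and the dictionary layout are hypothetical, chosen only for this sketch; the comparison uses a strict "greater than" because a module reports an anomaly when its score surpasses its threshold.

```python
def system_alert(scores, thresholds):
    """Return True if any module's anomaly score surpasses its threshold.

    `scores` and `thresholds` are dicts keyed by hypothetical module names.
    """
    return any(scores[name] > thresholds[name] for name in scores)


# Usage with made-up values: only the payload module exceeds its threshold.
scores = {"timeslot": 0.4, "flow_count_tcp": 1.1, "payload_port80": 9.7}
thresholds = {"timeslot": 2.0, "flow_count_tcp": 3.0, "payload_port80": 5.0}
alert = system_alert(scores, thresholds)
```

Because a single module is enough to raise an alert, each module's threshold also contributes to the overall false alarm count of the system.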

The detection modules of the proposed system adopt the detection method described in (OIKAWA et al., 2002), which uses Principal Component Analysis (PCA). This method consists of a learning phase and a detecting phase. In the learning phase, the principal component axis is obtained from the learning data by PCA. This axis expresses the characteristics of the variance, including the correlations, of normal traffic. In the detecting phase, the distance from the principal component axis (Projection Distance) is calculated as the Anomaly Score of each newly extracted feature set. When the anomaly score of a feature set surpasses a threshold, the feature set is judged to be an attack.
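The two phases can be sketched with NumPy as follows. This is not the implementation of (OIKAWA et al., 2002); it is a minimal illustration that assumes a single principal component axis (the first one) passing through the mean of the learning data, and the function names `learn_axis` and `projection_distance` are hypothetical.

```python
import numpy as np

def learn_axis(X):
    """Learning phase: return the mean and first principal axis of X.

    X has one feature vector per row. The right singular vectors of the
    centered data are its principal axes.
    """
    mean = X.mean(axis=0)
    _, _, vt = np.linalg.svd(X - mean, full_matrices=False)
    return mean, vt[0]          # vt[0] is a unit vector

def projection_distance(x, mean, axis):
    """Detecting phase: distance from x to the line through `mean` along `axis`."""
    d = x - mean
    residual = d - np.dot(d, axis) * axis   # remove the component along the axis
    return float(np.linalg.norm(residual))
```

A feature vector lying on the learned axis scores close to zero, while a vector that breaks the learned correlation between elements receives a large score even if each element alone is within its normal range.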

4 VERIFICATION AND EVALUATION OF THE PROPOSED SYSTEM

4.1 Experimental Environment

In this experiment, we use the data set in (DARPA, 1999), which includes five weeks of data. We carry out experiments with two scenarios in mind. In scenario 1, we use the data of weeks 1 and 3 (attack-free) together for learning, and the data of weeks 4 and 5 (including attacks) for the detection test. In scenario 2, to confirm our system's ability to detect attacks even if data that includes attacks is used for learning, the data of each day of weeks 4 and 5 are used for learning as well as for detecting attacks. Of course, information about the attacks is not used for learning. In both scenarios, we normalize all elements of feature sets to zero mean and unit variance.

Table 1: Detection Results (Scenario 1).

Method                        Detection rate (%)
Proposed Method               60.8% (104/171)
(M.Mahoney, 2003)             71.4% (132/185)
(Tyson et al., 2000)          55.6% (15/27)
(Neumann and Porras, 1999)    50.3% (85/169)
(Vigna et al., 2000)          46.8% (81/173)
(Barbara et al., 2001)        40.2% (41/102)

Table 2: Detection Results (Scenario 2).

Method                        Detection rate (%)
The proposed System           58.5% (100/171)
NETAD                         37.8% (70/185)
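The normalization of each feature element to zero mean and unit variance, as used in both scenarios, can be sketched with the Python standard library. Estimating the statistics from the learning data and replacing a zero standard deviation with 1.0 are assumptions of this example, as are the function names.

```python
from statistics import fmean, pstdev

def fit_normalizer(vectors):
    """Estimate the per-element mean and standard deviation.

    `vectors` is a list of equal-length feature vectors (assumed here to be
    the learning data).
    """
    columns = list(zip(*vectors))
    means = [fmean(col) for col in columns]
    # Assumption: constant elements keep a divisor of 1.0 to avoid division by zero.
    stds = [pstdev(col) or 1.0 for col in columns]
    return means, stds

def normalize(vector, means, stds):
    """Scale one feature vector with previously estimated statistics."""
    return [(x - m) / s for x, m, s in zip(vector, means, stds)]
```

Normalizing in this way keeps elements with large raw counts, such as byte totals, from dominating the principal component axis.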

The parameters of the experiment are set as follows: the number of permissible false alarms is 10/day (R. and et al, 2000), the timeslot interval is 60 seconds, the timeout of a UDP flow is 600 seconds and the validity time is 600 seconds.

The total number of false alarms permitted in the two weeks (10 days) is 100 (10 per day). The threshold of the projection distance for each day and each module is determined by a preliminary experiment.

4.2 Detection Performance

The detection results of the proposed system and conventional systems are shown in Table 1. The proposed system achieves better results than the other methods in both the number of attacks detected and the detection rate, except for NETAD (M.Mahoney, 2003). The total number of attacks differs between methods because each method observes different objects.

The detection results of the proposed system and NETAD for scenario 2 are shown in Table 2. Table 2 shows that the number of detections and the detection rate of NETAD, which performs best when attack-free data is used for learning, decrease greatly (from 71.4% to 37.8%). In contrast, the detection result of the proposed system hardly deteriorates (from 60.8% to 58.5%), and its number of detections and detection rate are higher than those of NETAD. Most anomaly-based IDSs require attack-free data for learning. In practice, however, such attack-free data are very hard to obtain, and the learning data of such IDSs are thought to contain at least a few attacks. The conditions of scenario 2 are therefore close to those of a real network. The detection ability of the proposed system does not deteriorate much even under such conditions, which indicates that the proposed system has high accuracy and robustness.

5 CONCLUSION

In this paper, we have proposed an anomaly detection system using three different feature sets, which are extracted based on the reclassification of attacks. The proposed method effectively detects a wide range of attacks by treating the feature sets independently, and suppresses the negative effect of attack traffic included in the learning data by using a statistical method in the learning phase.

Through experiments using the data set in (DARPA, 1999), we have demonstrated that the proposed system can achieve a high detection rate and high robustness.

REFERENCES

Barbara, D., Jajodia, S., Wu, N., and Speegle, B. (2001). ADAM: Detecting intrusions by data mining.

Brownlee, N. (1998). Network management and realtime traffic flow measurement. Journal of Network and Systems Management, 6(2):223–227.

DARPA (1999). MIT Lincoln Laboratory - DARPA intrusion detection evaluation. http://www.ll.mit.edu/IST/ideval/.

Debra, A., F.Lunt, T., Tamaru, H. J. A., and Valdes, A. (1995). Detecting unusual program behavior using the statistical component of the next-generation intrusion detection expert system (NIDES). Technical report.

Mahoney, M. V. and Chan, P. K. (2001). Detecting novel attacks by identifying anomalous network packet headers. Technical report.

M.Mahoney (2003). Network traffic anomaly detection based on packet bytes. In ACM-SAC, pages 346–350.

Neumann, P. and Porras, P. (1999). Experience with EMERALD to date. In Proceedings of First USENIX Workshop on Intrusion Detection and Network Monitoring, pages 73–80.

OIKAWA, T., WAIZUMI, Y., OHTA, K., KATO, N., and NEMOTO, Y. (2002). Network anomaly detection using statistical clustering method. Technical report.

R., L. and et al (2000). The 1999 DARPA off-line intrusion detection evaluation. 34:579–595.

SPADE. http://www.silicondefense.com/software/spice/.

Tyson, M., Berry, P., Williams, N., Moran, D., and Blei, D. (2000). DERBI: Diagnosis, explanation and recovery from computer break-ins. Technical report.

Vigna, G., Eckmann, S., and Kemmerer, R. (2000). The STAT tool suite. In Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX).
