In this study, we apply an anomaly-based approach to analyze the traffic flows transferred over a network and to detect the flows related to different types of attacks. Based on the information extracted from network flows, a model of normal user behavior is discovered with the help of several clustering techniques. This model is then used to detect anomalies within recent time intervals. Since the approach is built on normal user behavior rather than on attack signatures, it can potentially detect zero-day intrusions. Moreover, such a flow-based intrusion detection approach can be used at high speeds, since it relies only on information in packet headers and therefore has to handle considerably less data than payload inspection. The proposed framework is tested on data obtained with the help of a realistic cyber environment (RGCE) that enables one to construct real attack vectors. The simulations show that the proposed method results in a higher accuracy rate when compared to other intrusion detection techniques.
Zolotukhin Mikhail, Hämäläinen Timo, Kokkonen Tero, Siltanen Jarmo
M. Zolotukhin, T. Hämäläinen, T. Kokkonen and J. Siltanen, “Online detection of anomalous network flows with soft clustering,” 2015 7th International Conference on New Technologies, Mobility and Security (NTMS), Paris, 2015, pp. 1-5.
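The pipeline the abstract describes (summarize each flow from header information, cluster clean flows to model normal behavior with a soft clustering method, then score flows from a recent interval against that model) is illustrated below. This is an added example, not the paper's code or its feature set: the four log-scaled features, the fuzzy c-means implementation, the spread-normalized distance score, the threshold rule and every flow record are constructed for illustration.

```python
"""Flow-based anomaly detection with soft (fuzzy c-means) clustering.

Added illustration, not the paper's code: the feature set, the fuzzy c-means
implementation, the scoring rule and every flow record here are constructed.
"""
import math
import random

FUZZINESS = 2.0    # m in fuzzy c-means; values near 1 behave like hard k-means
TOLERANCE = 1.25   # slack above the largest score seen on clean training flows


def features(flow):
    """Map a (duration_s, bytes, packets) header summary to a log-scaled vector."""
    duration, nbytes, packets = flow
    return [math.log1p(duration), math.log1p(nbytes), math.log1p(packets),
            math.log1p(nbytes / max(packets, 1))]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def memberships(point, centroids):
    """Soft assignment of one point to every centroid (one row of the U matrix)."""
    d = [dist(point, c) for c in centroids]
    if 0.0 in d:                        # point coincides with a centroid
        return [1.0 if dj == 0.0 else 0.0 for dj in d]
    expo = 2.0 / (FUZZINESS - 1.0)
    return [1.0 / sum((d[j] / dk) ** expo for dk in d) for j in range(len(d))]


def fuzzy_cmeans(points, n_clusters, iters=200):
    """Standard fuzzy c-means with deterministic farthest-first initialisation."""
    centroids = [list(points[0])]
    while len(centroids) < n_clusters:
        centroids.append(list(max(points, key=lambda p: min(dist(p, c) for c in centroids))))
    for _ in range(iters):
        U = [memberships(p, centroids) for p in points]
        new = []
        for j in range(n_clusters):
            w = [u[j] ** FUZZINESS for u in U]
            new.append([sum(wi * p[i] for wi, p in zip(w, points)) / sum(w)
                        for i in range(len(points[0]))])
        shift = max(dist(a, b) for a, b in zip(centroids, new))
        centroids = new
        if shift < 1e-7:
            break
    return centroids


class FlowAnomalyModel:
    """Learn 'normal' from clean flows, then score flows from a recent interval."""

    def __init__(self, normal_flows, n_clusters=2):
        raw = [features(f) for f in normal_flows]
        dims = len(raw[0])
        self.means = [sum(v[i] for v in raw) / len(raw) for i in range(dims)]
        self.stds = [max(math.sqrt(sum((v[i] - m) ** 2 for v in raw) / len(raw)), 1e-9)
                     for i, m in enumerate(self.means)]
        pts = [self._standardize(v) for v in raw]
        self.centroids = fuzzy_cmeans(pts, n_clusters)
        # Spread of each cluster: membership-weighted RMS distance of training points.
        U = [memberships(p, self.centroids) for p in pts]
        self.spread = []
        for j, c in enumerate(self.centroids):
            w = [u[j] ** FUZZINESS for u in U]
            self.spread.append(math.sqrt(sum(wi * dist(p, c) ** 2 for wi, p in zip(w, pts)) / sum(w)))
        # Training flows are assumed clean, so their worst score bounds what 'normal' looks like.
        self.threshold = TOLERANCE * max(self._score(p) for p in pts)

    def _standardize(self, vec):
        return [(x - m) / s for x, m, s in zip(vec, self.means, self.stds)]

    def _score(self, point):
        u = memberships(point, self.centroids)
        j = max(range(len(u)), key=u.__getitem__)      # best-matching cluster
        return dist(point, self.centroids[j]) / self.spread[j]

    def score(self, flow):
        return self._score(self._standardize(features(flow)))

    def detect(self, window):
        """Indices of flows in a recent interval whose score exceeds the learnt threshold."""
        return [i for i, f in enumerate(window) if self.score(f) > self.threshold]


def constructed_normal_flows(n=60, seed=1):
    """Constructed baseline: n web-like sessions and n DNS-like exchanges."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        pk = rng.randint(10, 60)
        flows.append((rng.uniform(0.5, 3.0), pk * rng.randint(400, 900), pk))
        pk = rng.randint(2, 4)
        flows.append((rng.uniform(0.01, 0.1), pk * rng.randint(60, 120), pk))
    return flows


# Constructed recent interval: two ordinary flows and two that fit neither cluster.
RECENT_WINDOW = [
    (1.5, 30 * 650, 30),            # typical web session
    (0.05, 3 * 90, 3),              # typical DNS exchange
    (120.0, 500_000_000, 400_000),  # bulk transfer far beyond normal volume
    (60.0, 60_000, 60_000),         # one-byte-payload packet flood
]

if __name__ == "__main__":
    model = FlowAnomalyModel(constructed_normal_flows())
    flagged = model.detect(RECENT_WINDOW)
    for i, f in enumerate(RECENT_WINDOW):
        print(i, f, round(model.score(f), 2), "ANOMALY" if i in flagged else "ok")
```

Two design points carry over to any real deployment of this idea. The threshold is derived from the training interval, so the baseline must be free of attack traffic or the model will learn the attack as normal; and the score uses distance normalised by the spread of the best-matching cluster, so a tight cluster (such as short DNS exchanges) flags deviations that a loose cluster would tolerate.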