The ability of capturing unknown attacks is an attractive feature of anomaly-based intrusion detection and it is not surprising that research on such a topic represents one of the most promising directions in the field of network security. In this work we consider two different traffic descriptors and evaluate their ability in capturing different kinds of anomalies, taking into account three different measures of similarity in order to discriminate between the normal network behaviour and the presence of anomalies. An extensive performance analysis, carried out over the publicly available MAWILab dataset, has highlighted that a proper choice of the relevant traffic descriptor and the similarity measure can be particularly efficient in the case of unknown attacks, i.e. those attacks that cannot be detected by standard misuse-based systems.
A novel histogram-based network anomaly detection
CALLEGARI, CHRISTIAN;PAGANO, MICHELE;GIORDANO, STEFANO;BERIZZI, FABRIZIO
2016-01-01
Abstract
The ability of capturing unknown attacks is an attractive feature of anomaly-based intrusion detection and it is not surprising that research on such a topic represents one of the most promising directions in the field of network security. In this work we consider two different traffic descriptors and evaluate their ability in capturing different kinds of anomalies, taking into account three different measures of similarity in order to discriminate between the normal network behaviour and the presence of anomalies. An extensive performance analysis, carried out over the publicly available MAWILab dataset, has highlighted that a proper choice of the relevant traffic descriptor and the similarity measure can be particularly efficient in the case of unknown attacks, i.e. those attacks that cannot be detected by standard misuse-based systems.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.