Knowledge-independent traffic monitoring: Unsupervised detection of network attacks
Published in | IEEE Network, Vol. 26, no. 1, pp. 13-21 |
---|---|
Main Authors | , , |
Format | Journal Article |
Language | English |
Published | New York: IEEE (The Institute of Electrical and Electronics Engineers, Inc.), 01.01.2012 |
Summary | The philosophy of traffic monitoring for detection of network attacks is based on an acquired knowledge perspective: current techniques detect either the well-known attacks on which they are programmed to alert, or those anomalous events that deviate from a known normal operation profile or behavior. In this article we discuss the limitations of the current knowledge-based strategy to detect network attacks in an increasingly complex and ever evolving Internet. In a diametrically opposite perspective, we place the emphasis on the development of unsupervised detection methods, capable of detecting network attacks in a changing environment without any previous knowledge of either the characteristics of the attack or the baseline traffic behavior. Based on the observation that a large fraction of network attacks are contained in a small fraction of traffic flows, we demonstrate how to combine simple clustering techniques to accurately identify and characterize malicious flows. To show the feasibility of such a knowledge-independent approach, we develop a robust multiclustering-based detection algorithm, and evaluate its ability to detect and characterize network attacks without any previous knowledge, using packet traces from two real operational networks. |
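The summary rests on two ideas: attack traffic is a small fraction of the flows, and several simple clusterings, combined, can isolate it without a signature or a baseline. The Python block below is an added illustration of that idea written for this page; it is not the article's multi-clustering algorithm, and the article's evaluation traces are not reproduced here. It aggregates constructed flow records into one feature vector per destination host, runs a minimal DBSCAN in every two-feature sub-space, and, for each host, accumulates the distance to the dominant cluster in every sub-space where the host does not belong to it. The hosts, the five feature names, the thresholds `eps` and `min_pts`, and the two injected attack patterns (a flood from many sources and a port scan from one source) are all assumptions made for the example.

```python
import math
from collections import defaultdict
from itertools import combinations

# Per-destination features (names chosen for this example). Attack traffic tends
# to be a small share of hosts/flows but to sit far from everything else in at
# least some of these dimensions; sub-space clustering exploits exactly that.
FEATURES = ("n_flows", "n_src", "pkts_per_flow", "bytes_per_pkt", "n_dport")


def build_sample_flows():
    """Constructed flow records (src, dst, dport, packets, bytes); not real traces."""
    flows = []
    # Seven ordinary web servers, each serving five HTTPS clients.
    for h in range(7):
        for c in range(5):
            pkts = 20 + (h + c) % 7
            flows.append((f"192.168.{h}.{c + 10}", f"10.0.0.{h + 1}", 443, pkts, pkts * 600))
    # A flooded host: 60 distinct sources sending one tiny packet each (SYN-flood-like).
    for s in range(60):
        flows.append((f"203.0.113.{s}", "10.0.0.99", 80, 1, 40))
    # A scanned host: one source probing 40 ports with one small packet each.
    for port in range(1, 41):
        flows.append(("198.51.100.7", "10.0.0.50", port, 1, 60))
    return flows


def flow_features(flows):
    """Aggregate flows per destination host into one feature vector per host."""
    agg = defaultdict(lambda: {"flows": 0, "src": set(), "pkts": 0, "bytes": 0, "dport": set()})
    for src, dst, dport, pkts, nbytes in flows:
        a = agg[dst]
        a["flows"] += 1
        a["src"].add(src)
        a["pkts"] += pkts
        a["bytes"] += nbytes
        a["dport"].add(dport)
    hosts = sorted(agg)
    vectors = [[agg[h]["flows"], len(agg[h]["src"]), agg[h]["pkts"] / agg[h]["flows"],
                agg[h]["bytes"] / agg[h]["pkts"], len(agg[h]["dport"])] for h in hosts]
    return hosts, vectors


def minmax(vectors):
    """Scale each feature to [0, 1]; a constant feature becomes 0 rather than dividing by zero."""
    cols = list(zip(*vectors))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (u - l) if u > l else 0.0 for v, l, u in zip(row, lo, hi)] for row in vectors]


def dbscan(points, eps, min_pts):
    """Minimal DBSCAN; returns one label per point, -1 meaning noise."""
    n = len(points)
    labels = [None] * n

    def neighbours(i):
        return [j for j in range(n) if math.dist(points[i], points[j]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        nb = neighbours(i)
        if len(nb) < min_pts:
            labels[i] = -1  # provisional noise; may later be re-labelled as a border point
            continue
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point: joins the cluster but is not expanded
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb_j = neighbours(j)
            if len(nb_j) >= min_pts:
                queue.extend(k for k in nb_j if labels[k] is None)
        cluster += 1
    return labels


def rank_anomalies(flows, eps=0.2, min_pts=3):
    """Cluster hosts in every 2-D feature sub-space and accumulate evidence per host."""
    hosts, raw = flow_features(flows)
    norm = minmax(raw)
    score = {h: 0.0 for h in hosts}
    flagged = {h: 0 for h in hosts}
    for fi, fj in combinations(range(len(FEATURES)), 2):
        pts = [(row[fi], row[fj]) for row in norm]
        labels = dbscan(pts, eps, min_pts)
        clustered = [lab for lab in labels if lab != -1]
        if not clustered:
            continue  # nothing dense here, so this sub-space offers no reference for "normal"
        big = max(set(clustered), key=clustered.count)
        members = [p for p, lab in zip(pts, labels) if lab == big]
        centroid = (sum(p[0] for p in members) / len(members), sum(p[1] for p in members) / len(members))
        for h, p, lab in zip(hosts, pts, labels):
            if lab != big:  # noise, or a cluster smaller than the dominant one
                flagged[h] += 1
                score[h] += math.dist(p, centroid)
    return sorted(((score[h], flagged[h], h) for h in hosts), reverse=True)


if __name__ == "__main__":
    for s, f, host in rank_anomalies(build_sample_flows()):
        print(f"{host:>10}  evidence={s:6.3f}  flagged in {f:2d}/10 sub-spaces")
```

Nothing in the block knows what a flood or a scan looks like: the two attacked hosts rank first only because they are isolated from the dominant cluster in every sub-space, while the seven ordinary servers, which always fall inside it, accumulate no evidence at all. With real traces the thresholds would have to be chosen relative to the number of aggregated hosts, and sub-spaces in which no dense cluster forms are skipped rather than trusted.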
ISSN | 0890-8044 (print), 1558-156X (online) |
DOI | 10.1109/MNET.2012.6135851 |