Knowledge-independent traffic monitoring: Unsupervised detection of network attacks


Bibliographic Details
Published in: IEEE Network, Vol. 26, No. 1, pp. 13-21
Main Authors: Casas, P., Mazel, J., Owezarski, P.
Format: Journal Article
Language: English
Published: New York, IEEE, 01.01.2012 (The Institute of Electrical and Electronics Engineers, Inc.)
Summary: The philosophy of traffic monitoring for detection of network attacks is based on an acquired-knowledge perspective: current techniques detect either the well-known attacks on which they are programmed to alert, or those anomalous events that deviate from a known normal operation profile or behavior. In this article we discuss the limitations of the current knowledge-based strategy for detecting network attacks in an increasingly complex and ever-evolving Internet. From a diametrically opposite perspective, we place the emphasis on the development of unsupervised detection methods, capable of detecting network attacks in a changing environment without any previous knowledge of either the characteristics of the attack or the baseline traffic behavior. Based on the observation that a large fraction of network attacks are contained in a small fraction of traffic flows, we demonstrate how to combine simple clustering techniques to accurately identify and characterize malicious flows. To show the feasibility of such a knowledge-independent approach, we develop a robust multi-clustering-based detection algorithm and evaluate its ability to detect and characterize network attacks without any previous knowledge, using packet traces from two real operational networks.
ISSN: 0890-8044, 1558-156X
DOI: 10.1109/MNET.2012.6135851