Hybrid Modular Approach for Anomaly Detection
The traditional approach for detecting novel attacks in network traffic is to model the normal frequency of session IP addresses and server port usage and to signal unusual combinations of these attributes as suspicious. Rather than just modeling user behavior, recent systems model network protocols from the data link layer through the application layer in order to detect attacks that exploit vulnerabilities in the implementation of these protocols. The authors describe a modular approach for network anomaly detection. Their system analyzes network traffic at three possible levels (packet, flow, protocol) with the help of three different modules.
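
A sketch of the traditional frequency-based approach described above, as an added example that is not the authors' system. The class name `PairFrequencyModel`, the add-one smoothing, the threshold rule and the session data are all assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed training sessions (client IP, server port), assumed attack-free.
TRAINING = (
    [("10.0.0.5", 80)] * 40
    + [("10.0.0.5", 443)] * 30
    + [("10.0.0.7", 22)] * 20
    + [("10.0.0.9", 25)] * 10
)


class PairFrequencyModel:
    """Models how often each (client IP, server port) pair occurs."""

    def __init__(self, sessions):
        sessions = list(sessions)
        self.pairs = Counter(sessions)
        self.ips = {ip for ip, _ in sessions}
        self.ports = {port for _, port in sessions}
        self.total = len(sessions)

    def score(self, ip, port):
        """Surprisal of the pair in bits; add-one smoothing keeps unseen pairs finite."""
        p = (self.pairs[(ip, port)] + 1) / (self.total + len(self.pairs) + 1)
        return -math.log2(p)

    def threshold(self, margin=1.0):
        """Highest score of any training pair plus a margin in bits (assumed rule)."""
        return max(self.score(ip, port) for ip, port in self.pairs) + margin

    def classify(self, ip, port, threshold):
        """Return 'normal' or the reason the session is flagged."""
        if self.score(ip, port) <= threshold:
            return "normal"
        if ip not in self.ips:
            return "unseen client"
        if port not in self.ports:
            return "unseen port"
        # Both attributes are familiar on their own; only the pairing is new.
        return "unusual combination"


MODEL = PairFrequencyModel(TRAINING)
THRESHOLD = MODEL.threshold()

if __name__ == "__main__":
    for ip, port in [("10.0.0.5", 80), ("10.0.0.5", 22), ("203.0.113.9", 80)]:
        print(ip, port, round(MODEL.score(ip, port), 2), MODEL.classify(ip, port, THRESHOLD))
```

A model of this kind only sees address and port statistics, so traffic that uses a familiar client and port scores as normal whatever the packets contain.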