Rule-Based Anomaly Detection on IP Flows

Executive Summary

Rule-based packet classification is a powerful method for identifying traffic anomalies, with network security as a key application area. While popular systems like Snort are used in many network locations, comprehensive deployment across Tier-1 service provider networks is costly because high-speed monitors would be needed at many network ingress points. This paper exploits correlations between packet-level and flow-level information via a Machine Learning (ML) approach that associates packet-level alarms with a feature vector derived from flow records of the same traffic. The authors describe a system architecture for network-wide flow alarming, outline the steps required to establish a proof of concept, and evaluate the prediction accuracy of candidate ML algorithms on actual packet traces.
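To make the idea concrete, here is an added, self-contained illustration of the flow-alarming pipeline the summary describes: flow records are turned into feature vectors, packet-level alarms are joined onto the flows they belong to (by 5-tuple and time window) to produce labels, and a classifier is trained so that flows with no packet monitor can be flagged from flow data alone. This is example code written for this page, not the paper's system; the flow records, alarms, feature set and the nearest-centroid classifier are all constructed assumptions chosen to keep the example dependency-free, not choices taken from the paper.

```python
"""Toy flow-alarming pipeline: flow records -> feature vectors, packet-level
alarms -> labels, then a simple classifier and an accuracy estimate.
All data below is constructed for illustration; none of it is from the paper."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record: 5-tuple plus timing and counters."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    start: float
    end: float
    packets: int
    octets: int
    tcp_flags: int  # cumulative OR of TCP flags seen in the flow


# Constructed flow records (hypothetical addresses from documentation ranges).
FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 51000, 80, 6, 0.0, 2.0, 12, 9000, 0x1B),   # ordinary HTTP
    Flow("10.0.0.6", "192.0.2.10", 51001, 443, 6, 0.0, 3.0, 20, 15000, 0x1B), # ordinary TLS
    Flow("10.0.0.7", "192.0.2.10", 51002, 80, 6, 0.0, 1.5, 10, 8000, 0x1B),
    Flow("10.0.0.8", "192.0.2.10", 51003, 443, 6, 0.0, 2.5, 18, 14000, 0x1B),
    Flow("198.51.100.9", "192.0.2.10", 40000, 22, 6, 10.0, 10.01, 1, 40, 0x02),   # SYN-only
    Flow("198.51.100.9", "192.0.2.10", 40001, 23, 6, 10.0, 10.01, 1, 40, 0x02),
    Flow("198.51.100.9", "192.0.2.10", 40002, 3389, 6, 10.0, 10.01, 1, 40, 0x02),
    Flow("198.51.100.9", "192.0.2.10", 40003, 445, 6, 10.0, 10.01, 1, 40, 0x02),
]

# Constructed packet-level alarms as (timestamp, src, dst, sport, dport, proto).
# In the paper's setting these would be emitted by a Snort-style packet monitor.
ALARMS = [
    (10.005, "198.51.100.9", "192.0.2.10", 40000, 22, 6),
    (10.005, "198.51.100.9", "192.0.2.10", 40001, 23, 6),
    (10.005, "198.51.100.9", "192.0.2.10", 40002, 3389, 6),
    (10.005, "198.51.100.9", "192.0.2.10", 40003, 445, 6),
]


def features(f: Flow) -> list[float]:
    """Feature vector derived only from the flow record (assumed feature set)."""
    dur = max(f.end - f.start, 1e-3)
    pkts = max(f.packets, 1)
    return [
        math.log1p(pkts),                         # flow volume in packets
        math.log1p(f.octets / pkts),              # mean packet size
        math.log1p(pkts / dur),                   # packet rate
        1.0 if f.tcp_flags == 0x02 else 0.0,      # SYN-only flow (no handshake completed)
        1.0 if f.dport in (80, 443) else 0.0,     # well-known web service port
    ]


def label_flows(flows: list[Flow], alarms: list[tuple]) -> list[int]:
    """Join each alarm to the flow with the same 5-tuple whose time span covers it."""
    labels = []
    for f in flows:
        hit = any(
            (s, d, sp, dp, p) == (f.src, f.dst, f.sport, f.dport, f.proto)
            and f.start <= t <= f.end
            for t, s, d, sp, dp, p in alarms
        )
        labels.append(1 if hit else 0)
    return labels


def train_centroids(X: list[list[float]], y: list[int]) -> dict[int, list[float]]:
    """Nearest-centroid classifier: one mean vector per class (stand-in for the paper's ML)."""
    cents = {}
    for c in (0, 1):
        rows = [x for x, lab in zip(X, y) if lab == c]
        if rows:
            cents[c] = [sum(col) / len(rows) for col in zip(*rows)]
    return cents


def predict(cents: dict[int, list[float]], x: list[float]) -> int:
    """Assign the class whose centroid is closest in Euclidean distance."""
    return min(cents, key=lambda c: sum((a - b) ** 2 for a, b in zip(x, cents[c])))


def evaluate(flows: list[Flow], alarms: list[tuple]) -> float:
    """Leave-one-out accuracy: how often a flow's alarm status is predicted
    from flow features alone, without the packet monitor's verdict for that flow."""
    X = [features(f) for f in flows]
    y = label_flows(flows, alarms)
    correct = 0
    for i in range(len(X)):
        cents = train_centroids(X[:i] + X[i + 1:], y[:i] + y[i + 1:])
        correct += int(predict(cents, X[i]) == y[i])
    return correct / len(X)


if __name__ == "__main__":
    print("labels:", label_flows(FLOWS, ALARMS))
    print("leave-one-out accuracy:", evaluate(FLOWS, ALARMS))
```

The join in `label_flows` is the step that lets a few packet monitors label traffic for the whole network: once flows at monitored ingress points carry labels, the classifier can be applied to flow records collected where no packet monitor exists. On real data the feature set and classifier would need to be chosen by measured prediction accuracy, which is exactly the comparison the summary says the paper performs.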

  • Format: PDF
  • Size: 180.6 KB