Field Size-based Packet Header Anomaly Detection with Rule-Based Normal Profile Updating for Intrusion Detection
Saved in:

| Published in: | 2024 IEEE International Conference on Signal Processing, Informatics, Communication and Energy Systems (SPICES), pp. 1-6 |
|---|---|
| Main authors: | |
| Format: | Conference paper |
| Language: | English |
| Published: | IEEE, 20.09.2024 |
| Subjects: | |
| Online access: | Get full text |
| Summary: | Packet Header Anomaly Detection, or PHAD, is a technique for detecting network intrusions. It assigns a score to each packet using a scoring method and uses that score to predict whether the packet is benign or anomalous. In this method, the genuine packets usually seen in a network are used to create a profile of header field values. During testing, packet header fields are extracted and compared with the values in this profile. A score is assigned to each packet based on the presence or absence of each of its header field values in the profile. This score is compared with a threshold, and a label is assigned to the packet. Researchers employ two methods for generating the score: stationary and non-stationary methods. The main issue with the PHAD technique is the large number of false alarms generated. To reduce these false alarms without compromising other parameters, this work proposes a modified PHAD scheme with a new scoring method and a mechanism to update the profile during the testing phase. The proposed method was tested on two publicly available datasets, and the results show that the technique can reduce false alarms by about 11% without causing any reduction in the other parameters. |
| DOI: | 10.1109/SPICES62143.2024.10779865 |