Normal Profile Updating Method for Enhanced Packet Header Anomaly Detection

  • Walid Mohamed Alsharafi
  • Mohd Nizam OmarEmail author
  • Nashwan Ahmed Al-Majmar
  • Yousef Fazea
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 1073)


There is a significant need for various Intrusion Detection Systems (IDS) methods for packet behavior anomaly detection, due to the consistent exposure of packets to frequent intrusion threats. Thus, Packet Header Anomaly Detection (PHAD) considered as one of many significant approaches that is used for detecting threats on network packet. However, this approach still suffers from high generation of false alarm rate. This paper investigates a Normal Profile Updating Method (NPUM) for enhancing the PHAD based IDS model. This method updates normal profile of anomaly IDS using further processing of both the normal and abnormal data identified by anomaly detector. Simulation experiments and DARPA intrusion detection evaluation data sets are used for testing the proposed method. Results show that the proposed method can reduce the false positive alarms and improve the performance in terms of accuracy of detection. The major contributions of this research include the design of an enhanced PHAD-based IDS. This would contribute toward the enhanced IDSs to strengthen network security.


IDS PHAD Anomaly detection Normal profile False alarm 


  1. 1.
    Buczak, A.L., Guven, E.: A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Commun. Surv. Tutorials 18(2), 1153–1176 (2016)CrossRefGoogle Scholar
  2. 2.
    Mahoney, M.V.: Network traffic anomaly detection based on packet bytes. In: Proceedings of the 2003 ACM Symposium on Applied Computing, pp. 346–350. ACM (2003)Google Scholar
  3. 3.
    Mahoney, M.V., Chan, P.K.: PHAD: packet header anomaly detection for identifying hostile network traffic (2001)Google Scholar
  4. 4.
    Aydın, M.A., Zaim, A.H., Ceylan, K.G.: A hybrid intrusion detection system design for computer network security. Comput. Electr. Eng. 35(3), 517–526 (2009)CrossRefGoogle Scholar
  5. 5.
    Garg, A., Maheshwari, P.: PHAD: packet header anomaly detection. In: 2016 10th International Conference on Intelligent Systems and Control (ISCO), pp. 1–5. IEEE (2016)Google Scholar
  6. 6.
    Deka, R.K., Kalita, K.P., Bhattacharya, D.K., Kalita, J.K.: Network defense: approaches, methods and techniques. J. Netw. Comput. Appl. 57, 71–84 (2015)CrossRefGoogle Scholar
  7. 7.
    Al-Safwani, N., Fazea, Y., Ibrahim, H.: ISCP: In-depth model for selecting critical security controls. Comput. Secur. 77, 565–577 (2018)CrossRefGoogle Scholar
  8. 8.
    Elbasiony, R.M., Sallam, E.A., Eltobely, T.E., Fahmy, M.M.: A hybrid network intrusion detection framework based on random forests and weighted k-means. Ain Shams Eng. J. 4(4), 753–762 (2013)CrossRefGoogle Scholar
  9. 9.
    Lee, K.-C., Chang, J., Chen, M.-S.: PAID: packet analysis for anomaly intrusion detection. In: Washio, T., Suzuki, E., Ting, K.M., Inokuchi, A. (eds.) PAKDD 2008. LNCS (LNAI), vol. 5012, pp. 626–633. Springer, Heidelberg (2008).
  10. 10.
    Shamsuddin, S.B., Woodward, M.E.: Modeling protocol-based packet header anomaly detector for network and host intrusion detection systems. In: Bao, F., Ling, S., Okamoto, T., Wang, H., Xing, C. (eds.) CANS 2007. LNCS, vol. 4856, pp. 209–227. Springer, Heidelberg (2007).
  11. 11.
    Yassin, W., Udzir, N.I., Abdullah, A., Abdullah, M.T., Muda, Z., Zulzalil, H.: Packet header anomaly detection using statistical analysis. In: de la Puerta, J.G., et al. (eds.) International Joint Conference SOCO 2014-CISIS 2014-ICEUTE 2014. AISC, vol. 299, pp. 473–482. Springer, Cham (2014).
  12. 12.
    Kamarudin, M.H., Maple, C., Watson, T., Sohrabi, S.N.: A new unified intrusion anomaly detection in identifying unseen web attacks. Secur. Commun. Netw. 2017(2539034), 1–18 (2017)CrossRefGoogle Scholar
  13. 13.
    Cao, X., Chen, B., Li, H., Fu, Y.: Packet header anomaly detection using Bayesian topic models (2016).
  14. 14.
    Mahboubian, M., Udzir, N.I.: A naturally inspired statistical intrusion detection model. Int. J. Comput. Theor. Eng. 5(3), 578 (2013)CrossRefGoogle Scholar
  15. 15.
    Kamarudin, M.H., Maple, C., Watson, T., Sohrabi S.N.: Packet header intrusion detection with binary logistic regression approach in detecting R2L and U2R attacks. In: 2015 4th International Conference on Cyber Security, Cyber Warfare, and Digital Forensic, pp. 101–106 (2015)Google Scholar
  16. 16.
    Massachusetts Institute of Technology: DARPA intrusion detection scenario specific datasets. Lincoln Laboratory (1999).
  17. 17.
    Alsharafi, W.M., Omar, M.N.: A detector generating algorithm for intrusion detection inspired by AIS. ARPN J. Eng. Appl. Sci. 10(2) (2015). ISSN-1819-6608Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Walid Mohamed Alsharafi
    • 1
    • 2
  • Mohd Nizam Omar
    • 1
    Email author
  • Nashwan Ahmed Al-Majmar
    • 2
  • Yousef Fazea
    • 1
  1. 1.InterNetworks Research Laboratory, School of ComputingUniversiti Utara Malaysia UUMSintokMalaysia
  2. 2.Department of Computer Science and Information Technology, Faculty of ScienceIbb UniversityIbbYemen

Personalised recommendations