Detecting Anomalous Network Traffic with Self-organizing Maps

  • Manikantan Ramadas
  • Shawn Ostermann
  • Brett Tjaden

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2820)

Abstract

Integrated Network-Based Ohio University Network Detective Service (INBOUNDS) is a network-based intrusion detection system being developed at Ohio University. The Anomalous Network-Traffic Detection with Self Organizing Maps (ANDSOM) module for INBOUNDS detects anomalous network traffic using the Self-Organizing Map algorithm. Each network connection is characterized by six parameters and represented as a six-dimensional vector. The ANDSOM module creates a Self-Organizing Map (SOM), a two-dimensional lattice of neurons, for each network service. During the training phase, normal network traffic is fed to the ANDSOM module, and the neurons in the SOM are trained to capture its characteristic patterns. During real-time operation, a network connection is fed to the SOM for its service, and a “winner” is selected by finding the neuron closest in distance to it. The network connection is then classified as an intrusion if this distance exceeds a pre-set threshold.
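The training and detection loop the abstract describes, as an added Python example that is not the paper's ANDSOM code: a two-dimensional lattice is trained on normal six-feature connection vectors for one service, the winner is the neuron nearest to a new connection, and the connection is flagged when its winner distance exceeds a threshold. The feature values, lattice size, learning-rate and neighbourhood schedules, and the threshold policy (twice the largest winner distance seen on training data) are all assumptions made for the example.

```python
import math
import random

def winner(weights, v):
    """Return (row, col, dist) of the neuron closest to v, the 'winner'."""
    best = None
    for r, row in enumerate(weights):
        for c, w in enumerate(row):
            d = math.sqrt(sum((x - y) ** 2 for x, y in zip(w, v)))
            if best is None or d < best[2]:
                best = (r, c, d)
    return best

def train_som(vectors, rows=4, cols=4, epochs=80, seed=1):
    """Train a rows x cols lattice on the normal traffic of one service."""
    rng = random.Random(seed)
    weights = [[list(rng.choice(vectors)) for _ in range(cols)] for _ in range(rows)]
    radius0 = max(rows, cols) / 2.0
    for epoch in range(epochs):
        frac = epoch / epochs
        lr = 0.5 * (1.0 - frac)                    # learning rate decays to 0
        radius = max(0.5, radius0 * (1.0 - frac))  # neighbourhood shrinks
        for v in vectors:
            br, bc, _ = winner(weights, v)
            for r in range(rows):
                for c in range(cols):
                    h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * radius ** 2))
                    w = weights[r][c]
                    for i in range(len(v)):
                        w[i] += lr * h * (v[i] - w[i])
    return weights

def classify(weights, v, threshold):
    """Flag v as an intrusion when its winner distance exceeds the threshold."""
    d = winner(weights, v)[2]
    return d > threshold, d

def build_sample(seed=7):
    """Constructed six-feature normal vectors, scaled to [0,1]: two modes, 40 each."""
    rng = random.Random(seed)
    modes = [[0.2, 0.3, 0.1, 0.4, 0.2, 0.1], [0.7, 0.2, 0.6, 0.3, 0.8, 0.5]]
    return [[x + rng.uniform(-0.05, 0.05) for x in m] for m in modes for _ in range(40)]

def demo():
    normal = build_sample()
    som = train_som(normal)  # ANDSOM keeps one such map per network service
    thr = 2.0 * max(winner(som, v)[2] for v in normal)  # assumed threshold policy
    near = [normal[50][0] + 0.01] + normal[50][1:]      # slightly perturbed normal connection
    outlier = [0.95] * 6                                # far from every trained neuron
    return classify(som, near, thr)[0], classify(som, outlier, thr)[0]
```

Because each connection is scored only against the map of its own service, the threshold must be chosen per service from that service's own training errors; a single global cut-off would either miss outliers on tight services or flood alerts on noisy ones.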

Keywords

Intrusion Detection; Anomaly Detection; Self-Organizing Maps


Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Manikantan Ramadas, Ohio University
  • Shawn Ostermann, Ohio University
  • Brett Tjaden, James Madison University