Open Access

An Adaptive Approach to Granular Real-Time Anomaly Detection

EURASIP Journal on Advances in Signal Processing20092009:589413

https://doi.org/10.1155/2009/589413

Received: 29 April 2008

Accepted: 23 December 2008

Published: 15 February 2009

Abstract

Anomaly-based intrusion detection systems have the ability to detect novel attacks, but when applied in real-time detection, they face the challenges of producing many false alarms and failing to match with the high speed of modern networks due to their computationally demanding algorithms. In this paper, we present Fates, an anomaly-based NIDS designed to alleviate the two challenges. Fates views the monitored network as a collection of individual hosts instead of as a single autonomous entity and uses dynamic, individual threshold for each monitored host, such that it can differentiate between characteristics of individual hosts and can independently assess their threat to the network. Each packet to and from a monitored host is analyzed with an adaptive and efficient charging scheme that considers the packet type, number of occurrences, source, and destination. The resulting charge is applied to the individual hosts threat assessment, providing pinpointed analysis of anomalous activities. We use various datasets to validate Fates ability to distinguish scanning behavior from benign traffic in real time.

Publisher note

To access the full article, please see PDF.

Authors’ Affiliations

(1)
Department of Computer Science and Engineering, University of South Carolina

Copyright

© C.-T. Huang and J. Janies. 2009

This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.