Accuracy Improving Guidelines for Network-based Anomaly Detection Systems

semanticscholar(2009)

Abstract
Since the seminal 1998/1999 DARPA evaluations of intrusion detection systems, network attacks have evolved considerably. In particular, after the CodeRed worm of 2001, the volume and sophistication of self-propagating malicious code threats have been increasing at an alarming rate. Many anomaly detectors have been proposed, especially in the past few years, to combat these new and emerging network attacks. Due to the rapidly evolving nature of network attacks, a considerable paradigm shift has taken place, with the focus now on Network-based Anomaly Detection Systems (NADSs) that can detect zero-day attacks. Contemporary NADSs borrow concepts from a variety of theoretical fields (e.g., information theory, stochastic and machine learning, signal processing, etc.) to model benign traffic. In this work, we survey and taxonomize recent NADSs with the aim of learning from their strengths and weaknesses. To this end, we propose a multidimensional taxonomy which allows a systematic classification of NADSs. At this time, it is also important to evaluate existing anomaly detectors to determine and learn from their strengths and shortcomings. Thus, as part of this research work, we also evaluate the performance of eight prominent network-based anomaly detectors under malicious portscan attacks. These NADSs are evaluated on three criteria: accuracy (ROC curves), scalability (with respect to varying normal and attack traffic rates, and deployment points) and detection delay. These criteria are evaluated using two independently collected datasets with complementary strengths. We see that a few of the anomaly detectors provide high accuracy on one of the two datasets, but are unable to scale their accuracy across the datasets. Based on our experiments and the proposed taxonomy, we identify promising guidelines to improve the accuracy and scalability of existing and future anomaly detectors, which is one of the main contributions of this work. We show that the proposed guidelines provide considerable and consistent accuracy improvements for all evaluated NADSs.

To my mom and dad, for their love and support