• Journal of the China Computer Federation
• China Science and Technology Core Journal
• Chinese Core Journal

J4 ›› 2012, Vol. 34 ›› Issue (7): 24-28.

• Paper •

A Modified Approach for Byte Frequency based Payload Anomaly Intrusion Detection

WENG Guangan1,YU Shengsheng2,ZHOU Jingli2   

  1. (1.Department of Computer Science,Wenhua School,
    Huazhong University of Science and  Technology,Wuhan 430074;
    2.School of Computer Science,Huazhong University of Science and  Technology,Wuhan 430074,China)
  • Received:2011-08-25 Revised:2011-11-01 Online:2012-07-25 Published:2012-07-25

Abstract:

The content characteristics of datasets strongly affect the detection accuracy of network anomaly intrusion detection systems. This paper analyses how differences between the content characteristics of training packets influence models based on byte frequency distribution, and shows that such differences push models which compute the average frequency of grouped packets towards a higher false alarm rate. Based on this analysis, a modified model named single packet frequency distribution is proposed: it forms normal profiles from the frequency distribution of each individual packet instead of from their average values, and controls the size of the normal set with clustering techniques. Experiments are carried out on a simulation dataset and on the DARPA99 real network dataset. The results indicate that large differences between packet contents indeed make average byte frequency based models generate more false alarms, whereas the single packet frequency distribution model is unaffected and achieves higher detection accuracy, reaching an equal detection rate at a lower false alarm rate. In the worst case, the average value based model even becomes invalid. The single packet frequency distribution model can be considered well adapted to network services with rich dynamic content.
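As an added illustration (not code from the paper), a toy Python comparison of the two models the abstract contrasts: one averaged byte-frequency profile over the training set versus a normal set made of individual packet distributions, bounded by a simple leader-clustering merge. The L1 distance, the merge threshold, the leader-clustering stand-in for the paper's clustering and the sample payloads are all assumptions.

```python
from collections import Counter

def byte_freq(payload: bytes) -> list:
    """Normalised 256-bin byte frequency distribution of one packet payload."""
    counts, n = Counter(payload), max(len(payload), 1)
    return [counts.get(b, 0) / n for b in range(256)]

def l1_distance(p: list, q: list) -> float:
    """L1 distance between two distributions (assumed metric)."""
    return sum(abs(a - b) for a, b in zip(p, q))

def average_profile(packets: list) -> list:
    """Average-value model: one mean frequency vector over the training set."""
    dists = [byte_freq(p) for p in packets]
    return [sum(col) / len(dists) for col in zip(*dists)]

def single_packet_profiles(packets: list, merge_threshold: float = 0.5) -> list:
    """Single-packet model: each training packet's own distribution is a normal
    profile; packets within merge_threshold of an existing centroid are folded
    into it (assumed leader clustering) so the normal set stays bounded."""
    profiles = []  # entries are [centroid, member_count]
    for p in packets:
        d = byte_freq(p)
        for prof in profiles:
            if l1_distance(prof[0], d) < merge_threshold:
                k = prof[1]
                prof[0] = [(c * k + x) / (k + 1) for c, x in zip(prof[0], d)]
                prof[1] = k + 1
                break
        else:
            profiles.append([d, 1])
    return [c for c, _ in profiles]

# Constructed training set: one service carrying two very different content
# types (text-like and binary-like), the case the abstract links to false alarms.
TRAIN = [b"a" * 50 + b"b" * 50, b"a" * 50 + b"b" * 50,
         bytes([0x80, 0x81]) * 50, bytes([0x80, 0x81]) * 50]
NORMAL_TEXT = b"a" * 60 + b"b" * 40  # legitimate text packet, slightly off-centre
ANOMALOUS = b"\x00" * 100            # constructed out-of-profile packet

def compare(train: list = TRAIN) -> dict:
    avg, profs = average_profile(train), single_packet_profiles(train)
    def nearest(payload):  # single-packet score: distance to the nearest profile
        return min(l1_distance(c, byte_freq(payload)) for c in profs)
    return {"profiles": len(profs),
            "avg_normal": l1_distance(avg, byte_freq(NORMAL_TEXT)),
            "single_normal": nearest(NORMAL_TEXT),
            "avg_anomalous": l1_distance(avg, byte_freq(ANOMALOUS)),
            "single_anomalous": nearest(ANOMALOUS)}
```

A threshold that lets the averaged model flag the anomalous packet (score 2.0) sits close to its score for the legitimate text packet (1.0), whereas the single-packet model separates them as 0.2 against 2.0 while keeping only two profiles.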

Key words: NIDS; byte frequency distribution; payload anomaly detection; simulation dataset