Due to the rapidly evolving nature of network attacks, a considerable paradigm shift has taken place with focus now on Network-based Anomaly Detection Systems (NADSs) that can detect zero-day attacks. At this time, it is important to evaluate existing anomaly detectors to determine and learn from their strengths and weaknesses. Thus we aim to evaluate the performance of eight prominent network-based anomaly detectors under malicious portscan attacks. These NADSs are evaluated on three criteria: accuracy (ROC curves), scalability (with respect to varying normal and attack traffic rates, and deployment points) and detection delay. Based on our experiments, we identify promising guidelines to improve the accuracy and scalability of existing and future anomaly detectors. We show that the proposed guidelines provide considerable and consistent accuracy improvements for all evaluated NADSs.
TopIntroduction
With an increasing penetration of broadband Internet connectivity and an exponential growth in the worldwide IT infrastructure, individuals and organizations now rely heavily on the Internet for their communication and business needs. While such readily-available network connectivity facilitates operational efficiency and networking, systems connected to the Internet are inherently vulnerable to network attacks. These attacks have been growing in their number and sophistication over the last few years (Symantec, 2002-2008). Malware, botnets, spam, phishing, and denial of service attacks have become continuous and imminent threats for today’s networks and hosts (Symantec, 2002-2008; McAfee, 2005). Financial losses due to these attacks are in the orders of billions of dollars. In addition to the short-term revenue losses for businesses and enterprises, network attacks also compromise information confidentiality/integrity and cause disruption of service, thus resulting in a long-term loss of credibility.
Since the CodeRed worm of 2001, malware attacks have emerged as one of the most prevalent and potent threats to network and host security. Many network-based anomaly detection systems (NADSs) have been proposed in the past few years to detect novel network attacks (Williamson, 2002 – Cisco NetFlow). Since malicious portscans are the vehicle used by malware and other automated tools to locate and compromise vulnerable hosts, some of these anomaly detectors are designed specifically for portscan detection (Williamson, 2002 - Ganger, 2002), (Zou, 2003), while other detectors are more general-purpose and detect any anomalous traffic trend (Mahoney, 2001 - Soule, 2005), (Gu, 2005). Most of the network-based anomaly detectors, model and leverage deep-rooted statistical properties of benign traffic to detect anomalous behavior. A variety of theoretical frameworks–including stochastic, machine learning, information-theoretic and signal processing frameworks–have been used to develop robust models of normal behavior and/or to detect/flag deviations from that model.
The main challenge of NADSs is to define a robust model of normal traffic behavior. In particular, an accurate model needs to cater for changes in normal traffic behavior over time. Such changes in normal traffic behavior lead to potentially low detection rates and high false alarm rates of NADSs. In view of the vast existing literature on network anomaly detection, it is important to evaluate existing NADSs. While a comprehensive performance evaluation facilitates study of various aspects of contemporary anomaly detectors, more importantly they should reveal the strengths and shortcomings of existing NADSs and consequently lead to promising design guidelines that can be used to improve the accuracy of NADSs.