english german

innovative Anomaly and Intrusion-Detection


Figure 1 shows an overview of the proposed total concept of the intended approach. There are already existing sensors of the internet analyzing systems to generate flow data, which are under iAID also expanded to include a hardware-supported version for broadband networks. These IAS flows are a statistical representation of the network packet header information of each packet, which was replaced as a TCP or UDP communication.

Figure 1: general survey of IAS flow data process

For the evaluation of the collected meta data in different formats (such as IAS flow or NetFlow), the detection engine framework can be extended to new procedures. These procedures are able to detect abnormal network flows based on network statistics. The stages of this detection process are shown schematically in Figure 2. These flows are classified first in a clustering process into different groups (clusters). This arrange could be conducted with the help of employed protocols on application layer. It is necessary to increase the accuracy of the abnormality detection. Would this not be done, the differences would statistically significantly outweigh between protocols than the differences between flows of same protocols. Clusters should already be arranged in three classes by the user, too:

Figure 2: anomaly detection of IAS flow data

Anomalous flow data from neutral and malicious clusters are passed to an intelligent filter. This filter will passed all flows enriched with additional information to a user. If a flow will be identified as non-dangerous, in the future similar flows are also non-dangerous. This requires different methods and similarity measures which are evaluated for this. Necessary additional information to enable a decision, and a suitable representation has to be found. Additional information may be generally known or updated information about the ports should be found, for example. If dangerous flows will be discovered in the processing of alerts the system, they can also be explicitly selected to train the filter. In addition, the information can be extended to descriptions, which include countermeasures. From that a warning (alarm) can be generated. This warning must be subsequently processed by a security expert.

The following scientific key issues arising from the proposed process:

iAID logo Top