1. Comparative Evaluation of Header vs. Payload based Network Anomaly Detectors.
- Author
- Cheema, Faisal M., Akram, Adeel, and Iqbal, Zeshan
- Subjects
- COMPUTER networks; BROADBAND communication systems; COMPUTER security; COMPUTER crime prevention; ELECTRONIC data processing
- Abstract
With the immense growth of services offered by the Internet, the requirement for broadband connectivity has increased significantly in the past few years. Organizations and individuals rely heavily on the Internet for their daily communication needs. Consequently, networks have become more prone to different types of network attacks. Intrusion Detection Systems (IDS) offer a method to protect networks against many such attacks. Numerous IDS have been proposed in the literature, employing different techniques to identify attack patterns as well as abrupt changes in network traffic flows. Anomaly detection is a type of intrusion detection corresponding to a suite of techniques that can be used to identify novel or "zero-day" attacks against computers and network infrastructure. Different Anomaly-based Intrusion Detection Systems (ADS) work on different principles: a few take into account the packet headers only, whereas others operate on the payload as well as the packet headers. In this paper we evaluate six different ADS; three of them work on the packet header only, while the remaining three work on both header and payload. We aim to provide a conclusive comparison of these ADS (header only versus both header and payload) in terms of accuracy, complexity and detection delay, to highlight factors that must be considered when designing IDS in the future. The comparison is performed using two real-world labeled datasets to enable cross-reference for future research in this field. At the end of this paper we conclude that anomaly detectors which work on both header and payload perform better than those ADS which consider only the header for intrusion detection.
- Published
- 2009