TY - JOUR
T1 - A Two-stage Flow-based Intrusion Detection Model For Next-generation Networks
AU - Umer, Muhammad Fahad
AU - Sher, Muhammad
AU - Bi, Yaxin
PY - 2018/1/12
Y1 - 2018/1/12
N2 - The next-generation network provides state-of-the-art access-independent services over converged mobile and fixed networks. Security in the converged network environment is a major challenge. Traditional packet and protocol-based intrusion detection techniques cannot be used in next-generation networks due to slow throughput, low accuracy and their inability to inspect encrypted payload. An alternative solution for protection of next-generation networks is to use network flow records for detection of malicious activity in the network traffic. The network flow records are independent of access networks and user applications. In this paper, we propose a two-stage flow-based intrusion detection system for next-generation networks. The first stage uses an enhanced unsupervised one-class support vector machine which separates malicious flows from normal network traffic. The second stage uses a self-organizing map which automatically groups malicious flows into different alert clusters. We validated the proposed approach on two flow-based datasets and obtained promising results.
KW - Network Security
KW - Intrusion Detection
KW - Network Traffic Flow
UR - https://pure.ulster.ac.uk/en/publications/a-two-stage-flow-based-intrusion-detection-model-fornext-generati
U2 - 10.1371/journal.pone.0180945
DO - 10.1371/journal.pone.0180945
M3 - Article
C2 - 29329294
SN - 1932-6203
VL - 13
SP - 1
EP - 20
JO - PLoS ONE
JF - PLoS ONE
IS - 1
ER -