Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

UMER Muhammad Fahad, SHER Muhammad, Yaxin Bi

Research output: Contribution to journal › Article

Abstract

Flow-based intrusion detection systems analyze IP flow records to detect attacks against computer networks. IP flow records contain aggregated packet header information; therefore, the amount of data processed by the intrusion detection system is reduced. In addition, since no payload is analyzed, end-to-end encryption does not affect the deployment of an intermediate intrusion detection system. In this paper, we evaluate one-class classification techniques for detection of malicious flows at the initial stage of a multi-stage flow-based intrusion detection system. The initial stage uses minimal flow attributes and only decides whether an IP flow is normal or malicious. Since there is only one class of interest (malicious) at the initial stage, we use one-class classification for detection of malicious flows. We review available one-class classification techniques and evaluate them on a flow-based dataset to determine their performance for detection of malicious flows. Our results show that one-class classification techniques using boundary methods give the best results in detection of malicious IP flows.
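The abstract describes a stage-one filter that sees only a few flow attributes, is trained on one class, and draws a boundary around it. The following Python sketch is an added illustration of such a boundary method, not code from the paper (whose dataset, attribute set and classifiers are not given on this page): it fits a hypersphere data description, a kernel-free relative of support vector data description, over standardised flow attributes, using constructed normal flow records, and then scores constructed test flows. The attribute triple (duration in ms, packets, bytes), the training fraction nu, and every flow value and label are assumptions made for the example.

```python
"""Stage-one one-class filter for IP flow records using a boundary method.

Added example, not code from the paper: it trains a hypersphere data
description (a kernel-free boundary method in the SVDD family) on
constructed normal flows and flags anything outside the learned boundary.
"""
import math
import statistics
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Assumed minimal flow attributes: (duration_ms, packets, bytes).
Flow = Tuple[int, int, int]


def features(flow: Flow) -> List[float]:
    """log1p-transform each attribute so heavy-tailed counts become comparable."""
    return [math.log1p(x) for x in flow]


def _distance(x: Sequence[float], mean: Sequence[float], std: Sequence[float]) -> float:
    """Euclidean distance of the standardised feature vector from the centre (origin)."""
    return math.sqrt(sum(((xi - m) / s) ** 2 for xi, m, s in zip(x, mean, std)))


@dataclass
class HypersphereDescriptor:
    """Boundary-based one-class classifier.

    Only normal (target-class) flows are used for training; the model is the
    standardised hypersphere that contains a 1 - nu fraction of them.
    A flow is called malicious when it falls outside that boundary.
    """
    mean: List[float]
    std: List[float]
    radius: float

    @classmethod
    def fit(cls, normal_flows: Sequence[Flow], nu: float = 0.1) -> "HypersphereDescriptor":
        X = [features(f) for f in normal_flows]
        mean = [statistics.mean(col) for col in zip(*X)]
        std = [statistics.pstdev(col) or 1.0 for col in zip(*X)]  # avoid /0 on constant attrs
        dists = sorted(_distance(x, mean, std) for x in X)
        # nu is the fraction of training flows allowed outside the sphere; it
        # trades false positives on normal traffic against boundary tightness.
        idx = max(0, math.ceil((1.0 - nu) * len(dists)) - 1)
        return cls(mean, std, dists[idx] or 1e-9)

    def score(self, flow: Flow) -> float:
        """Anomaly score: distance / radius; values above 1.0 lie outside the boundary."""
        return _distance(features(flow), self.mean, self.std) / self.radius

    def classify(self, flow: Flow) -> str:
        return "malicious" if self.score(flow) > 1.0 else "normal"


# Constructed normal flows (NetFlow-like client sessions); not a real dataset.
NORMAL_FLOWS: List[Flow] = [
    (120, 10, 2400), (300, 24, 9800), (85, 8, 1500), (450, 40, 22000),
    (200, 15, 5200), (60, 6, 900), (900, 80, 61000), (150, 12, 3300),
    (250, 20, 7000), (500, 45, 30000), (180, 14, 4100), (75, 7, 1200),
]

# Constructed test flows; the names are hypothetical labels for illustration.
TEST_FLOWS: Dict[str, Flow] = {
    "web_session": (220, 18, 6000),       # ordinary traffic, should pass
    "syn_scan_probe": (0, 1, 40),         # single tiny packet, no duration
    "packet_flood": (200, 5000, 200000),  # thousands of packets in 200 ms
    "bulk_exfil": (30000, 900, 1200000),  # long, byte-heavy transfer
    "mimic_beacon": (150, 12, 3200),      # C2 beacon shaped like normal traffic
}


def run_stage_one(nu: float = 0.1) -> Dict[str, str]:
    """Train on normal flows and return the stage-one verdict for each test flow."""
    model = HypersphereDescriptor.fit(NORMAL_FLOWS, nu=nu)
    return {name: model.classify(flow) for name, flow in TEST_FLOWS.items()}


if __name__ == "__main__":
    model = HypersphereDescriptor.fit(NORMAL_FLOWS)
    for name, flow in TEST_FLOWS.items():
        print(f"{name:16s} score={model.score(flow):5.2f} -> {model.classify(flow)}")
```

Two things worth noticing when running it. First, nu is the knob that sets the stage-one false-positive budget: with twelve training flows and nu = 0.1, exactly one normal flow is left outside the sphere, and every flow that is very short, very packet-heavy or very byte-heavy is pushed far outside it. Second, the mimic_beacon flow passes as normal: a boundary method only catches flows that leave the envelope of normal traffic, so attacks shaped like ordinary sessions have to be handled by the later stages of the pipeline, not by this filter.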
Language: English
Pages: 70-86
Journal: Baltic Journal of Modern Computing
Volume: 5
Issue number: 1
DOI: 10.22364/bjmc.2017.5.1.05
Publication status: Published - 23 Mar 2017

Keywords

  • Intrusion detection
  • IP flows
  • One-class classification

Cite this

@article{eedc78fc297443a98bc0f3533229eb06,
title = "Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection",
abstract = "Flow-based intrusion detection systems analyze IP flow records to detect attacks against computer networks. IP flow records contain aggregated packet header information; therefore, the amount of data processed by the intrusion detection system is reduced. In addition, since no payload is analyzed, end-to-end encryption does not affect the deployment of an intermediate intrusion detection system. In this paper, we evaluate one-class classification techniques for detection of malicious flows at the initial stage of a multi-stage flow-based intrusion detection system. The initial stage uses minimal flow attributes and only decides whether an IP flow is normal or malicious. Since there is only one class of interest (malicious) at the initial stage, we use one-class classification for detection of malicious flows. We review available one-class classification techniques and evaluate them on a flow-based dataset to determine their performance for detection of malicious flows. Our results show that one-class classification techniques using boundary methods give the best results in detection of malicious IP flows.",
keywords = "Intrusion detection, IP flows, One-class classification",
author = "{Muhammad Fahad}, UMER and SHER Muhammad and Yaxin Bi",
year = "2017",
month = "3",
day = "23",
doi = "10.22364/bjmc.2017.5.1.05",
language = "English",
volume = "5",
pages = "70--86",
journal = "Baltic Journal of Modern Computing",
issn = "2255-8942",
number = "1",

}

Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection. / Muhammad Fahad, UMER; Muhammad, SHER; Bi, Yaxin.

In: Baltic Journal of Modern Computing, Vol. 5, No. 1, 23.03.2017, p. 70-86.

TY - JOUR

T1 - Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

AU - Muhammad Fahad, UMER

AU - Muhammad, SHER

AU - Bi, Yaxin

PY - 2017/3/23

Y1 - 2017/3/23

N2 - Flow-based intrusion detection systems analyze IP flow records to detect attacks against computer networks. IP flow records contain aggregated packet header information; therefore, the amount of data processed by the intrusion detection system is reduced. In addition, since no payload is analyzed, end-to-end encryption does not affect the deployment of an intermediate intrusion detection system. In this paper, we evaluate one-class classification techniques for detection of malicious flows at the initial stage of a multi-stage flow-based intrusion detection system. The initial stage uses minimal flow attributes and only decides whether an IP flow is normal or malicious. Since there is only one class of interest (malicious) at the initial stage, we use one-class classification for detection of malicious flows. We review available one-class classification techniques and evaluate them on a flow-based dataset to determine their performance for detection of malicious flows. Our results show that one-class classification techniques using boundary methods give the best results in detection of malicious IP flows.

AB - Flow-based intrusion detection systems analyze IP flow records to detect attacks against computer networks. IP flow records contain aggregated packet header information; therefore, the amount of data processed by the intrusion detection system is reduced. In addition, since no payload is analyzed, end-to-end encryption does not affect the deployment of an intermediate intrusion detection system. In this paper, we evaluate one-class classification techniques for detection of malicious flows at the initial stage of a multi-stage flow-based intrusion detection system. The initial stage uses minimal flow attributes and only decides whether an IP flow is normal or malicious. Since there is only one class of interest (malicious) at the initial stage, we use one-class classification for detection of malicious flows. We review available one-class classification techniques and evaluate them on a flow-based dataset to determine their performance for detection of malicious flows. Our results show that one-class classification techniques using boundary methods give the best results in detection of malicious IP flows.

KW - Intrusion detection

KW - IP flows

KW - One-class classification

U2 - 10.22364/bjmc.2017.5.1.05

DO - 10.22364/bjmc.2017.5.1.05

M3 - Article

VL - 5

SP - 70

EP - 86

JO - Baltic Journal of Modern Computing

T2 - Baltic Journal of Modern Computing

JF - Baltic Journal of Modern Computing

SN - 2255-8942

IS - 1

ER -