Online Anomaly Analysis And Self Protection Against Network Attacks
Keywords: Electrical & Computer Engineering
Committee Chair: Hariri, Salim
Publisher: The University of Arizona.
Rights: Copyright © is held by the author. Digital access to this material is made possible by the University Libraries, University of Arizona. Further transmission, reproduction or presentation (such as public display or performance) of protected items is prohibited except with permission of the author.
Abstract: The objective of this research is to develop a theoretical framework and a general methodology for anomaly analysis and protection against network attacks that achieves (a) online monitoring and analysis of network attacks; (b) automatic identification of critical vulnerable resources; and (c) proactive self-protection of network systems and their applications against a wide range of network attacks.

The proposed methodology uses a unified framework to deploy online monitoring and analysis software modules that collect online measurement attributes and analyze the abnormal behavior of networks and their services. In addition, it evaluates the impact of attacks on individual components on the overall operation of network systems and their services. This analysis also helps us determine the most critical components in the network, those whose compromise can lead to a massive network outage or performance degradation.

Based on information theory, we evaluate all network measurement attributes at each protocol level to identify the features that can be measured efficiently in real time and used to detect abnormal behavior. A single feature (measurement attribute) is not sufficient to detect network attacks accurately. To remedy this problem, we developed an efficient genetic algorithm that computes a linear classification function over several features with different weights. We validated our approach on the DARPA KDD99 benchmark dataset; the results showed higher accuracy in detecting DoS and Probe attacks and a significant improvement in the detection rates for the most difficult-to-detect attacks (e.g., U2R and R2L). For example, for DoS and Probe attacks, we achieved 99.93% and 99.91% detection rates, respectively, with a false alarm rate of 1.55%. For U2R and R2L attacks, our approach achieves a 92.5% detection rate with a false alarm rate of 0.7587%, and a 92.47% detection rate with a false alarm rate of 8.35%, respectively.

A Quality of Protection (QoP) based routing protocol is developed to automatically adjust network traffic priorities according to the feedback of the anomaly metrics. QoP can be integrated with any existing Quality of Service (QoS) protocol, giving high priority to normal traffic and low priority to abnormal traffic in order to minimize the impact of network attacks on the various network services.
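The weighted linear classification function and the genetic algorithm that tunes its weights, sketched as an added example that is not the dissertation's code: the KDD99-style connection records, the four features, the alarm threshold and the fitness (detection rate minus false alarm rate) are all constructed assumptions, not values from the thesis.

```python
import random

# Constructed, KDD99-style connection records (not from the dataset). Each row is
# (normalised features, label) with label 1 = attack, 0 = normal. Features:
# connections to the same host, SYN-error rate, same-service fraction, failed logins.
FEATURES = ("count", "serror_rate", "same_srv_rate", "num_failed_logins")
SAMPLES = [
    ((0.95, 0.90, 0.10, 0.0), 1),  # SYN-flood style DoS
    ((0.90, 0.85, 0.15, 0.0), 1),
    ((0.70, 0.05, 0.05, 0.0), 1),  # probe: many connections, few repeat services
    ((0.65, 0.10, 0.08, 0.0), 1),
    ((0.05, 0.00, 0.90, 0.8), 1),  # R2L: repeated failed logins on one service
    ((0.10, 0.02, 0.95, 0.0), 0),  # normal sessions
    ((0.15, 0.00, 0.90, 0.0), 0),
    ((0.20, 0.05, 0.85, 0.1), 0),
    ((0.12, 0.00, 0.92, 0.0), 0),
    ((0.08, 0.01, 0.97, 0.0), 0),
]

def classify(weights, x, threshold=0.5):
    """Linear classification function: raise an alarm when the weighted sum crosses the threshold."""
    return sum(w * f for w, f in zip(weights, x)) > threshold

def evaluate(weights, samples=SAMPLES):
    """Return (detection rate, false alarm rate) of a weight vector over the samples."""
    attacks = [x for x, y in samples if y == 1]
    normals = [x for x, y in samples if y == 0]
    detection = sum(classify(weights, x) for x in attacks) / len(attacks)
    false_alarm = sum(classify(weights, x) for x in normals) / len(normals)
    return detection, false_alarm

def fitness(weights):
    detection, false_alarm = evaluate(weights)
    return detection - false_alarm  # reward detections, penalise false alarms (assumed fitness)

def evolve(pop_size=30, generations=60, mutation=0.2, seed=1):
    """Elitist GA over weight vectors; the equal-weight classifier is seeded into generation 0."""
    rng = random.Random(seed)
    n = len(FEATURES)
    pop = [[1.0 / n] * n] + [[rng.uniform(-1, 1) for _ in range(n)] for _ in range(pop_size - 1)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        elite = pop[: pop_size // 5]  # best fifth survives unchanged, so fitness never regresses
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            cut = rng.randrange(1, n)
            child = a[:cut] + b[cut:]  # one-point crossover of the weight vectors
            if rng.random() < mutation:
                child[rng.randrange(n)] += rng.gauss(0, 0.3)  # perturb one weight
            children.append(child)
        pop = elite + children
    return max(pop, key=fitness)
```

Because the best candidate is carried over unchanged each generation, the evolved weights are never worse than the equal-weight seed, and on this constructed set a perfect separator (negative weight on same-service fraction, positive on count and failed logins) exists for the GA to find.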
Degree Program: Electrical & Computer Engineering