You are here: Home Contents V11 N1 V11N1_Kim.html
Personal tools

Network Paylod Anomaly Detection Using Layered Statistical Dispersion



Full text

Journal of Information System Security
Volume 11, Number 1 (2015)
Pages 2957
ISSN 1551-0123
Sun-il Kim — University of Alabama in Huntsville, USA
Nnamdi Nwanze — iDEA Hub, Nigeria
William Edmonds — University of Alabama in Huntsville, USA
Information Institute Publishing, Washington DC, USA




In this paper, we present a network intrusion detection scheme that relies on simple statistical spread calculation over the different byte-values in the packet payloads to detect anomalies. As is typical for anomaly-based intrusion detection, normal traffic is required for training the system, however our solution tolerates the use of training traffic that may not be completely free of anomalies or attacks. Our results show that high per-packet detection rates and low false positive rates can be maintained, even when the system is trained with contaminated traffic. We also present performance studies of both the training and detection stages. We first illustrate that training can be done with a small subset of the byte values, which may result in computation and storage benefits in embedded platforms. We then present a cost-efficient, parallel implementation, using graphics processing units (GPU) for training and tuning the intrusion detection system. Finally, we discuss the latency and throughput results from both an embedded implementation and a desktop/server implementation.




Network Intrusion Detection Scheme, Per-packet Detection Rates, Graphics Processing Units, Firewalls




Bouzida, Y., Cuppens, F., Cuppens-Boulahia, N., & Gombault, S. (n.d.). Efficient intrusion detection using principal component analysis. (3me Confrence sur la Securit et Architectures Reseaux (SAR2004), La Londe, France, June, 2004)

Cheema, F. M., Akram, A., & Iqbal, Z. (2009). Comparative evaluation of header vs. payload based network anomaly detectors. World Congress on Engineering, 1.

Eskin, E., Arnold, A., Prerau, M., Portnor, L., & Stolfo, S. (n.d.). A geometric framework for unsupervised anomaly detection: Detecting intrusions in unlabeled data. In Data mining for security app., Kluwer, 2002.

Fan, W. K. G. (2012, July). An adaptive anomaly detection of web-based attacks. In Computer science education (ICCSE), 2012 7th international conference on (p. 690-694). doi: 10.1109/ICCSE.2012.6295168

Hansen, L. K., Larsen, J., rup Nielsen, F., Nielsen, A., Strother, S. C., Rostrup, E. Paulson, O. B. (1999). Generalizable patterns in neuroimaging: How many principal components? NeuroImage, 9, 534–544.

Ippoliti, D., & Zhou, X. (2012). A self-tuning self-optimizing approach for automated network anomaly detection systems. In Proceedings of the 9th international conference on autonomic computing.

Jolliffe, I. T. (1986). Principal Component Analysis. New York: Springer.

Krügel, C., Toth, T., & Kirda, E. (n.d.). Service specific anomaly detection for network intrusion detection. In Proceedings of the 2002 ACM symposium on applied computing (pp. 201–208).

Labib, K., & Vemuri, V. (2006). An application of principal component analysis to the detection and visualization of computer network attacks. Annales Des Tlcommunications, 61 (1-2), 218-234.

Maggi, F., Robertson, W., Kruegel, C., & Vigna, G. (2009). Protecting a moving target: Addressing web application concept drift. In Proceedings of the 12th international symposium on recent advances in intrusion detection (pp. 21–40).

Mahoney, M. V. (n.d.). Network traffic anomaly detection based on packet bytes. In Proceedings of the 2003 ACM symposium on applied computing (pp. 346–350).

Mazel, J., Casas, P., Labit, Y., & Owezarski, P. (2011). Sub-space clustering, inter-clustering results association & anomaly correlation for unsupervised network anomaly detection. In Proceedings of the 7th international conference on network and services management.

Nwanze, N., & Summerville, D. (n.d.). Detection of anomalous network packets using lightweight stateless payload inspection. (IEEE LCN Workshop on Network Security (WNS) 2008.)

Onuta, I., & Ghorbani, A. (n.d.). Svision: A novel visual network-anomaly identification technique. (Computers and Security, vol. 26, Issue 3, pp 201-212, May 2007.)

Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., & Lee, W. (2009, April). Mcpad: A multiple classifier system for accurate payload-based anomaly detection. Comput. Netw., 53 (6), 864–881.

Rache, G., Walls, T. A., Magis, D., Riopel, M., & Blais, J.-G. (2013). Non-graphical solutions for cattells scree test. European Journal of Research Methods for the Behavioral and Social Sciences, 9(1), 23–29.

Richardson, R. (2011). (2010/2011 CSI Computer Crime and Security Survey, Computer Security Institute).

Roesch, M. (1999). Snort - lightweight intrusion detection for networks. In Proceedings of the 13th USENIX conference on system administration.

Song, Y., Locasto, M. E., Stavrou, A., Keromytis, A. D., & Stolfo, S. J. (2007). On the infeasibility of modeling polymorphic shellcode. In Proceedings of the 14th ACM conference on computer and communications security (pp. 541–551).

Suricata. (2015). (

Taylor, C., & Alves-Foss, J. (2001). Nate: Network analysis of anomalous traffic events, a low-cost approach. In Proceedings of the 2001 ACN workshop on new security paradigms (pp. 89–96).

Wang, K., Parekh, J. J., & Stolfo, S. J. (2006). Anagram: A content anomaly detector resistant to mimicry attack. In Proceedings of the 9th international symposium on recent advances in intrusion detection (raid) (pp. 226–248).

Wang, K., & Stolfo, S. (2004). Anomalous payload-based network intrusion detection. In Recent advances in intrusion detection (Vol. 3224, p. 203-222).

Wu, W., DeMar, P., Holmgren, D., & Singh, A. (2011). G-netmon: A GPU-accelerated network performance monitoring system. In Proceedings of the 2011 symposium on application accelerators in high-performance computing (pp. 76–79).

Zolotukhin, M., Hamalainen, T., Kokkonen, T., & Siltanen, J. (2014, Aug). Analysis of http requests for anomaly detection of web attacks. In Dependable, autonomic and secure computing (dasc), 2014 IEEE 12th international conference on (p. 406-411). doi: 10.1109/DASC.2014.79.