Abstract

The growth in network traffic and the increasing adoption of end-to-end encryption of network packets are two major factors threatening the potency, or even the relevance, of packet-based intrusion detection techniques. End-to-end encryption also makes it nearly impossible for network- and host-based intrusion detection systems to analyze traffic for potential threats and intrusions; hence the need for an alternative approach. Flow-based intrusion detection has been proposed as an alternative to packet-based intrusion detection, as it relies on information embedded in the packet header and on various statistical analyses of network flows to detect intrusions. This paper proposes a packet header information abstraction model for intrusion detection on the UNSW-NB15 intrusion dataset. Four existing classification algorithms, namely Classification and Regression Tree (CART), Naïve Bayes (NB), K-Nearest Neighbour (KNN), and Support Vector Machine (SVM), are used to evaluate the degree of representativeness of the proposed model using the accuracy, sensitivity and specificity evaluation metrics. An average accuracy of 97.95% was recorded across the four models, with a minimum accuracy of 97.76 on SVM and a best accuracy of 98.05% on CART, while a sensitivity of 1.0 on both CART and NB shows that the model performs well in correctly identifying attacks in the network. The average specificity of 0.98 is also an indication of a low false positive rate. The results obtained show that the proposed abstraction model achieves high accuracy, sensitivity and specificity. The model can be used as a filter on a high-speed network, whereby packets flagged as an attack can be subjected to further analysis.

Keywords: Data Abstraction, Data Mining, Flow-based, Intrusion detection, Network Security
