Title: The application of a low pass filter in anomaly network intrusion detection
Authors: Jun Li, C. Manikopoulos
DOI: 10.1109/IAW.2004.1437826 (https://doi.org/10.1109/IAW.2004.1437826)
Published in: Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004
Publication date: 2004-06-10
Publication type: Journal Article
Platform: Semanticscholar
Citations: 0
Abstract
A common method of identifying attacks with an anomaly network intrusion detection system (NIDS) is to detect significant deviations in network traffic compared to normal conditions. Such changes may include unexpectedly high traffic volume caused by, for example, a denial of service (DoS) attack. However, recent research on traffic engineering has demonstrated that modern data network traffic exhibits high burstiness over a wide range of observation window sizes, i.e., self-similarity (V. Paxson et al., 1995; W.E. Leland et al., 1994). Self-similar traffic may challenge a traditional anomaly NIDS by making it unable to distinguish attacks from traffic bursts. In this paper, we investigate the use of low pass filters in an anomaly NIDS to smooth the burstiness in network traffic measurements and thus reduce false alarms. We studied the MWA filter and the Savitzky-Golay filter. By analyzing the resulting network traffic measurements, we found that the MWA filter significantly changed the statistical properties of the network traffic measurements, while the Savitzky-Golay filter altered them only moderately. To investigate the effectiveness of a low pass filter on an anomaly NIDS, we applied the low pass filters to our own anomaly NIDS, the MIB anomaly intrusion detection (MAID) system. With these filters employed in MAID, we observed that the Savitzky-Golay filter outperforms the MWA filter. The results of the performance evaluation also demonstrated that a low pass filter can significantly enhance the detection capacity of MAID by reducing its false alarm rate.