2017 | Book

Network Traffic Anomaly Detection and Prevention

Concepts, Techniques, and Tools

Authors: Monowar H. Bhuyan, Prof. Dhruba K. Bhattacharyya, Prof. Jugal K. Kalita

Publisher: Springer International Publishing

Book Series: Computer Communications and Networks

About this book

This text/reference presents a comprehensive overview of the detection and prevention of anomalies in computer network traffic, from the fundamental theoretical concepts to an in-depth analysis of systems and methods. Readers will find practical guidance on how to design an intrusion detection technique and incorporate it into a system, as well as on how to analyze and correlate alerts without prior information.

Topics and features:
- introduces the essentials of traffic management in high-speed networks, detailing types of anomalies, network vulnerabilities, and a taxonomy of network attacks;
- describes a systematic approach to generating large network intrusion datasets, and reviews existing synthetic, benchmark, and real-life datasets;
- provides a detailed study of network anomaly detection techniques and systems under six categories: statistical, classification, knowledge-based, cluster and outlier detection, soft computing, and combination learners;
- examines alert management and anomaly prevention techniques, including alert preprocessing, alert correlation, and alert post-processing;
- presents a hands-on approach to developing network traffic monitoring and analysis tools, together with a survey of existing tools;
- discusses evaluation criteria and metrics, covering accuracy, performance, completeness, timeliness, reliability, and quality;
- reviews open issues and challenges in network traffic anomaly detection and prevention.

This work is intended for graduate and advanced undergraduate students interested in network security and privacy, intrusion detection systems, and data mining in security. Researchers and practitioners specializing in network security will also find the book a useful reference.

Table of Contents

Frontmatter
Chapter 1. Introduction
Abstract
With advances in network technologies, the variety and volume of Internet services provided by commercial, nonprofit, or governmental organizations undergo constant growth, causing a commensurate and often explosive expansion in network traffic.
Monowar H. Bhuyan, Dhruba K. Bhattacharyya, Jugal K. Kalita
Chapter 2. Networks and Network Traffic Anomalies
Abstract
Before discussing the actual detection and prevention of network traffic anomalies, we must introduce fundamental concepts of networks, network traffic, and traffic measurement. This chapter therefore comprises two parts. The first part discusses network components, topologies, and layered architectures, followed by the protocols used, metrics to quantify network performance, and ideas in network traffic management. It also introduces how normal and attack traffic are represented. The second part discusses network anomalies, their causes and sources, followed by a taxonomy of network attacks, a note on precursors to network anomalies, and other aspects of network traffic anomalies.
Monowar H. Bhuyan, Dhruba K. Bhattacharyya, Jugal K. Kalita
Chapter 3. A Systematic Hands-On Approach to Generate Real-Life Intrusion Datasets
Abstract
To evaluate a network anomaly detection or prevention technique, it is essential to test it on benchmark network traffic datasets. This chapter provides a systematic hands-on approach to generating real-life intrusion datasets. It is organized in three major sections. Section 3.1 provides the basic concepts. Section 3.2 introduces several benchmark and real-life datasets. Finally, Sect. 3.3 provides a systematic approach to generating unbiased real-life intrusion datasets. We establish the importance of intrusion datasets in the development and validation of a detection mechanism or system, identify a set of requirements for effective dataset generation, and discuss several attack scenarios.
Monowar H. Bhuyan, Dhruba K. Bhattacharyya, Jugal K. Kalita
Chapter 4. Network Traffic Anomaly Detection Techniques and Systems
Abstract
To develop a network traffic anomaly detection technique and system, it is necessary to know the basic properties of network-wide traffic. This chapter starts with a discussion of those properties, illustrated with an example. It is then organized into six major sections describing different categories of network anomaly detection techniques and systems: statistical, classification-based, clustering- and outlier-based, soft computing-based, knowledge-based, and those based on combination learners. Finally, it presents the strengths and weaknesses of each category with a detailed comparison.
Monowar H. Bhuyan, Dhruba K. Bhattacharyya, Jugal K. Kalita
Chapter 5. Alert Management and Anomaly Prevention Techniques
Abstract
As an ANIDS (anomaly-based network intrusion detection system) or IDS (intrusion detection system) monitors network-wide traffic, it generates warning messages (alerts) that indicate attack, suspicious, or legitimate events. Because IDSs are widely deployed, they may generate an overwhelming number of alerts, with true alerts mixed with false ones. Managing such alerts is therefore necessary to get to the origin of an attack so that countermeasures can be taken as early as possible. This chapter focuses on alert management and network anomaly prevention techniques. Alert management contains several components, viz., alert clustering, alert merging, alert frequency, alert link, alert association, intention recognition, and alert correlation. Network traffic anomaly prevention techniques, in turn, cover the basic concepts of ANIPS (anomaly-based network intrusion prevention system), attack coverage, features of ANIPS, and selection of the right ANIPS for deployment. Finally, the chapter presents the pros and cons of both alert management and anomaly-based network intrusion prevention techniques.
Monowar H. Bhuyan, Dhruba K. Bhattacharyya, Jugal K. Kalita
Chapter 6. Practical Tools for Attackers and Defenders
Abstract
A tool is usually developed for a specific purpose with respect to a specific task. For example, nmap is a security scanning tool for discovering hosts and open network services. Network security tools give both network attackers and network defenders a means to identify vulnerabilities and open network services. This chapter is composed of three major parts, discussing practical tools for both network attackers and defenders. In the first part, we discuss tools an attacker may use to launch an attack in a real-time environment. In the second part, tools for network defenders to protect enterprise networks are covered; such tools are used by defenders to minimize occurrences of attack precursors. In the last part, we discuss an approach to developing a real-time network traffic monitoring and analysis tool. We include code for launching attacks, sniffing traffic, and visualizing it so that attacks can be distinguished. The developed tool can detect attacks and mitigate them in real time within a short time interval. Network attackers intentionally try to identify loopholes and open services, and to gather related information, in order to launch a successful attack.
Monowar H. Bhuyan, Dhruba K. Bhattacharyya, Jugal K. Kalita
Chapter 7. Evaluation Criteria
Abstract
Performance evaluation is a major part of any network traffic anomaly detection technique or system. Without proper evaluation, it is difficult to make the case that a detection mechanism can be deployed in a real-time environment. An evaluation of a method or system in terms of accuracy or quality provides a snapshot of its performance at a point in time. As time passes, new vulnerabilities may emerge and current evaluations may become irrelevant. The evaluation of an intrusion detection system (IDS) involves activities such as collecting attack traces, constructing a proper IDS evaluation environment, and adopting sound evaluation methodologies. In this chapter, we introduce commonly used performance measures for IDS evaluation. The main measures include accuracy, performance, completeness, timeliness, reliability, quality, and the area under the ROC curve (AUC). These measures help identify the advantages and disadvantages of different detection methods or systems.
Monowar H. Bhuyan, Dhruba K. Bhattacharyya, Jugal K. Kalita
Chapter 8. Open Issues, Challenges, and Conclusion
Abstract
It is hoped that this book increases the reader's awareness of threats that have emerged recently, and of the techniques, systems, and tools for detecting them. Antivirus or other defense software can detect threats only if it understands how attackers gain entry to a system and what tools they use to compromise a network or system. This chapter focuses on the open issues and challenges faced by the ANIDS research community.
Monowar H. Bhuyan, Dhruba K. Bhattacharyya, Jugal K. Kalita
Backmatter
Metadata
Title
Network Traffic Anomaly Detection and Prevention
Authors
Monowar H. Bhuyan
Prof. Dhruba K. Bhattacharyya
Prof. Jugal K. Kalita
Copyright Year
2017
Electronic ISBN
978-3-319-65188-0
Print ISBN
978-3-319-65186-6
DOI
https://doi.org/10.1007/978-3-319-65188-0