Citation
Abdul Wahid, Mohammed N.
(2016)
Anomaly behavior detection using flexible packet filtering and support vector machine algorithms.
Doctoral thesis, Universiti Putra Malaysia.
Abstract
Many present-day network traffic analyzers are able to capture a wide range of traffic types. Their core method is processing and filtering data packets with different kinds of packet filtering on the network system and, more specifically, capturing and filtering the packets transmitted over high-speed communication links for error detection, attacker detection and signal integrity analysis. Many anomaly detection experiments have been conducted to investigate the performance of network traffic filtering methods that analyze bandwidth, speed, errors and attackers. These experiments are performed and examined under different network environments, such as the methods in Traffic Analysis and Monitoring (TAaM) and Entropy and Support Vector Machine (EaSVM). Both methods used the DARPA 98-99 dataset and Lincoln Labs data. However, these methods are limited to analyzing the entire traffic as one entity, which makes them unable to quantify network anomalies. Furthermore, network traffic prediction algorithms based on SVM, such as EaSVM, have noted fundamental difficulties in arriving at an accurate definition of an anomaly, which is supposed to solve the problem of a high false-positive alarm rate, and in finding reliable ways to clear up the pending issues of network traffic normality, such as the alluvial data noise of the TAaM method.
Filtering traffic and detecting anomalies in real-time environments using a single machine is the motivation behind this research. A unique method that combines Flexible Packet Filtering (FPF) with the Support Vector Machine (SVM) algorithm is proposed to classify the behavior of network traffic. The methodology uses the maximum-margin property of the SVM algorithm to alert on the presence of an attack, while the proposed flexible packet filtering, a combination of static and dynamic packet filtering, is the method followed to filter network traffic based on anomalous behavior. The User Profile Filter (UPF) was proposed to aid the SVM algorithm in classifying the captured traffic into normal and abnormal behavior. The Network Traffic Analysis tool allows users to monitor and view the details of network traffic. Both the proposed FPFaSVM method and TAaM depend on the network traffic analyzer to capture and analyze network traffic, and both propose a special technique that detects anomalies while monitoring network traffic, using the DARPA 99 dataset and real environments. Entropy and SVM (EaSVM) relies on the DARPA 99 dataset to analyze the captured traffic for anomalies, and uses SVM to classify the entropy values of the data traffic into normal and abnormal behavior for more accurate results. FPF with SVM merges the analyzed results of flexible packet filtering with the support vector machine algorithm to obtain better classification of the captured network traffic and to detect anomalies. The proposed packet filtering (FPF) isolates the captured traffic by its source using the Traffic Source Separation (TSS) strategy; during the separation operation, the traffic signature is examined against the signatures stored in the system database using Traffic Signature Matching (TSM).
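The TSS/TSM/SVM pipeline sketched above, as an added Python illustration that is not the thesis's code: the packets are constructed records with assumed src, dport and payload fields, the signature database and user-profile training set are assumed, and a plain hinge-loss subgradient trainer for a linear (kernel-free) max-margin classifier stands in for the thesis's SVM.

```python
from collections import defaultdict

# Constructed packets standing in for captured traffic (not thesis data): one
# browsing client and one source sweeping 40 ports, a few probes carrying a scanner banner.
PACKETS = [{"src": "10.0.0.5", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
           {"src": "10.0.0.5", "dport": 443, "payload": "GET /app HTTP/1.1"}]
PACKETS += [{"src": "10.0.0.7", "dport": p, "payload": "Nmap Scripting Engine" if p % 10 == 0 else ""}
            for p in range(20, 60)]
# Assumed signature database consulted by Traffic Signature Matching (TSM).
SIGNATURES = {"scanner_banner": "Nmap Scripting Engine"}
# Assumed User Profile Filter (UPF) training set: normalised feature vectors, +1 = abnormal, -1 = normal.
PROFILES = [([0.04, 0.04, 0.0], -1), ([0.10, 0.06, 0.0], -1), ([0.02, 0.02, 0.0], -1),
            ([0.80, 0.80, 0.10], 1), ([0.60, 0.50, 0.30], 1), ([0.90, 0.90, 0.0], 1)]

def traffic_source_separation(packets):
    """TSS: group the captured packets by their source address."""
    groups = defaultdict(list)
    for pkt in packets:
        groups[pkt["src"]].append(pkt)
    return dict(groups)

def signature_hits(packets):
    """TSM: number of packets whose payload contains a stored signature."""
    return sum(any(s in p["payload"] for s in SIGNATURES.values()) for p in packets)

def features(packets, scale=50.0):
    """Per-source vector: packets/scale, distinct ports/scale, fraction of signature hits."""
    return [min(len(packets), scale) / scale,
            len({p["dport"] for p in packets}) / scale,
            signature_hits(packets) / len(packets)]

def train_linear_svm(data, eta=0.5, epochs=200):
    """Hinge-loss subgradient training of a linear max-margin classifier (no kernel)."""
    w, b = [0.0] * len(data[0][0]), 0.0
    for _ in range(epochs):
        for x, y in data:
            if y * (sum(wi * xi for wi, xi in zip(w, x)) + b) < 1:  # inside the margin
                w = [wi + eta * y * xi for wi, xi in zip(w, x)]
                b += eta * y
    return w, b

def classify_sources(packets, model):
    """Run TSS, TSM and the classifier; return {src: "abnormal" | "normal"}."""
    w, b = model
    verdict = {}
    for src, pkts in traffic_source_separation(packets).items():
        score = sum(wi * xi for wi, xi in zip(w, features(pkts))) + b
        verdict[src] = "abnormal" if score > 0 else "normal"
    return verdict

if __name__ == "__main__":
    print(classify_sources(PACKETS, train_linear_svm(PROFILES)))
```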
The experimental results show that by using a User Profile Filter (UPF) based on SVM and examining the traffic signature, the total error received from the traffic classifier is reduced to 0.5%, and the traffic capturing speed is increased by 10%, as is the total bandwidth captured per minute, in comparison with TAaM and EaSVM.