A New Network Anomaly Detection Technique Based on Per-Flow and Per-Service Statistics

  • Yuji Waizumi
  • Daisuke Kudo
  • Nei Kato
  • Yoshiaki Nemoto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3802)


In the present network security management, improvements in the performances of Intrusion Detection Systems(IDSs) are strongly desired. In this paper, we propose a network anomaly detection technique which can learn a state of network traffic based on per-flow and per-service statistics. These statistics consist of service request frequency, characteristics of a flow and code histogram of payloads. In this technique, we achieve an effective definition of the network state by observing the network traffic according to service. Moreover, we conduct a set of experiments to evaluate the performance of the proposed scheme and compare with those of other techniques.


Intrusion Detection Anomaly Detection Intrusion Detection System Anomaly Score Network Intrusion Detection System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, D., Lunt, T.F., Javits, H., Tamaru, A., Valdes, A.: Detecting unusual program behavior using the statistical component of the Nextgeneration Intrusion Detection Expert System(NIDES). Computer Science Laboratory SRI-CSL 95-06 ( May 1995)Google Scholar
  2. 2.
  3. 3.
  4. 4.
    DARPA off-line intrusion detection evaluation test set (1999),
  5. 5.
    Mahoney, M.V., Chan, P.K.: Detecting Novel Attacks by Identifying AnomalousNetwork Packet Headers. Florida Institute of Technology Technical Report CS-2001-2 (2001)Google Scholar
  6. 6.
    Mahoney, M.: Network Traffic Anomaly Detection Based on Packet Bytes. Proc. ACM-SAC, 346–350 (2003)Google Scholar
  7. 7.
    Mahoney, M.V., Chan, P.K.: Learning Nonstationary Models of Normal Network Traffic for Detarcting Novel Attacks. In: SIGKDD 2002, Edmonton, Alberta, Canada, July 23-26 (2002)Google Scholar
  8. 8.
    Neumann, P., Porras, P.: Experience with EMERALD to DATE. In: Proceedings 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, April 1999, pp. 73–80 (1999),
  9. 9.
    Vigna, G., Eckmann, S.T., Kemmerer, R.A.: The STAT Tool Suite. In: Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX). IEEE Press, Los Alamitos (2000)Google Scholar
  10. 10.
    Sekar, R., Uppuluri, P.: Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications. In: Proceedings 8th Usenix Security Symposium, Washington, D.C. (Augest 1999),
  11. 11.
    Jajodia, S., Barbara, D., Speegle, B., Wu, N.: Audit Data Analysis and Mining (ADAM) (April 2000), Project described in,
  12. 12.
    Tyson, M., Berry, P., Williams, N., Moran, D., Blei, D.: DERBI: Diagnosis, Explanation and Recovery from computer Break-Ins (April 2000), project described in,

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Yuji Waizumi
    • 1
  • Daisuke Kudo
    • 2
  • Nei Kato
    • 1
  • Yoshiaki Nemoto
    • 1
  1. 1.Graduate School of Information Sciences(GSIS)Tohoku UniversitySendai, MiyagiJapan

Personalised recommendations