Due to the widespread proliferation of computer networks, attacks on computer systems are increasing day by day. Preventive measures can stop these attacks to some extent, but for various reasons they are not very effective on their own. This has led to the development of intrusion detection as a second line of defense. Intrusion detection systems try to identify attacks or intrusions by analyzing network data (network-based systems) or operating system and application logs (host-based systems), possibly in real time. These systems either search the data for patterns of well-known attacks (misuse detection) or try to find abnormalities in the data by first constructing the normal profile of the system under observation and then detecting deviations from this profile (anomaly detection). Anomaly detection is important because misuse detection techniques are unable to detect unknown attacks.
In this thesis, we describe the design and implementation of an anomaly detection scheme for Sachet, a distributed, real-time, network-based intrusion detection system developed by us. In this scheme, the normal profile is constructed using learning techniques and stream handling techniques, from features extracted for each connection in the network traffic. Stream handling techniques are employed because the problem of constructing a normal profile from feature vectors falls in the data stream class of problems. Several learning and stream handling techniques were tested on a benchmark data set, and the best-performing techniques were implemented in Sachet. The final system was tested on a benchmark dataset containing over 58 types of attacks.
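As an added illustration of the profile-then-deviate approach described above (this is not Sachet's code or the thesis's method): a single-pass streaming profile of per-connection features built with Welford's running mean and variance, with deviation measured as the largest per-feature z-score. The feature names, the threshold and the sample connections are constructed assumptions.

```python
"""Streaming normal-profile construction and deviation scoring over
per-connection feature vectors (added illustration, not Sachet's code)."""
import math

# Assumed per-connection features (constructed for this example).
FEATURES = ("duration_s", "bytes_sent", "bytes_recv", "packets")

class StreamProfile:
    """Per-feature running mean/variance (Welford's online algorithm).
    Each feature vector is folded in once and then discarded, so the
    profile is built in one pass over an unbounded stream."""
    def __init__(self):
        self.n = 0
        self.mean = {f: 0.0 for f in FEATURES}
        self.m2 = {f: 0.0 for f in FEATURES}   # sum of squared deviations

    def update(self, conn):
        self.n += 1
        for f in FEATURES:
            x = float(conn[f])
            delta = x - self.mean[f]
            self.mean[f] += delta / self.n
            self.m2[f] += delta * (x - self.mean[f])

    def std(self, f):
        # Sample standard deviation; a small floor avoids division by zero.
        if self.n < 2:
            return 1.0
        return max(math.sqrt(self.m2[f] / (self.n - 1)), 1e-9)

    def score(self, conn):
        """Largest absolute z-score across features: how far this
        connection deviates from the learnt normal profile."""
        return max(abs((float(conn[f]) - self.mean[f]) / self.std(f))
                   for f in FEATURES)

def build_profile(stream):
    profile = StreamProfile()
    for conn in stream:
        profile.update(conn)
    return profile

def detect(profile, conns, threshold=4.0):
    """Indices of connections whose deviation exceeds the threshold."""
    return [i for i, c in enumerate(conns) if profile.score(c) > threshold]

# Constructed benign-looking training stream (not real traffic).
NORMAL_STREAM = [{"duration_s": 1.0 + 0.1 * i, "bytes_sent": 500 + 20 * i,
                  "bytes_recv": 4000 + 50 * i, "packets": 12 + i % 3}
                 for i in range(40)]
# Constructed test traffic: one ordinary connection, one long-lived
# high-volume outlier the profile has never seen.
TEST_CONNS = [{"duration_s": 2.5, "bytes_sent": 900, "bytes_recv": 5000, "packets": 13},
              {"duration_s": 600.0, "bytes_sent": 5_000_000, "bytes_recv": 300, "packets": 9000}]
```

Running `detect(build_profile(NORMAL_STREAM), TEST_CONNS)` flags only the second connection; in a real deployment the threshold would be tuned against a benchmark set, as the thesis does for its chosen techniques.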
J V R Murthy can be reached at