DocumentCode :
1937829
Title :
An Architecture for Inline Anomaly Detection
Author :
Krueger, Tammo ; Gehl, Christian ; Rieck, Konrad ; Laskov, Pavel
Author_Institution :
Fraunhofer Inst. FIRST, Berlin
fYear :
2008
fDate :
11-12 Dec. 2008
Firstpage :
11
Lastpage :
18
Abstract :
In this paper we propose an intrusion prevention system (IPS) which operates inline and is capable of detecting unknown attacks using anomaly detection methods. Incorporated in the framework of a packet filter, each incoming packet is analyzed and, according to an internal connection state and a computed anomaly score, either delivered to the production system, redirected to a special hardened system, or logged to a network sink for later analysis. Runtime measurements of an actual implementation show that the performance of the system is sufficient for inline processing. Accuracy measurements on real network data yield improvements especially in the number of false positives, which are reduced by a factor of five compared to a plain anomaly detector.
Keywords :
computer network management; security of data; telecommunication security; inline anomaly detection; intrusion prevention system; packet filter; Computer architecture; Computer networks; Data analysis; Decision making; Event detection; Filters; Intelligent networks; Intrusion detection; Production systems; Protection; anomaly detection; intrusion detection
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Network Defense, 2008. EC2ND 2008. European Conference on
Conference_Location :
Dublin
Print_ISBN :
978-0-7695-3479-4
Type :
conf
DOI :
10.1109/EC2ND.2008.8
Filename :
4721224