Title :
Anomaly detection system based on analysis of packet header and payload histograms
Author :
Hareesh, I. ; Prasanna, S. ; Vijayalakshmi, M. ; Shalinie, S. Mercy
Author_Institution :
Dept. of Comput. Sci. & Eng., Thiagarajar Coll. of Eng., Madurai, India
Abstract :
Nowadays computer networks are very popular, so network attacks are inevitable. As a consequence, any complete security package includes a network Intrusion Detection System (nIDS). This work focuses on nIDSs which work by scanning the network traffic. We have combined classifiers based on packet header information with classifiers based on payload distribution to increase detection rates in non-flood attacks. We have divided packet processing into two parts: header information processing and payload processing. In header information processing we select features from the packet header and create a model of normal behavior with histograms, then find the deviation from the created models and classify the network traffic. In payload processing we create models of normal payload by generating histograms of the payload ASCII distribution, find the deviation from the created models, and classify traffic. Our work differs from previous anomaly-based detection techniques by creating histograms for both network header features and the packet payload, so that our detection system identifies both flooding attacks and non-flooding attacks efficiently.
Keywords :
Internet; computer network security; telecommunication traffic; Internet; anomaly detection system; computer networks; detection rates; flooding attacks; header information processing; nIDS; network attacks; network intrusion detection system; network traffic; nonflood attacks; packet header analysis; payload ASCII distribution; payload histograms; security package; Computational modeling; Feature extraction; Histograms; IP networks; Internet; Intrusion detection; Payloads; Anomaly Detection System; Attacks; histograms;
Conference_Titel :
Recent Trends in Information Technology (ICRTIT), 2011 International Conference on
Conference_Location :
Chennai, Tamil Nadu
Print_ISBN :
978-1-4577-0588-5
DOI :
10.1109/ICRTIT.2011.5972283