• DocumentCode
    3307935
  • Title
    Anomalous packet identification for network intrusion detection
  • Author
    Summervill, Douglas H. ; Nwanze, Nnamdi ; Skormin, Victor A.
  • Author_Institution
    Dept. of Electr. & Comput. Eng., Binghamton Univ., NY, USA
  • fYear
    2004
  • fDate
    10-11 June 2004
  • Firstpage
    60
  • Lastpage
    67
  • Abstract
    A packet-level anomaly detection system for network intrusion detection in high-bandwidth network environments is described. The approach is intended for hardware implementation and could be included in the network interface, switch or firewall. Efficient implementation in software on a network host is also possible. Network traffic is characterized using a novel technique that maps packet-level payloads onto a set of counters using bit-pattern hash functions, which were chosen for their implementation efficiency in both hardware and software. Machine learning is accomplished by mapping unlabelled training data onto a set of two-dimensional grids and forming a set of bitmaps that identify anomalous and normal regions. These bitmaps are used as the classifiers for real-time detection. The proposed method is extremely efficient in both the offline machine learning and real-time detection components and has the potential to provide accurate detection performance due to the ability of the bitmaps to capture nearly arbitrary shaped regions in the feature space. Results of a preliminary study are presented that demonstrate the effectiveness of the technique.
  • Keywords
    computer networks; learning (artificial intelligence); real-time systems; security of data; telecommunication security; anomaly detection system; anomaly packet identification; bit-pattern hash function; firewall; high-bandwidth network; machine learning; network interface; network intrusion detection; network traffic; Computer networks; Counting circuits; Filters; Hardware; Intrusion detection; Machine learning; Monitoring; Sensor phenomena and characterization; Switches; Telecommunication traffic;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC
  • Print_ISBN
    0-7803-8572-1
  • Type
    conf
  • DOI
    10.1109/IAW.2004.1437798
  • Filename
    1437798