DocumentCode :
3475060
Title :
Baseline Profile Stability for Network Anomaly Detection
Author :
Kim, Yoohwan ; Jo, Ju-Yeon ; Suh, Kyunghee Kim
Author_Institution :
Sch. of Comput. Sci., Nevada Las Vegas Univ., NV
fYear :
2006
fDate :
10-12 April 2006
Firstpage :
720
Lastpage :
725
Abstract :
Network attacks are commonplace on the Internet. One of the defense mechanisms against network attacks is to use a baseline profile, established during normal operation, to detect traffic that deviates from that profile. However, this approach works only if there is a stable base profile representing the legitimate network traffic. Although there has been some preliminary research, the details of profiling, such as the profile format, its size and the traffic stability by site or time, have not been widely available. In this study, we analyze actual traffic traces from two Internet traffic archives and verify the traffic stability from various aspects. The analysis shows that there are significant differences in the traffic patterns among different sites. In addition, there are some differences between different times of day or different days, even within a site, suggesting that different profiles are needed for different times. The result of this study can be applied in practice to anomaly-based IDS for determining the stability of the traffic for a particular site, and the number of required traffic profiles based on the traffic patterns.
Keywords :
Internet; computer network management; security of data; telecommunication traffic; Internet traffic archive; Internet traffic pattern; Internet traffic profile format; Internet traffic trace; baseline profile stability; intrusion detection system; legitimate network traffic representation; network anomaly detection; network attack defense mechanism; network traffic stability; stable base profile; Computer crime; Computer science; IP networks; Information filtering; Information filters; Internet; Intrusion detection; Stability; TCPIP; Telecommunication traffic;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Technology: New Generations, 2006. ITNG 2006. Third International Conference on
Conference_Location :
Las Vegas, NV
Print_ISBN :
0-7695-2497-4
Type :
conf
DOI :
10.1109/ITNG.2006.38
Filename :
1611690
Link To Document :