An ARP-based Anomaly Detection Algorithm Using Hidden Markov Model in Enterprise Networks

Author

Yasami, Y. ; Farahmand, M. ; Zargari, V.

Author_Institution

Tamin Co., Tehran

fYear

2007

fDate

25-31 Aug. 2007

Firstpage

69

Lastpage

69

Abstract

Network anomaly detection is an active research area. Behavior recognition of traffic is a process by which the ongoing observed behavior of a host is tracked and compared by a given model. Various methods for behavior recognition exist. But incorporation of Hidden Markov Models (HMM´s) for anomaly detection (ARP anomaly detection, especially) is a novel method. This paper aims at classifying the network ARP traffic as an abnormal or normal using a special HMM. The paper´s main objective is to build a statistical anomaly detection system, a predictive model capable of discrimination between normal and abnormal behavior of network ARP traffic. The proposed method is unique in this aspect that by applying a modified HMM presents a host-based ARP anomaly detection algorithm with very high accuracy. We applied the method in a real campus network and observed a precision of above 90%.

Keywords

business communication; hidden Markov models; telecommunication traffic; ARP; anomaly detection algorithm; enterprise networks; hidden Markov model; statistical anomaly detection system; Access protocols; Backplanes; Complex networks; Detection algorithms; Hidden Markov models; IP networks; Packet switching; Switches; Telecommunication traffic; Traffic control; Address Resolution Protocol (ARP); Anomaly Detection; Hidden Markov Model (HMM).;

fLanguage

English

Publisher

ieee

Conference_Titel

Systems and Networks Communications, 2007. ICSNC 2007. Second International Conference on

Conference_Location

Cap Esterel

Print_ISBN

0-7695-2938-0

Electronic_ISBN

978-0-7695-2938-7

Type

conf

DOI

10.1109/ICSNC.2007.15

Filename

4300041