Anomalies Classification Approach for Network-based Intrusion Detection System

Anomaly based intrusion detection system (A-IDS) is considered to be a better option than signature based system since it does not require prior knowledge of attack signature before it can be used to detect an intrusion. However managing alarms generated by this system is more difficult than signature-based intrusion detection systems (SIDSs). This is due to the fact that S-IDS generates rich information along with the reported alarms whereas AIDS may just identify the connection stream that is detected as malicious. A-IDS raises an alarm every time it detect an activity that deviates from the baseline model of the normal behaviour. Therefore, the cause of the anomaly itself is unknown to the intrusion detection system. This brings in a substantial challenge problem in managing IDS alarms and recognizing false positive from true alarms. Therefore, determining the class of an attack detected by anomaly-based detection systems is a significant task. This paper serves two folds; firstly, it presents a set of network traffic features that deemed to be the most relevant features in identifying wide range of network anomalies. Secondly, the paper presents an A-IDS alarm classifier based on machine learning technologies to automatically classify activities detected by a packet header-based anomaly detection system. Evaluation experiments showed that machine learning algorithms are capable of classifying malicious activities in an effective and efficient means.