Attack Commonalities: Extracting New Features for Network Intrusion Detection  
Author Maryam M. Najafabadi


Co-Author(s) Taghi M. Khoshgoftaar; Charles Wheelus


Abstract In recent years, machine learning methods have started to be used for network intrusion detection. In this paper, we introduce new features for network intrusion detection that can be used in machine learning-based approaches. Our motivation is that while network attacks vary widely, they share some commonalities. Many attacks, by their nature, are repetitive and exhibit behavior different from normal traffic. We examine the commonalities between different attacks to define discriminative features for the detection of attacks. Among these is self-similarity between attack packets, as well as the periodicity and repetition characteristics seen in attack traffic. In this paper we study the common characteristics of two types of attacks, the DNS Amplification attack and the RUDY attack, in order to define our features. We collect NetFlow traffic from a real operational ISP network. We introduce a concept called “session”, derived from NetFlow, which incorporates both sides of a network communication in the definition of a network instance. Features are extracted for each session. We apply the newly defined features to the detection of these two types of attacks using two versions of the decision tree algorithm. Our results suggest that the new features work well for the detection of these attacks in the network.
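As an added illustration (not the paper's code, and not its exact feature definitions), the following builds bidirectional "sessions" from constructed NetFlow-style records and computes repetition, periodicity and direction-balance features of the kind the abstract describes; the session key, the feature formulas and the sample flows are all assumptions made here.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
# Constructed NetFlow-style records (sample data, not the paper's ISP traffic):
# (start_time_s, src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # session A: one endpoint emits identical 1400-byte flows every second
    (0.0, "198.51.100.7", 53, "192.0.2.9", 33001, 17, 1400),
    (1.0, "198.51.100.7", 53, "192.0.2.9", 33001, 17, 1400),
    (2.0, "198.51.100.7", 53, "192.0.2.9", 33001, 17, 1400),
    (3.0, "198.51.100.7", 53, "192.0.2.9", 33001, 17, 1400),
    (0.5, "192.0.2.9", 33001, "198.51.100.7", 53, 17, 60),
    # session B: an ordinary TLS exchange with irregular sizes and timing
    (10.0, "192.0.2.20", 41000, "203.0.113.4", 443, 6, 512),
    (10.3, "203.0.113.4", 443, "192.0.2.20", 41000, 6, 9000),
    (12.7, "192.0.2.20", 41000, "203.0.113.4", 443, 6, 220),
]

def session_key(flow):
    """Map both directions of one conversation to a single key (assumed definition)."""
    _, sip, sport, dip, dport, proto, _ = flow
    a, b = (sip, sport), (dip, dport)
    return (proto,) + (a + b if a <= b else b + a)

def build_sessions(flows):
    """Group NetFlow records into sessions keyed on the unordered endpoint pair."""
    sessions = defaultdict(list)
    for f in flows:
        sessions[session_key(f)].append(f)
    return dict(sessions)

def session_features(flows):
    """Repetition, periodicity and directional-balance features for one session."""
    flows = sorted(flows)
    sizes = [f[6] for f in flows]
    repetition = Counter(sizes).most_common(1)[0][1] / len(sizes)  # share of modal size
    by_dir = defaultdict(list)
    for f in flows:
        by_dir[(f[1], f[2], f[3], f[4])].append(f)
    busiest = max(by_dir.values(), key=len)            # the side that repeats most
    gaps = [b[0] - a[0] for a, b in zip(busiest, busiest[1:])]
    # CV of inter-arrival gaps: 0 = perfectly periodic; <2 gaps = non-periodic (assumption)
    gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else 1.0
    dir_bytes = [sum(f[6] for f in d) for d in by_dir.values()]
    byte_ratio = max(dir_bytes) / sum(dir_bytes)       # 0.5 balanced, 1.0 one-sided
    return {"flows": len(flows), "repetition": round(repetition, 3),
            "gap_cv": round(gap_cv, 3), "byte_ratio": round(byte_ratio, 3)}

def extract_all(flows=FLOWS):
    """Feature vector per session; these would feed the decision tree classifier."""
    return {k: session_features(v) for k, v in build_sessions(flows).items()}
```

Session A comes out with a repetition share of 0.8 and a gap CV of 0, while session B has low repetition and no periodicity, which is the separation a classifier would learn from.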


Keywords Intrusion Detection, Machine Learning, Session Network Data, RUDY, DNS Amplification, Feature Extraction
Article #: 2146
Proceedings of the 21st ISSAT International Conference on Reliability and Quality in Design
August 6-8, 2015 - Philadelphia, Pennsylvania, U.S.A.