Publication | Closed Access
Network traffic anomaly detection based on packet bytes
Citations: 224
References: 13
Year: 2003
Venue: Unknown
Topics: Internet Traffic Analysis, Engineering, Information Security, Network Analysis, Information Forensics, Hostile Network Traffic, Data Science, Data Mining, Packet Bytes, DDoS Detection, Intrusion Detection System, Threat Detection, Computer Science, Traffic Monitoring, Data Security, Benign Traffic, Intrusion Detection, Suspicious Traffic, Network Traffic Measurement
Hostile network traffic is often "different" from benign traffic in ways that can be distinguished without knowing the nature of the attack. We describe a two-stage anomaly detection system for identifying suspicious traffic. First, we filter traffic to pass only the packets of most interest, e.g. the first few packets of incoming server requests. Second, we model the most common protocols (IP, TCP, telnet, FTP, SMTP, HTTP) at the packet byte level to flag events (byte values) that have not been observed for a long time. This simple system detects 132 of 185 attacks in the 1999 DARPA IDS evaluation data set [5] with 100 false alarms, after training on one week of attack-free traffic.