(An) efficient intrusion detection method for large-scale backbone network / A study on an efficient intrusion detection technique for large-scale backbone networks

To ensure network reliability and maintain network performance, anomaly detection that detects abnormal behaviors in network traffic and manages them is needed. However, current network-based IDSs mostly focus on end-to-end behavior and are barely capable of real-time traffic analysis on large-scale backbone networks at the ISP level. A simple method that focuses on a traffic property is adequate for real-time anomaly detection in a gigabit backbone network. In this paper, we propose a traffic volume-based anomaly detection methodology using a statistical approach. We claim that anomaly detection which observes the traffic flows having the same destination port can find anomalies earlier and more precisely than a method using merged traffic, since anomalies may be hidden in a large amount of merged traffic. The proposed scheme uses the concept of a traffic volume ratio per port, which considers abnormal increases in the traffic volume at the port compared with the total traffic volume. Experimental results on real network data demonstrate that our algorithm performs well in detecting extreme changes in the traffic volume.
Advisors
Kim, Se-Hun (김세헌)
Description
Korea Advanced Institute of Science and Technology : Department of Industrial Engineering
Publisher
Korea Advanced Institute of Science and Technology
Issue Date
2004
Identifier
238284/325007  / 020023653
Language
eng
Description

Thesis (Master's) - Korea Advanced Institute of Science and Technology : Department of Industrial Engineering, 2004.2, [ iii, 43 p. ]

Keywords

INTRUSION DETECTION

URI
http://hdl.handle.net/10203/41727
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=238284&flag=dissertation
Appears in Collection
IE-Theses_Master (Master's theses)
Files in This Item
There are no files associated with this item.
