Detecting anomalous network traffic using evidence theory

Abstract

The ability to detect anomalous network traffic, even when it differs only slightly from normal traffic, is becoming an important aspect of early detection of cyber attacks. Processes for monitoring and analyzing network data should not only provide accurate classifications of network status, but also detect early symptoms of unusual activity in a network. This would lead to a better understanding of suspicious actions and enable the triggering of preventive actions. In this paper, we propose a system that uses multiple classifiers together with elements of evidence theory to identify anomalous network traffic and detect any deviation from normal network behaviour. The obtained classification results are equipped with confidence levels. The individual classifiers are constructed with different machine learning techniques based on data collected with developed network monitoring software. The data includes multiple features providing a comprehensive view of network traffic. The results of evaluating a system that implements the proposed approach are discussed.

Cite

Mattar, A., & Reformat, M. Z. (2018). Detecting anomalous network traffic using evidence theory. In Advances in Intelligent Systems and Computing (Vol. 642, pp. 493–504). Springer Verlag. https://doi.org/10.1007/978-3-319-66824-6_43
