Network intrusion detection systems (IDS), particularly those that monitor for Denial of Service (DoS) attacks, continuously inspect network traffic to identify suspicious activity originating from one or more nodes at specific IP addresses. Traditional anomaly-detection IDS methods rely on preset bounds on traffic volume derived from static statistical measures, so they cannot adapt as the dynamics of the network traffic change. The authors propose a methodology, based on concept drift, for monitoring changes in the traffic received from individual source nodes in order to identify suspicious activity at specific nodes. The framework applies machine learning techniques to capture the normal traffic pattern of each source node and derives lower and upper bounds for that node dynamically. Through temporal analysis over successive time windows, it discriminates an abrupt change from a gradual change in the volume of traffic received from a node within a window, and flags the corresponding IP address as suspicious. The effectiveness of the methodology is evaluated on real-world data.
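The following is an added illustration of the per-node adaptive-bound idea described in the abstract; it is not the authors' code, and the paper does not specify its model, so the concrete choices here are assumptions: per source IP, an exponentially weighted mean and variance of the packets seen per time window define dynamic bounds of mean ± k·std; a window outside those bounds is suspicious, and it is labelled "abrupt" when its count jumps by at least JUMP_RATIO relative to the previous window (otherwise "gradual"). Windows labelled abrupt are deliberately not fed back into the baseline, so a sustained flood cannot retrain the bounds into accepting itself. The per-window counts (SAMPLE_WINDOWS) are constructed for the example; in practice they would come from a flow collector.

```python
"""Concept-drift style per-source traffic monitor (illustrative, not the paper's code).

Assumed model: for each source IP keep an EWMA mean/variance of packets per
window; bounds are mean +/- K_SIGMA * std. Out-of-bound windows are alerts,
split into 'abrupt' (jump of JUMP_RATIO vs. the previous window) and 'gradual'.
"""
from collections import defaultdict
from dataclasses import dataclass
import math

ALPHA = 0.3            # EWMA smoothing factor (assumed)
K_SIGMA = 3.0          # bound half-width in standard deviations (assumed)
JUMP_RATIO = 2.0       # abrupt if count >= JUMP_RATIO * previous (or <= previous / JUMP_RATIO)
WARMUP = 3             # windows seen before a node's bounds are trusted (assumed)
REL_STD_FLOOR = 0.05   # std never below 5% of the mean, so constant traffic
ABS_STD_FLOOR = 1.0    # does not collapse the bounds to a single value (assumed)


@dataclass
class NodeState:
    """Running baseline for one source IP."""
    mean: float = 0.0
    var: float = 0.0
    n: int = 0          # windows folded into the baseline
    last: float = 0.0   # count of the last non-abrupt window

    def bounds(self):
        std = max(math.sqrt(self.var), REL_STD_FLOOR * self.mean, ABS_STD_FLOOR)
        return max(0.0, self.mean - K_SIGMA * std), self.mean + K_SIGMA * std

    def update(self, x):
        """Standard EWMA mean/variance update (West-style incremental form)."""
        if self.n == 0:
            self.mean, self.var = float(x), 0.0
        else:
            diff = x - self.mean
            incr = ALPHA * diff
            self.mean += incr
            self.var = (1.0 - ALPHA) * (self.var + diff * incr)
        self.n += 1
        self.last = float(x)


def classify(state, x):
    """Return None (normal), 'abrupt' or 'gradual' for a window count x."""
    if state.n < WARMUP:
        return None                      # not enough history to judge
    lo, hi = state.bounds()
    if lo <= x <= hi:
        return None
    if x >= JUMP_RATIO * state.last or x * JUMP_RATIO <= state.last:
        return "abrupt"                  # step change versus the previous window
    return "gradual"                     # drifted out of bounds without a step


def run_detector(windows):
    """windows: list of {src_ip: packet_count}, one dict per successive time window.

    Returns a list of (window_index, src_ip, label, count, (lo, hi)) alerts.
    """
    states = defaultdict(NodeState)
    alerts = []
    for t, counts in enumerate(windows):
        for ip, x in counts.items():
            st = states[ip]
            label = classify(st, x)
            if label is not None:
                alerts.append((t, ip, label, x, st.bounds()))
            if label != "abrupt":        # attack windows must not retrain the baseline
                st.update(x)
    return alerts


# Constructed sample: three sources over ten windows.
#   10.0.0.5 steady ~50 pkts, then a flood (abrupt)
#   10.0.0.6 slow linear ramp (bounds follow it, no alert)
#   10.0.0.7 doubles over a few windows in sub-2x steps (gradual)
_SERIES = {
    "10.0.0.5": [50, 52, 48, 51, 49, 50, 52, 50, 400, 420],
    "10.0.0.6": [20, 22, 24, 26, 28, 30, 32, 34, 36, 38],
    "10.0.0.7": [100, 100, 100, 100, 150, 200, 260, 260, 260, 260],
}
SAMPLE_WINDOWS = [{ip: s[t] for ip, s in _SERIES.items()} for t in range(10)]


if __name__ == "__main__":
    for t, ip, label, x, (lo, hi) in run_detector(SAMPLE_WINDOWS):
        print(f"window {t}: {ip} {label:7s} count={x} bounds=({lo:.1f}, {hi:.1f})")
```

On the sample, the ramping node never alerts because its bounds track the drift, the node that doubles in two steps produces two "gradual" alerts, and the flood is reported as "abrupt" in every window it persists, since the baseline is frozen against it. Tune ALPHA, K_SIGMA and the std floors against a node's real traffic before trusting the labels.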
Citation:
Rajeswari, P. V. N., & Shashi, M. (2019). Concept-drift based identification of suspicious activity at specific IP addresses using machine learning. International Journal of Recent Technology and Engineering, 8(3), 6651–6655. https://doi.org/10.35940/ijrte.C5699.098319