Normal profile updating method for enhanced packet header anomaly detection

Abstract

There is a significant need for various Intrusion Detection System (IDS) methods for packet behavior anomaly detection, due to the consistent exposure of packets to frequent intrusion threats. Packet Header Anomaly Detection (PHAD) is considered one of many significant approaches used for detecting threats in network packets. However, this approach still suffers from a high rate of false alarms. This paper investigates a Normal Profile Updating Method (NPUM) for enhancing the PHAD-based IDS model. This method updates the normal profile of the anomaly IDS through further processing of both the normal and abnormal data identified by the anomaly detector. Simulation experiments and the DARPA intrusion detection evaluation data sets are used for testing the proposed method. Results show that the proposed method can reduce false positive alarms and improve performance in terms of detection accuracy. The major contributions of this research include the design of an enhanced PHAD-based IDS. This would contribute toward enhanced IDSs that strengthen network security.

Cite

Alsharafi, W. M., Omar, M. N., Al-Majmar, N. A., & Fazea, Y. (2020). Normal profile updating method for enhanced packet header anomaly detection. In Advances in Intelligent Systems and Computing (Vol. 1073, pp. 734–747). Springer. https://doi.org/10.1007/978-3-030-33582-3_69
