Analyzing TCP Traffic Patterns Using Self Organizing Maps

  • Stefano Zanero
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3617)


The continuous evolution of attacks against computer networks has given renewed strength to research on anomaly-based Intrusion Detection Systems, which automatically detect anomalous deviations in the behavior of a computer system. While data mining and learning techniques have been applied successfully to host-based intrusion detection, network-based applications are harder for a variety of reasons, the first being the curse of dimensionality. We have proposed a novel architecture that implements a network-based anomaly detection system using unsupervised learning algorithms. In this paper we describe how the pattern recognition features of a Self-Organizing Map algorithm can be used for intrusion detection on the payload of TCP network packets.
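A minimal version of this pipeline, as an added example rather than the paper's own code: a pure-Python Self-Organizing Map is trained on byte-frequency histograms of normal TCP payloads, and new payloads are then scored by their distance to the best-matching unit (the quantization error). The feature encoding, the 4x4 map size, the thresholding rule (1.5x the worst quantization error seen on the training set), and the HTTP requests used as normal and suspicious traffic are all assumptions constructed for this example; the page does not describe the paper's actual choices.

```python
"""Added example, not the paper's code. Assumed (not stated on this page): features
are 256-bin normalised byte histograms, the map is 4x4, the anomaly score is the
distance to the best-matching unit, thresholded at 1.5x the worst training error."""
import math
import random

DIM = 256


def payload_features(payload: bytes) -> list:
    """Normalised byte-frequency histogram of one TCP payload (assumed encoding)."""
    hist = [0.0] * DIM
    for b in payload:
        hist[b] += 1.0
    n = float(len(payload)) or 1.0
    return [h / n for h in hist]


class SOM:
    """Minimal Kohonen map: Gaussian neighbourhood, linearly decaying learning rate."""

    def __init__(self, width=4, height=4, dim=DIM, seed=7):
        rng = random.Random(seed)
        self.w, self.h = width, height
        self.units = [[[rng.random() * 0.01 for _ in range(dim)]
                       for _ in range(width)] for _ in range(height)]

    def bmu(self, x):
        """Return ((row, col), distance) of the prototype closest to x."""
        best, best_d = (0, 0), float("inf")
        for r in range(self.h):
            for c in range(self.w):
                d = math.dist(self.units[r][c], x)
                if d < best_d:
                    best, best_d = (r, c), d
        return best, best_d

    def train(self, samples, epochs=20, lr0=0.5, seed=7):
        rng = random.Random(seed)
        sigma0 = max(self.w, self.h) / 2.0
        total, step = epochs * len(samples), 0
        for _ in range(epochs):
            order = list(samples)
            rng.shuffle(order)
            for x in order:
                t = step / total
                lr = lr0 * (1.0 - t)              # learning rate decays to 0
                sigma = sigma0 * (1.0 - t) + 0.5  # neighbourhood shrinks to ~1 cell
                (br, bc), _ = self.bmu(x)
                for r in range(self.h):
                    for c in range(self.w):
                        g2 = (r - br) ** 2 + (c - bc) ** 2
                        infl = lr * math.exp(-g2 / (2.0 * sigma * sigma))
                        if infl < 1e-4:
                            continue
                        unit = self.units[r][c]
                        for i in range(len(unit)):
                            unit[i] += infl * (x[i] - unit[i])
                step += 1


class PayloadAnomalyDetector:
    """Unsupervised: train on normal payloads only, then threshold the quantization error."""

    def __init__(self, normal_payloads, margin=1.5):
        self.som = SOM()
        feats = [payload_features(p) for p in normal_payloads]
        self.som.train(feats)
        self.threshold = margin * max(self.som.bmu(f)[1] for f in feats)

    def score(self, payload: bytes) -> float:
        return self.som.bmu(payload_features(payload))[1]

    def is_anomalous(self, payload: bytes) -> bool:
        return self.score(payload) > self.threshold


def _http_get(path, host, agent):  # constructed "normal" traffic, not captured data
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {agent}\r\n"
            f"Accept: */*\r\n\r\n").encode("ascii")


_PATHS = ["/", "/index.html", "/images/logo.png", "/css/site.css",
          "/login", "/api/v1/status", "/docs/paper.pdf", "/search?q=som"]
_HOSTS = ["www.example.org", "intranet.example.org", "mail.example.org", "cdn.example.org"]
_AGENTS = ["curl/7.88.1", "Mozilla/5.0 (X11; Linux x86_64)", "Wget/1.21"]
NORMAL_PAYLOADS = [_http_get(p, h, _AGENTS[(i + j) % 3])
                   for i, p in enumerate(_PATHS) for j, h in enumerate(_HOSTS)]
HELD_OUT_NORMAL = _http_get("/about.html", "www.example.org", "curl/7.88.1")
SUSPICIOUS = {  # constructed: a NOP-sled-like binary blob and an overflow-style filler
    "nop_sled": b"GET /" + b"\x90" * 180 + bytes(range(0x80, 0xC0)) + b" HTTP/1.1\r\n\r\n",
    "filler": b"GET /" + b"A" * 300 + b" HTTP/1.1\r\n\r\n",
}
_DETECTOR = None


def build_detector() -> PayloadAnomalyDetector:
    """Train once on the constructed normal traffic; cached so repeated scoring is cheap."""
    global _DETECTOR
    if _DETECTOR is None:
        _DETECTOR = PayloadAnomalyDetector(NORMAL_PAYLOADS)
    return _DETECTOR


if __name__ == "__main__":
    print({k: build_detector().is_anomalous(p) for k, p in SUSPICIOUS.items()})
```

Two points the abstract only names become concrete here: the map is trained with no labels at all (only traffic assumed normal), and the 256-dimensional prototypes show why the curse of dimensionality matters, since the per-byte histogram is already sparse for ordinary text protocols. A payload whose byte distribution is dominated by one value (a NOP sled, a filler run) lands far from every prototype, while a fresh but ordinary request stays within the training-set error band. The 1.5x-of-worst-training-error rule is only a placeholder threshold; in practice the cutoff is tuned against a held-out set and the false-positive rate it produces.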


Keywords: Intrusion Detection, Anomaly Detection, Intrusion Detection System, Network Intrusion Detection, Packet Payload



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Stefano Zanero, D.E.I., Politecnico di Milano, Milano, Italy
