
A new approach to network traffic anomaly detection

Posted on: 2011-12-27
Degree: Ph.D
Type: Dissertation
University: Florida Institute of Technology
Candidate: Petsuwan, Wanchalearm
Full Text: PDF
GTID: 1448390002952227
Subject: Engineering
Abstract/Summary:
An intrusion detection system (IDS) is a device or software that monitors the events or activities in a network or on computer systems and analyzes them for possible security policy violations. When a sign of suspicious activity is found, the system raises an alarm or reports the incident to the network administrator for further analysis.

Anomaly detection is one of the main methods of designing an IDS. It assumes that malicious behavior is anomalous, so violations of security policy can be detected from abnormal patterns of usage. Anomaly-based detection establishes a performance baseline from measurements of normal network traffic and uses that baseline to classify the current traffic: traffic whose measurements fall within the baseline parameters is considered normal, and traffic that falls outside them raises an "abnormal activity" alert.

Several methods have been studied for designing anomaly detectors. In this research, we present a new approach to network traffic anomaly detection based on a denoising algorithm. The approach examines the statistics of network traffic under normal conditions and treats them as noise. When a suspected attack takes place, the traffic pattern changes in amount or volume, and those changes are identified as "regions of interest" by energy distribution analysis. We investigate documented denoising algorithms applied to network traffic data in order to detect anomalies within the regions of interest. A new anomaly detection algorithm based on denoising was developed, and to improve its performance, a statistical method, the cumulative sum (CUSUM) method and denoising were combined.
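The following is an added worked example in the spirit of the abstract's pipeline (baseline statistics of normal traffic treated as noise, energy-based regions of interest, denoising, then CUSUM); it is not the dissertation's algorithm and is not code from the author. The per-second packet counts, the jitter pattern, the +30 pps flood, the 1.1 noise-ceiling margin, the 10-sample energy window and the CUSUM parameters k = 0.5 and h = 5 are all constructed or assumed here for illustration.

```python
"""Volume-anomaly detector: baseline statistics, energy-based regions of
interest, soft-threshold denoising and a one-sided CUSUM on the residual.

Added illustration only; not the dissertation's algorithm. The traffic
series below is constructed, not captured from a network.
"""
from statistics import mean, pstdev

# Constructed per-second packet counts: a flat 1000 pps baseline plus a
# repeating jitter pattern standing in for benign fluctuation (the "noise").
JITTER = [12, -7, 3, -15, 9, -2, 18, -11, 5, -12]
BASELINE_PPS = 1000
TRAIN_LEN = 60                        # first 60 s are assumed attack-free
ATTACK_START, ATTACK_END = 120, 160   # sustained +30 pps flood (about 2.8 sigma)


def synthetic_traffic(n=200):
    """Constructed series: baseline + jitter, with a modest flood injected."""
    series = []
    for i in range(n):
        pps = BASELINE_PPS + JITTER[i % len(JITTER)]
        if ATTACK_START <= i < ATTACK_END:
            pps += 30
        series.append(pps)
    return series


def baseline(train):
    """Mean, standard deviation and noise ceiling of the normal traffic.
    The ceiling is the largest benign deviation seen, in sigma units, with an
    assumed 10 % margin; anything below it is treated as noise later."""
    mu, sigma = mean(train), pstdev(train)
    lam = 1.1 * max(abs(x - mu) / sigma for x in train)
    return mu, sigma, lam


def standardize(series, mu, sigma):
    return [(x - mu) / sigma for x in series]


def regions_of_interest(z, window=10, factor=2.0):
    """Non-overlapping windows whose energy (sum of z^2) exceeds `factor`
    times the expected energy of `window` unit-variance samples, which is
    `window` itself. Adjacent flagged windows are merged into one region."""
    regions = []
    for start in range(0, len(z) - window + 1, window):
        energy = sum(v * v for v in z[start:start + window])
        if energy > factor * window:
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], start + window)
            else:
                regions.append((start, start + window))
    return regions


def soft_threshold(z, lam):
    """One-sided soft threshold: shrink each sample toward zero by lam, so
    everything within the noise ceiling becomes exactly zero and only excess
    volume survives. Only increases are kept because we look for floods."""
    return [max(0.0, v - lam) for v in z]


def cusum(residual, k=0.5, h=5.0):
    """One-sided upper CUSUM. k is the reference value (half the shift we
    care about, in sigma units), h the decision interval. The statistic is
    reset after each alarm so a long-lived attack raises repeated alarms."""
    s, alarms = 0.0, []
    for i, r in enumerate(residual):
        s = max(0.0, s + r - k)
        if s > h:
            alarms.append(i)
            s = 0.0
    return alarms


def detect(series, train_len=TRAIN_LEN):
    """Full pipeline: learn the baseline on the attack-free prefix, locate
    high-energy regions, denoise, and let CUSUM pinpoint the onset."""
    mu, sigma, lam = baseline(series[:train_len])
    z = standardize(series, mu, sigma)
    rois = regions_of_interest(z)
    alarms = cusum(soft_threshold(z, lam))
    return rois, alarms


if __name__ == "__main__":
    rois, alarms = detect(synthetic_traffic())
    print("regions of interest:", rois)
    print("CUSUM alarms at t =", alarms)
```

Two properties worth noticing when running it: the flood is only about 2.8 sigma per sample and after denoising no single sample clears the decision interval h, yet CUSUM accumulates the persistent excess and alarms a few seconds after the onset, which is the case a fixed per-sample threshold would miss; and the energy analysis flags the whole attack interval as one region of interest. The weak point of any such detector is the training prefix: if attack traffic is present while the baseline is learned, the noise ceiling absorbs it and the attack becomes "normal".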
Keywords/Search Tags: Network, Detection, Approach, New, System, Denoising