An Architecture for Inline Anomaly Detection

Tammo Krueger, Christian Gehl, Konrad Rieck, Pavel Laskov
2008 European Conference on Computer Network Defense
In this paper we propose an intrusion prevention system (IPS) which operates inline and is capable of detecting unknown attacks using anomaly detection methods. Incorporated in the framework of a packet filter, each incoming packet is analyzed and, according to an internal connection state and a computed anomaly score, either delivered to the production system, redirected to a special hardened system or logged to a network sink for later analysis. Runtime measurements of an actual implementation prove that the performance overhead of the system is sufficient for inline processing. Accuracy measurements on real network data yield improvements especially in the number of false positives, which are reduced by a factor of five compared to a plain anomaly detector.

* Pavel Laskov is also affiliated with University Tübingen, Wilhelm-Schickard-
doi:10.1109/ec2nd.2008.8 fatcat:dduuwys7prgi3hvxgh6z3t3frq