Noise-Resistant Payload Anomaly Detection for Network Intrusion Detection Systems


Detailed description

Bibliographic details
Main authors: Sun-il Kim, Nwanze, N.
Format: Conference proceedings
Language: eng
Description

Abstract: Anomaly-based intrusion detection systems are an essential part of a global security solution and effectively complement signature-based detection schemes. Their strength in detecting previously unknown, never-before-seen attacks makes them attractive, but they are more prone to false positives. In this paper, we present a simple payload-based intrusion detection scheme that is resilient to contaminated traffic that may unintentionally be used during training. Our results show that, by adjusting the two tuning parameters used in our approach, the ability to detect attacks while maintaining low false positives is not hindered, even when 10% of the training traffic consists of attacks. Test results also show that our approach is not sensitive to changes in the parameters, and a wide range of values can be used to yield high per-packet detection rates (over 99.5%) while keeping false positives low (below 0.3%).
ISSN: 1097-2641, 2374-9628
DOI: 10.1109/PCCC.2008.4745080