Anomaly-based intrusion detection is a research area in Computer Security, wherein computer and network attacks are differentiated from normal computer interactions. Anomaly-based intrusion detection systems detect attacks by analyzing either computer or network data and flagging abnormalities as intrusions. The abnormalities are detected by analyzing certain parameters that are present in the data. Our approach analyzes certain network parameters, which characterize a single connection, a network service on a monitored host, or a network service on a monitored network. This categorization of parameters helps detect varied classes of attacks, including denial-of-service, port scan and buffer overflow attacks.
Anomaly-based systems use various analysis techniques to detect parameter anomalies. A new approach based on the Bayesian Networks technique for analyzing and detecting anomalies is presented here. The advantage of Bayesian Networks lies in their ability to adaptively learn normal values of parameters without much training, which makes them suitable for real-time analysis. A Bayesian Network can be used to combine current evidence and previous knowledge to obtain the probability of anomaly. This property helps in detecting previously seen attacks faster, since the previous knowledge provides strong evidence of an attack. The same property helps reduce the number of false positives, since considerable evidence needs to accumulate for the Bayesian Network to report a high probability of anomaly.
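The following is an added illustration, not code from the paper, of how the two properties just described fall out of a Bayesian combination of prior knowledge and current evidence. It uses a naive Bayes network with one "attack" node and one evidence node per connection parameter; the parameter names, the baseline traffic, the likelihood values and the prior-raising heuristic are all assumptions made for the example.

```python
import math
# Assumed likelihoods of a parameter looking abnormal given attack vs. normal traffic
P_ABN_GIVEN_ATTACK = 0.8
P_ABN_GIVEN_NORMAL = 0.05
Z_THRESHOLD = 3.0  # beyond 3 std devs of the learned mean counts as abnormal evidence
PARAMS = ("syn_rate", "distinct_ports", "payload_bytes")  # assumed connection parameters

class BayesianAnomalyDetector:
    """Naive Bayes network: one 'attack' node, one evidence node per parameter."""
    def __init__(self, params, prior=0.01):
        self.params, self.prior, self.n = params, prior, 0  # prior = previous knowledge
        self.mean = {p: 0.0 for p in params}
        self.m2 = {p: 0.0 for p in params}  # Welford running sum of squared deviations

    def learn(self, record):
        """Adaptively update each parameter's learned normal mean/variance."""
        self.n += 1
        for p in self.params:
            delta = record[p] - self.mean[p]
            self.mean[p] += delta / self.n
            self.m2[p] += delta * (record[p] - self.mean[p])

    def is_abnormal(self, p, value):
        std = math.sqrt(self.m2[p] / (self.n - 1)) if self.n > 1 else 0.0
        return abs(value - self.mean[p]) > Z_THRESHOLD * max(std, 1e-9)

    def posterior(self, record):
        """P(attack | evidence): prior combined with each parameter's evidence."""
        attack, normal = self.prior, 1.0 - self.prior
        for p in self.params:
            abn = self.is_abnormal(p, record[p])
            attack *= P_ABN_GIVEN_ATTACK if abn else 1.0 - P_ABN_GIVEN_ATTACK
            normal *= P_ABN_GIVEN_NORMAL if abn else 1.0 - P_ABN_GIVEN_NORMAL
        return attack / (attack + normal)

    def score(self, record, alert_at=0.9):
        prob = self.posterior(record)
        if prob >= alert_at:  # assumed heuristic: a reported attack raises the prior
            self.prior = min(0.5, self.prior * 20)
        return prob

def run_demo():
    """Constructed baseline of normal connections, then constructed test records."""
    det = BayesianAnomalyDetector(PARAMS)
    for row in zip([10, 12, 11, 9, 10, 11, 10, 12, 9, 11], [1, 2, 1, 1, 2, 1, 2, 1, 1, 2],
                   [500, 520, 480, 510, 490, 505, 495, 515, 485, 500]):
        det.learn(dict(zip(PARAMS, row)))
    one_off = det.score(dict(zip(PARAMS, (11, 1, 5000))))  # one outlier: no alert
    cold = det.posterior(dict(zip(PARAMS, (500, 200, 510))))  # two outliers, prior 0.01
    scan = det.score(dict(zip(PARAMS, (500, 200, 0))))  # three outliers: alert
    repeat = det.score(dict(zip(PARAMS, (500, 200, 510))))  # same two outliers, raised prior
    return one_off, cold, scan, repeat, det.prior
```

With the initial prior, a single deviating parameter scores well under 0.01 and two deviating parameters about 0.35, so neither is reported; once an attack with all three parameters abnormal has been reported and the prior raised, the same two-parameter record scores above 0.9.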