Network anomaly detection based on probabilistic analysis

In this paper, we propose a method to detect network intrusions using anomaly detection technique based on probabilistic analysis. Victim's computers under attack show various symptoms such as degradation of TCP throughput, increase in CPU usage, increased round trip time, frequent disconnection to the Web sites, etc. These symptoms can be used as components to construct the k-dimensional feature space of multivariate normal distribution, in which case an anomaly detection method can be applied for the detection of the attack on the distribution. These features are generally highly correlated. Thus we choose only a few of these features for the anomaly detection in multivariate normal distribution. We use Mahalanobis distance to detect the anomalies for each data, normal, and abnormal. Anomalies are identified when their square root of Mahalanobis distance exceeds certain threshold. A detailed description of the threshold setting and the various experiments are discussed in simulation results.