An Empirical Investigation of Packet Header-Only Network Traffic Anomaly Detection and Classification
Abstract
Network traffic attack detection at the packet level is complicated by subtle factors surrounding dataset collection and utilization as well as evaluation methods that lead to results that are unreliable for real-world applications. We empirically investigate various machine learning techniques for identifying anomalous/malicious network traffic using only individual packet-level transport layer and network layer header fields (i.e., Transmission Control Protocol/Internet Protocol [TCP/IP]). While much of the work in network traffic anomaly detection uses flow-level metadata as features or deep packet inspection to leverage packet payload contents as features, our investigation solely used individual packet headers as features. We characterize and compare the anomaly detection performance of both supervised and unsupervised learning models using these header features and explore the use of different scoring methods. Our research sheds light on the complexities in using available datasets and common evaluation techniques: publicly available datasets with packet captures that do not match provided flow statistics, intricacies in attributing malice at the packet level, and the absence of real-world considerations for how anomaly detection methods are used in practice.
Document Details
- Document Type: Technical Report
- Publication Date: Feb 01, 2023
- Accession Number: AD1194755
Entities
People
- Daniel E. Krych
- Jason E. Ellis
- Michael J. De Lucia
- Stephen Raio
Organizations
- United States Army Research Laboratory