Zahra Jadidi. 2016. Flow-based Anomaly Detection in High-Speed Networks. Thesis (PhD Doctorate), Griffith University, Brisbane.
With the advent of online services, the Internet has become extremely busy, and users demand faster access. The increased dependency on the Internet obliges Internet service providers to make it reliable and secure. In this regard, researchers are working on a number of technologies to ensure the continued viability of the Internet. Intrusion detection is one of the fields that enables secure operation of the Internet. An intrusion detection system (IDS) attempts to discover malicious activities in a network. However, as network throughput increases, IDSs must be able to analyse high volumes of traffic in real time. Flow-based analysis is one of the methods capable of handling high-volume traffic: it reduces the input traffic of the IDS because it analyses only packet headers. Flow-based anomaly detection can increase the reliability of the Internet, provided it operates at an early stage and is complemented by packet-based IDSs at later stages.
Employing artificial intelligence (AI) methods in IDSs provides the capability to detect attacks with better accuracy. Compared with typical IDSs, AI-based systems are better suited to detecting unknown attacks. This thesis proposes an artificial neural network (ANN) based flow anomaly detector optimised with metaheuristic algorithms. The proposed method is evaluated on a number of generated flow-based datasets. ANN-based flow anomaly detection achieves a high detection rate; hence, this thesis investigates this system more thoroughly. The ANN-based system is a supervised method which needs labelled datasets; however, labelling the large amount of data found in high-speed networks is difficult. Semi-supervised methods combine supervised and unsupervised methods and can work with both labelled and unlabelled data. A semi-supervised method can provide a high detection rate even when only a small proportion of the data is labelled; therefore, the application of this method to flow-based anomaly detection is considered.
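As an added illustration (not code from the thesis), the flow aggregation step behind both paragraphs above: only header fields are retained, packets sharing a 5-tuple collapse into one flow record, and each record yields the kind of feature vector an ANN-based flow anomaly detector is trained on. The packet headers, the 30 s inactive timeout and the feature choice are constructed assumptions, not values from the thesis.

```python
from dataclasses import dataclass

# Constructed packet headers: (timestamp, src_ip, dst_ip, proto, sport, dport, length).
# No payload is present; a flow-based IDS never inspects it, which is the input reduction.
PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", "TCP", 51000, 443, 60),
    (0.01, "192.0.2.10", "10.0.0.5", "TCP", 443, 51000, 60),
    (0.02, "10.0.0.5", "192.0.2.10", "TCP", 51000, 443, 1500),
    (0.03, "10.0.0.5", "192.0.2.10", "TCP", 51000, 443, 1500),
    (0.50, "10.0.0.7", "192.0.2.20", "UDP", 40000, 53, 70),
    (0.52, "192.0.2.20", "10.0.0.7", "UDP", 53, 40000, 120),
    (1.00, "10.0.0.5", "192.0.2.10", "TCP", 51000, 443, 60),
]


@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

    def features(self):
        """Feature vector (assumed choice): packets, octets, duration, mean packet size."""
        duration = self.last_seen - self.first_seen
        return (self.packets, self.octets, duration, self.octets / self.packets)


def aggregate_flows(packets, timeout=30.0):
    """Group unidirectional packets into flows keyed by the 5-tuple.

    A packet arriving more than `timeout` seconds after the flow's last packet
    starts a new flow record (inactive-timeout expiry, as NetFlow-style exporters do).
    Returns a list of (key, Flow) pairs so that expired and restarted flows both survive.
    """
    active, finished = {}, []
    for ts, src, dst, proto, sport, dport, length in sorted(packets):
        key = (src, dst, proto, sport, dport)
        flow = active.get(key)
        if flow is not None and ts - flow.last_seen > timeout:
            finished.append((key, active.pop(key)))
            flow = None
        if flow is None:
            flow = active[key] = Flow(first_seen=ts, last_seen=ts)
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += length
    finished.extend(active.items())
    return finished


def reduction_ratio(packets, flows):
    """How many packet headers each flow record stands in for."""
    return len(packets) / len(flows)
```

With the constructed headers, seven packets become four flow records, and lowering the timeout to 0.5 s splits the long-lived TCP flow into two.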