BEHAVIOURAL-BASED NETWORK ANOMALY DETECTION BASED ON USER AND GROUP PROFILING
Abstract
A baseline can be defined using specific attributes of the network traffic. Using the established baseline, deviation can then be measured to detect anomalies on the network. The accuracy of the baseline is the most important criterion of any effective network anomaly detection technique. In a local area network (LAN) environment, the attributes change very frequently because of many change agents; for example, new entities, such as users, applications, and network-enabled devices, are added to and removed from the LAN environment. The invention provides an improved method of establishing a baseline for network anomaly detection based on user behaviour profiling. A user behaviour profile is a distinct network usage pattern pertaining to a specific individual user operating in the LAN environment. No two user profiles would be the same. A group of users that have similar network usage attributes can be extrapolated using data mining techniques to establish a group profiling baseline to detect network usage anomalies. By combining user and group profiling, a network anomaly detection system can measure subtle shifts in network usage and as a result separate a good user's network usage behaviour from a bad one. Using the said technique, a lower rate of false positives of network anomaly can be achieved, which is suitable for operating in a highly dynamic LAN environment.
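The sketch below is an added illustration of combining a per-user baseline with a group baseline; it is not taken from the patent. The two traffic attributes, the leader-clustering step standing in for the unspecified data mining technique, the z-score limit, and the rule of alerting only when both baselines are exceeded are all assumptions, and the sample history is constructed.

```python
from statistics import mean, pstdev

# Constructed history: per user, daily (MB transferred, distinct hosts contacted).
HISTORY = {
    "alice": [(120, 14), (130, 15), (110, 13), (125, 16)],
    "bob":   [(140, 18), (150, 17), (135, 19), (145, 18)],
    "carol": [(900, 60), (950, 65), (880, 58), (920, 62)],
    "dave":  [(910, 63), (890, 59), (940, 61), (905, 64)],
}

def profile(rows):
    """Baseline for a set of observations: (mean, std) per attribute."""
    return [(mean(col), pstdev(col) or 1.0) for col in zip(*rows)]

def deviation(obs, baseline):
    """Largest absolute z-score of obs across all attributes."""
    return max(abs(x - m) / s for x, (m, s) in zip(obs, baseline))

def similar(p, q, tol=0.3):
    """Profiles are similar if every attribute mean differs by <= tol (relative)."""
    return all(abs(a - b) / max(a, b) <= tol for (a, _), (b, _) in zip(p, q))

def build_groups(history):
    """Leader clustering: join the first group whose leader is similar, else start one."""
    groups = []
    for user, rows in history.items():
        for g in groups:
            if similar(profile(rows), profile(history[g[0]])):
                g.append(user)
                break
        else:
            groups.append([user])
    return groups

def assess(user, obs, history, groups, limit=3.0):
    """Score one new observation against the user's and the group's baseline."""
    group = next(g for g in groups if user in g)
    pooled = [row for member in group for row in history[member]]
    u = deviation(obs, profile(history[user]))
    g = deviation(obs, profile(pooled))
    if u > limit and g > limit:
        return u, g, "anomaly"             # unusual for the user and for peers
    if u > limit:
        return u, g, "shift-within-group"  # a user-only baseline would alert here
    return u, g, "normal"

if __name__ == "__main__":
    groups = build_groups(HISTORY)
    for obs in [(125, 15), (148, 18), (900, 60)]:
        print(obs, assess("alice", obs, HISTORY, groups))
```

The middle observation exceeds alice's own narrow baseline but stays inside her group's range, which is the false-positive case the abstract says the combined baseline is meant to reduce.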