Fates: A Granular Approach to Real-Time Anomaly Detection

Anomaly-based intrusion detection systems have the ability of detecting novel attacks, but in real-time detection, they face the challenges of producing many false alarms and failing to contend with the high speed of modern networks due to their computationally demanding algorithms. In this paper, we present Fates, an anomaly-based NIDS designed to alleviate the two challenges. Fates views the monitored network as a collection of individual hosts instead of as a single autonomous entity and uses dynamic, individual threshold for each monitored host, such that it can differentiate between characteristics of individual hosts and independently assess their threat to the network. Each packet to and from a monitored host is analyzed with an adaptive and efficient charging scheme that considers the packet's type, number of occurrences, source, and destination. The resulting charge is applied to the individual hosts' threat assessment, providing pinpointed analysis of anomalous activities. We use various datasets to validate Fates's ability to distinguish scanning behavior from benign traffic in real time.