Profiling Network Traffic Behavior for the Purpose of Anomaly-Based Intrusion Detection

In this paper, we propose methods for profiling normal network traffic, methods that could be employed for the purpose of creating a baseline that would be used in the detection of threshold based anomalies in network traffic. This profiling is based on five proposed features of network traffic, and to illustrate, testing was done using recent and large data sets, and relying on various tools to statistically analyze network traffic. Although we have no pretensions of completeness, our results indicate that this is a promising approach to differentiate between normal and abnormal network traffic behavior, and therefore a promising contribution to anomaly based intrusion detection.