
Payload Content based Network Anomaly Detection


Abstract

We present Payload Content based Network Anomaly Detection, which we call PCNAD. PCNAD is an improvement on the PAYL system, which is considered one of the complete systems for payload-based anomaly detection. PAYL takes the entire payload into consideration for profile calculation and, effectively, for anomaly detection. Payload length is very high on port numbers like 21 and 80. Hence it is difficult to apply PAYL on high-speed, high-bandwidth networks. We use the CPP (Content based Payload Partitioning) technique, which divides the payload into different partitions depending on the content of the payload. PCNAD does payload-based anomaly detection using a few CPP partitions. We demonstrate the usefulness of PCNAD on the 1999 DARPA IDS data set. We observed 97.06% accuracy on port 80 using only 62.64% of the packet payload length, with a small false positive rate. This is a significant improvement over the PAYL approach, which uses 100% of the packet payload for anomaly detection.
