Network Anomaly Detection: Flow-based or Packet-based Approach?

TL;DR

This paper compares flow-based and packet-based network anomaly detection approaches, analyzing their differences and suitability to guide network administrators in choosing the appropriate method for security and continuity.

Contribution

It provides an in-depth analysis of the main differences between flow-based and packet-based anomaly detection approaches, clarifying when and why each is preferable.

Findings

Flow-based detection relies on network flow information for analysis.

Packet-based detection analyzes raw data packets directly.

The paper offers guidance on selecting the appropriate approach based on context.

Abstract

One of the most critical tasks for network administrator is to ensure system uptime and availability. For the network security, anomaly detection systems, along with firewalls and intrusion prevention systems are the must-have tools. So far in the field of network anomaly detection, people are working on two different approaches. One is flow-based; usually rely on network elements to make so-called flow information available for analysis. The second approach is packet-based; which directly analyzes the data packet information for the detection of anomalies. This paper describes the main differences between the two approaches through an in-depth analysis. We try to answer the question of when and why an approach is better than the other. The answer is critical for network administrators to make their choices in deploying a defending system, securing the network and ensuring business continuity.