ACTIDS: An Active Strategy For Detecting And Localizing Network Attacks
Eitan Menahem, Gabi Nakibly, Yuval Elovici

TL;DR
This paper introduces ACTIDS, an active network intrusion detection system that uses periodic probes to detect subtle and zero-day attacks affecting network QoS more effectively than passive methods.
Contribution
It proposes a novel active probing approach for NIDS that improves detection of subtle and zero-day attacks while maintaining low false positives.
Findings
Active probing enhances attack detection accuracy.
The system effectively detects zero-day attacks.
False positive rate remains low despite Byzantine faults.
Abstract
In this work we investigate a new approach for detecting attacks which aim to degrade the network's Quality of Service (QoS). To this end, a new network-based intrusion detection system (NIDS) is proposed. Most contemporary NIDSs take a passive approach by solely monitoring the network's production traffic. This paper explores a complementary approach in which distributed agents actively send out periodic probes. The probes are continuously monitored to detect anomalous behavior of the network. The proposed approach takes away much of the variability of the network's production traffic that makes it so difficult to classify. This enables the NIDS to detect more subtle attacks which would not be detected using the passive approach alone. Furthermore, the active probing approach allows the NIDS to be effectively trained using only examples of the network's normal states, hence enabling an…
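The abstract describes two ideas that are easy to illustrate in code: agents send periodic probes over known paths, and the detector is trained only on probe measurements from the network's normal state, then flags probes that deviate from that baseline. The block below is an added example written for this page, not code from the paper or its authors. The topology (agents A to D, links l1 to l4), the RTT samples and the probe window are all constructed; the per-path mean/standard-deviation baseline, the lost-probe handling and the link-intersection localization heuristic are this example's own simplifying assumptions, not the paper's method.

```python
import statistics

# Constructed toy topology: each probe path between two agents is a list of link ids.
PATHS = {
    ("A", "B"): ["l1", "l2"],
    ("A", "C"): ["l1", "l3"],
    ("B", "C"): ["l2", "l3"],
    ("A", "D"): ["l1", "l4"],
}

# Constructed normal-period probe RTTs (ms) per path; the ONLY training data used.
NORMAL_RTT = {
    ("A", "B"): [10.1, 10.3, 9.9, 10.0, 10.2, 10.1, 9.8, 10.4],
    ("A", "C"): [15.0, 15.2, 14.9, 15.1, 15.3, 14.8, 15.0, 15.1],
    ("B", "C"): [12.0, 12.2, 11.9, 12.1, 12.0, 12.3, 11.8, 12.1],
    ("A", "D"): [20.0, 20.3, 19.8, 20.1, 20.2, 19.9, 20.0, 20.1],
}


def train_baseline(normal_rtt):
    """Per-path (mean, std) of probe RTT learned from normal-state samples only.
    A small floor on std keeps a perfectly stable path from producing infinite z-scores."""
    return {
        path: (statistics.mean(v), max(statistics.pstdev(v), 0.05))
        for path, v in normal_rtt.items()
    }


def score_probe(baseline, path, rtt, threshold=4.0):
    """z-score of one probe RTT against its path baseline; anomalous if it exceeds threshold."""
    mean, std = baseline[path]
    z = (rtt - mean) / std
    return z, z > threshold


def detect(baseline, window, threshold=4.0, min_hits=2):
    """window maps path -> recent probe RTTs (None = probe lost).
    A path is flagged when at least min_hits probes in the window are lost or anomalous,
    so a single delayed probe does not raise an alert."""
    flagged = set()
    for path, samples in window.items():
        hits = 0
        for rtt in samples:
            if rtt is None:
                hits += 1  # lost probe counts as a QoS-degrading event
            else:
                _, anomalous = score_probe(baseline, path, rtt, threshold)
                hits += int(anomalous)
        if hits >= min_hits:
            flagged.add(path)
    return flagged


def localize(paths, flagged):
    """Assumed heuristic: candidate links are those shared by every flagged path
    and absent from every unflagged path."""
    if not flagged:
        return set()
    candidates = set.intersection(*(set(paths[p]) for p in flagged))
    for path, links in paths.items():
        if path not in flagged:
            candidates -= set(links)
    return candidates


def run_demo():
    """Constructed detection window: paths A-B and B-C show inflated RTT and lost probes."""
    baseline = train_baseline(NORMAL_RTT)
    window = {
        ("A", "B"): [10.2, 30.5, None, 28.0],
        ("A", "C"): [15.1, 15.0, 15.2, 14.9],
        ("B", "C"): [12.1, 25.0, 24.5, None],
        ("A", "D"): [20.1, 20.0, 19.9, 20.2],
    }
    flagged = detect(baseline, window)
    return flagged, localize(PATHS, flagged)


if __name__ == "__main__":
    flagged, links = run_demo()
    print("anomalous paths:", sorted(flagged))
    print("candidate links:", sorted(links))
```

Because the baseline is built from probes the agents themselves emit, the model never has to learn the highly variable production traffic; the cost is that the probes only observe the paths the agents cover, so localization is only as precise as the set of distinct paths through a link.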
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
