Packet-based Anomaly Detection using n-gram Approach

Authors

  • Rai K Department of Computer Science and Applications, Panjab University, Sec-14, Chandigarh, India
  • Syamala Devi M Department of Computer Science and Applications, Panjab University, Sec-14, Chandigarh, India
  • Guleria A Computer Center, Panjab University, Sec-14, Chandigarh, India

DOI:

https://doi.org/10.26438/ijcse/v6i5.366372

Keywords:

Payload, anomaly detection, cosine similarity, n-gram, length-wise clustering

Abstract

Intrusion detection systems monitor computer system events to discover malicious activities in the network. There are two types of intrusion detection systems, namely signature-based and anomaly-based. Anomaly detection can be either flow-based or packet-based. In the flow-based approach, the system looks at aggregated information about related packets in the form of a flow. A packet-based detection system inspects the complete packet, which consists of the header as well as the payload data. In this paper, an improved packet-based anomaly detection technique is proposed. In the training module, normal profiles of the network traffic are generated by modeling the payload with an n-gram approach after clustering packets length-wise according to payload length. Length-wise clustering is done to reduce the number of normal-profile models. The mean and standard deviation of each profile are then calculated for use in the detection module. In the detection module, the distance between the normal profiles and newly arriving data in the network is computed using cosine similarity. The standard DARPA'99 dataset and data collected at Panjab University are used to test the proposed technique. Anomaly detection is performed on port numbers 21, 23 and 80, and the results are compared with the various n-gram techniques and other techniques used in the literature for payload anomaly detection. It is concluded that the improved technique reduces space and gives better results on ports 21 and 23 than on port 80.
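The training and detection steps the abstract describes, as an added worked example; this is not the authors' implementation, and the page gives no code. The n-gram size (byte bigrams), the 16-byte width of each length cluster, the threshold rule (mean minus K standard deviations of the training payloads' similarity to their own profile, with a small floor so a zero-variance profile is not brittle) and the FTP login traffic on port 21 are all assumptions made here for illustration; the paper does not specify them.

```python
"""Payload anomaly detection with n-gram profiles, length-wise clustering and
cosine similarity.  Added illustrative example, not the authors' code.
Assumed choices (not given on the page): N=2, BUCKET=16, K=3, MIN_SPREAD,
and the constructed FTP sample traffic below."""
from collections import Counter
import math

N = 2              # n-gram size (assumed)
BUCKET = 16        # width in bytes of each payload-length cluster (assumed)
K = 3.0            # threshold = mean - K * std of training similarities (assumed)
MIN_SPREAD = 0.01  # floor on K * std, so a zero-variance profile still tolerates small drift (assumed)


def ngrams(payload: bytes, n: int = N) -> Counter:
    """Count the overlapping byte n-grams of one payload."""
    return Counter(payload[i:i + n] for i in range(len(payload) - n + 1))


def length_cluster(payload: bytes) -> int:
    """Length-wise clustering: payloads in the same BUCKET-byte band share a profile."""
    return len(payload) // BUCKET


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two n-gram count vectors (0.0 when either is empty)."""
    dot = sum(c * b[g] for g, c in a.items())
    na = math.sqrt(sum(c * c for c in a.values()))
    nb = math.sqrt(sum(c * c for c in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class Profile:
    """Normal profile for one (port, length cluster): the summed n-gram counts of
    its training payloads plus the mean/std of their similarity to that sum."""

    def __init__(self):
        self.model = Counter()
        self.mean = 0.0
        self.std = 0.0

    def threshold(self) -> float:
        return self.mean - max(K * self.std, MIN_SPREAD)


def train(samples):
    """samples: iterable of (port, payload) pairs of known-normal traffic."""
    profiles = {}
    for port, payload in samples:
        key = (port, length_cluster(payload))
        profiles.setdefault(key, Profile()).model.update(ngrams(payload))
    # Second pass: each training payload's similarity to its own profile gives
    # the per-profile mean and (population) standard deviation.
    sims = {}
    for port, payload in samples:
        key = (port, length_cluster(payload))
        sims.setdefault(key, []).append(cosine(ngrams(payload), profiles[key].model))
    for key, values in sims.items():
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        profiles[key].mean, profiles[key].std = mean, math.sqrt(var)
    return profiles


def score(profiles, port: int, payload: bytes):
    """Return (similarity, is_anomalous).  A payload whose (port, length cluster)
    has no normal profile is reported as anomalous: nothing of that shape was
    seen in training, which is how an overlong field shows up here."""
    profile = profiles.get((port, length_cluster(payload)))
    if profile is None:
        return 0.0, True
    sim = cosine(ngrams(payload), profile.model)
    return sim, sim < profile.threshold()


# Constructed training traffic (not captured data): FTP logins on port 21.
TRAINING = [(21, b"USER %s\r\n" % name)
            for name in (b"alice", b"bob", b"carol", b"dave", b"alan", b"eric")]
PROFILES = train(TRAINING)

if __name__ == "__main__":
    for label, payload in [
        ("normal login, unseen user name", b"USER dan\r\n"),
        ("NOP sled in the same length cluster", b"USER " + b"\x90" * 8 + b"\r\n"),
        ("overlong USER, no profile for its length", b"USER " + b"A" * 200 + b"\r\n"),
    ]:
        sim, bad = score(PROFILES, 21, payload)
        print(f"{label:42s} sim={sim:.3f} anomalous={bad}")
```

The NOP sled is caught by the cosine test (its repeated 0x90 bigrams have no weight in the profile), while the overlong USER never reaches that test: length-wise clustering routes it to a cluster that has no normal profile at all. The floor on the spread matters on small training sets such as this one: if every training payload were identical the standard deviation would be zero and, without it, any unseen byte pair would be flagged.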

References

N. M. Jacob, and M. Y. Wanjala, "A Review of Intrusion Detection Systems", International Journal of Computer Science and Information Technology Research, Vol. 5, Issue 4, pp. 1-5, 2017.

H. Alaidaros, M. Mahmuddin, and A. Mazari, "An Overview of Flow-based and Packet-based Intrusion Detection Performance in High Speed Networks", Naif Arab University for Security Sciences, pp. 1-9, 2011.

K. Wang, and S. J. Stolfo, "Anomalous Payload-based Network Intrusion Detection", International Workshop on Recent Advances in Intrusion Detection (RAID), Springer, Berlin, Heidelberg, LNCS Vol. 3224, pp. 203-222, 2004.

S. A. Thorat, A. K. Khandelwal, B. Bruhadeshwar, and K. Kishore, "Payload Content based Network Anomaly Detection", In the Proceedings of the 2008 International Conference on the Applications of Digital Information and Web Technologies, IEEE, pp. 127-132, 2008.

S. Staniford, J. A. Hoagland, and J. M. McAlerney, "Practical Automated Detection of Stealthy Portscans", Journal of Computer Security, Vol. 10, pp. 105-136, 2002.

C. Kruegel, T. Toth, and E. Kirda, "Service Specific Anomaly Detection for Network Intrusion Detection", In the Proceedings of the 2002 ACM Symposium on Applied Computing, pp. 201-208, 2002.

L. Zhang, and G. B. White, "Anomaly Detection for Application Level Network Attacks Using Payload Keywords", In the Proceedings of the IEEE Symposium on Computational Intelligence in Security and Defense Applications (CISDA), pp. 178-185, 2007.

R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, and W. Lee, "McPAD: A Multiple Classifier System for Accurate Payload-based Anomaly Detection", Computer Networks, Elsevier, Vol. 53, Issue 6, pp. 864-881, 2009.

Z. Tan, A. Jamdagni, X. He, and P. Nanda, "Network Intrusion Detection based on LDA for Payload Feature Selection", In the Proceedings of the IEEE Globecom Workshops, pp. 1545-1549, 2010.

M. Kakavand, N. Mustapha, A. Mustapha, and M. T. Abdullah, "Effective Dimensionality Reduction of Payload-Based Anomaly Detection in TMAD Model for HTTP Payload", KSII Transactions on Internet and Information Systems, Vol. 10, Issue 8, pp. 3884-3910, 2016.

G. Kim, S. Lee, and S. Kim, "A Novel Hybrid Intrusion Detection Method Integrating Anomaly Detection with Misuse Detection", Expert Systems with Applications, Elsevier, Vol. 41, Issue 2, pp. 1690-1700, 2014.

E. Eskin, "Anomaly Detection over Noisy Data Using Learned Probability Distributions", In the Proceedings of the International Conference on Machine Learning (ICML), pp. 255-262, 2000.

K. Scarfone, and P. Mell, "Guide to Intrusion Detection and Prevention Systems (IDPS)", NIST Special Publication 800-94, Feb. 2007.

P. Rutravigneshwaran, "A Study of Intrusion Detection System using Efficient Data Mining Techniques", International Journal of Scientific Research in Network Security and Communication, Vol. 5, Issue 6, pp. 5-8, December 2017.

M. Shivakumar, R. Subalakshmi, S. Shanthakumari, and S. John Joseph, "Architecture for Network-Intrusion Detection and Response in open Networks using Analyzer Mobile Agents", International Journal of Scientific Research in Network Security and Communication, Vol. 1, Issue 4, pp. 1-7, Oct 2013.

Published

2025-11-13

How to Cite

[1]
K. Rai, M. Syamala Devi, and A. Guleria, “Packet-based Anomaly Detection using n-gram Approach”, Int. J. Comp. Sci. Eng., vol. 6, no. 5, pp. 366–372, Nov. 2025.

Section

Research Article