Daniel Rossell

May 2013
Network Anomaly Detection Using Adaptive Resonance Theory
Committee Members: Advisor: Christos Cassandras, SE/ECE; Ioannis Paschalidis, SE/ECE; David Starobinski, SE/ECE

Abstract: This thesis focuses on the problem of anomaly detection in computer networks. Anomalies are often malicious intrusion attempts that represent a serious threat to network security. Adaptive Resonance Theory (ART) is used as a classification scheme for identifying malicious network traffic.

ART was originally developed in the field of biology as a way to explain how the human eye categorizes visual patterns. For network intrusion detection, the core ART algorithm is implemented as a clustering algorithm that groups network traffic into clusters. A machine learning process allows the number of clusters to change over time to best conform to the data.

Network traffic is characterized by network flows, which represent a packet, or series of packets, between two distinct nodes on a network. These flows can contain a number of attributes, including IP addresses, ports, size, and duration. These attributes form a multi-dimensional vector that is used in the clustering process. Once data is clustered along the defined dimensions, anomalies are identified as data points that do not match known good or nominal traffic.
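The clustering and anomaly test described above can be sketched as follows. This is an added example, not code from the thesis. It assumes the Fuzzy ART variant with complement coding and fast learning, a vigilance of 0.93, a hypothetical `scale` function for three flow attributes, and constructed sample flows.

```python
import math

class FuzzyART:
    """Fuzzy ART clustering with complement coding and fast learning."""

    def __init__(self, rho=0.93, alpha=0.001):
        self.rho, self.alpha = rho, alpha   # vigilance, choice parameter
        self.w = []                         # one weight vector per cluster

    @staticmethod
    def _code(a):
        a = [min(max(x, 0.0), 1.0) for x in a]
        return a + [1.0 - x for x in a]     # complement coding: sum(I) == len(a)

    def _match(self, I):
        """Return (index, I AND w) of the best cluster that passes vigilance."""
        cands = []
        for j, w in enumerate(self.w):
            m = [min(x, y) for x, y in zip(I, w)]           # fuzzy AND
            cands.append((sum(m) / (self.alpha + sum(w)), j, m))
        for _, j, m in sorted(cands, key=lambda c: -c[0]):  # best choice value first
            if sum(m) / sum(I) >= self.rho:                 # vigilance test
                return j, m
        return None, None

    def learn(self, a):
        I = self._code(a)
        j, m = self._match(I)
        if j is None:                       # nothing resonates: add a cluster
            self.w.append(I)
            return len(self.w) - 1
        self.w[j] = m                       # fast learning: w <- I AND w
        return j

    def is_anomaly(self, a):
        """A flow is anomalous if no nominal cluster passes the vigilance test."""
        return self._match(self._code(a))[0] is None

def scale(flow):
    """Map a constructed (dst_port, bytes, duration_s) flow into [0, 1]^3."""
    port, nbytes, dur = flow
    return [port / 65535, math.log10(1 + nbytes) / 9, math.log10(1 + dur) / 4]

# Constructed nominal flows (not thesis data): web-like and DNS-like traffic.
NOMINAL = [(443, 20000, 2.0), (443, 15000, 1.5), (80, 18000, 1.0),
           (443, 30000, 3.0), (53, 120, 0.05), (53, 90, 0.03), (53, 200, 0.08)]

def train(flows, rho=0.93):
    art = FuzzyART(rho=rho)
    for f in flows:
        art.learn(scale(f))
    return art
```

Raising the vigilance `rho` produces more, tighter clusters and flags more flows; lowering it merges traffic types and flags fewer, which is the trade-off an ROC curve traces.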

The ART clustering algorithm is tested on a realistic network simulation that was generated using the network flow simulation tool FS. The clustering results for this simulation are presented. These results are very positive with respect to the Receiver Operating Characteristic (ROC) curve of the ART network anomaly detection algorithm.