my idea
Based on the motivations given on the previous slide, I propose a new type of network intrusion detector that:
- Monitors network traffic at the packet level
- Builds per-flow packet traces analogous to system call traces (e.g. SYN -> SYN/ACK -> ACK; ACK -> DATA -> ACK), so that a flow's flag sequence plays the role of a process's syscall sequence
- Tracks various other metrics (e.g. fraction of packets that are SYN, ACK or RST; ratio of ACKs to data packets; packet size distribution; distribution of source and destination port numbers)
- Adaptively learns what is "normal" for both the traces and the other metrics, and reports deviations from that baseline
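A runnable sketch of this proposal, added here as an illustration and not part of the original slides: per-flow TCP flag sequences are bracketed with START/END markers and scored by how many of their n-grams were never seen during training (the stide-style mismatch rate used for syscall traces), while the window-level ratios are scored as z-scores against an exponentially weighted running mean and variance. The `Packet` record, the generated sessions, the SYN-flood and port-scan windows, `N = 3` and `ALPHA = 0.2` are all constructed assumptions for the example.

```python
"""Added prototype of the detector proposed on this slide (not from the original deck).
Packets are constructed records standing in for captured traffic; N and ALPHA are assumptions."""
from collections import Counter, defaultdict, namedtuple

N = 3        # trace n-gram length, as in syscall-trace anomaly detectors
ALPHA = 0.2  # EWMA weight for the adaptive per-metric baseline
Packet = namedtuple("Packet", "src sport dst dport flags len")  # flags = TCP flag letters

def flow_key(p):  # direction-independent 4-tuple so both halves of a session share a trace
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def symbol(p):  # trace symbol for a packet, playing the role of a syscall name
    f = p.flags
    if "R" in f:
        return "RST"
    if "F" in f:
        return "FIN"
    if "S" in f:
        return "SYNACK" if "A" in f else "SYN"
    return "DATA" if p.len > 0 else "ACK"

def flow_traces(packets):
    """Per-flow symbol sequences bracketed by START/END, so even a one-packet flow
    (an unanswered SYN) yields an n-gram that can be judged."""
    traces = defaultdict(lambda: ["START"])
    for p in packets:
        traces[flow_key(p)].append(symbol(p))
    return [t + ["END"] for t in traces.values()]

def ngrams(seq):
    return [tuple(seq[i:i + N]) for i in range(len(seq) - N + 1)]

def window_metrics(packets):  # the slide's "other metrics" for one observation window
    total = len(packets)
    c = Counter(symbol(p) for p in packets)
    return {"syn_frac": c["SYN"] / total,
            "rst_frac": c["RST"] / total,
            "ack_per_data": c["ACK"] / max(c["DATA"], 1),
            "mean_payload": sum(p.len for p in packets) / total,
            "dport_spread": len({p.dport for p in packets}) / total}

class Detector:
    def __init__(self, training=()):
        self.normal_ngrams, self.mean, self.var = set(), {}, {}
        for window in training:
            self.learn(window)

    def learn(self, packets):
        """Absorb a window assumed normal: grow the n-gram database, update EWMA baselines."""
        for trace in flow_traces(packets):
            self.normal_ngrams.update(ngrams(trace))
        for k, v in window_metrics(packets).items():
            m = self.mean.setdefault(k, v)  # first window seeds the baseline
            d = v - m
            self.mean[k] = m + ALPHA * d
            self.var[k] = (1 - ALPHA) * (self.var.get(k, 0.0) + ALPHA * d * d)
        return self

    def score(self, packets):
        """(fraction of trace n-grams never seen in training, z-score per metric)."""
        grams = [g for t in flow_traces(packets) for g in ngrams(t)]
        mismatch = sum(g not in self.normal_ngrams for g in grams) / max(len(grams), 1)
        z = {}
        for k, v in window_metrics(packets).items():
            # floor the spread so a near-zero learned variance cannot alert on noise
            spread = max(self.var[k] ** 0.5, 0.1 * abs(self.mean[k]), 0.01)
            z[k] = abs(v - self.mean[k]) / spread
        return mismatch, z

    def alerts(self, packets, mismatch_thr=0.2, z_thr=3.0):
        mismatch, z = self.score(packets)
        out = [f"trace mismatch rate {mismatch:.2f}"] if mismatch > mismatch_thr else []
        return out + [f"{k} z={v:.1f}" for k, v in z.items() if v > z_thr]

def session(cport, req, resp, client="10.0.0.5", server="10.0.0.1", sport=443):
    """One complete constructed TCP session: handshake, request, response, teardown."""
    c2s = lambda fl, ln=0: Packet(client, cport, server, sport, fl, ln)
    s2c = lambda fl, ln=0: Packet(server, sport, client, cport, fl, ln)
    return [c2s("S"), s2c("SA"), c2s("A"), c2s("PA", req), s2c("A"), s2c("PA", resp),
            c2s("A"), c2s("FA"), s2c("A"), s2c("FA"), c2s("A")]

def normal_window(sizes):  # one session per (request, response) payload size pair
    return [p for i, (req, resp) in enumerate(sizes) for p in session(50000 + i, req, resp)]

def syn_flood(n=40):  # spoofed SYNs from many source ports, never answered
    return [Packet("10.0.0.9", 40000 + i, "10.0.0.1", 443, "S", 0) for i in range(n)]

def port_scan(n=30):  # one SYN probe per closed port, each answered with RST
    return [p for port in range(1, n + 1)
            for p in (Packet("10.0.0.9", 55555, "10.0.0.1", port, "S", 0),
                      Packet("10.0.0.1", port, "10.0.0.9", 55555, "RA", 0))]

TRAINING = [normal_window([(100, 1400), (120, 1200), (90, 1500)]),
            normal_window([(110, 1300), (95, 1450), (130, 1100), (100, 1400)]),
            normal_window([(105, 1350), (115, 1250), (100, 1400), (90, 1500), (120, 1200)])]

if __name__ == "__main__":
    det = Detector(TRAINING)
    for name, w in [("normal", normal_window([(100, 1400), (110, 1300), (120, 1200)])),
                    ("syn flood", syn_flood()), ("port scan", port_scan())]:
        print(name, det.alerts(w) or "no alerts")
```

Against the constructed training traffic, a held-out normal window produces no alerts, the SYN flood trips the trace model (every flow is just START -> SYN -> END) and the SYN fraction, and the port scan trips the RST fraction and the destination-port spread. Two design points matter in practice: the spread is floored relative to the learned mean so that a metric with near-zero variance in training does not alert on trivial jitter, and because the baseline keeps adapting, an attacker who ramps up slowly can teach the detector that abuse is normal, so the windows fed to `learn` should be gated (for example, only windows that scored clean) rather than everything seen.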