4.2 Article

Local outlier factor use for the network flow anomaly detection

Journal

SECURITY AND COMMUNICATION NETWORKS
Volume 8, Issue 18, Pages 4203-4212

Publisher

WILEY-HINDAWI
DOI: 10.1002/sec.1335

Keywords

anomaly detection; network flow; netflow; local outlier factor

Internet users and computer networks constantly suffer from an increasing number of cyberattacks. When seeking to reduce the risk and possible consequences of attacks, it is very important to identify them at the initial stage of their realization. For this purpose, anomaly detection systems, a subset of intrusion detection systems, can be applied. The main advantage of anomaly-based systems is the ability to detect unknown attacks. We propose a novel approach to detect network flow anomalies. The method relies on aggregated network flow metrics and is based on the local outlier factor algorithm, which evaluates each event's uniqueness on the basis of its distance from the k-nearest neighbours. In our research, 15 different groups of features (a total of 74 features) were suggested to detect anomalous network flows. According to experimental results, the best groups of features were identified with the highest values of precision, recall and F-measure. Copyright (C) 2015 John Wiley & Sons, Ltd.
