We describe a simple and efficient network intrusion detection algorithm that detects novel attacks by flagging anomalous field values in packet headers at the data link, network, and transport layers. In the 1999 DARPA off-line intrusion detection evaluation test set (Lippmann et. al. 2000), we detect 76% of probes and 48% of denial of service attacks (at 10 false alarms per day). When this system is merged with the 18 systems in the original evaluation, the average detection rate for attacks of all types increases from 61% to 65%. We investigate the effect on performance when attack free training data is not available.
Mahoney, M.V., Chan, P.K. (2001). Detecting novel attacks by identifying anomalous network packet headers (CS-2001-2). Melbourne, FL. Florida Institute of Technolgy