Netspot: a simple Intrusion Detection System with statistical learning
Alban Siffer, Amossys, Univ. Rennes, CNRS, IRISA
Persistent Threats (APT), since only pre-registered and well-characterized attacks can be caught. Some recent systems use unsupervised ML algorithms, but the resulting tools are overly complex: many ML components are stacked, each with its own tuning parameters, which usually makes the results hard to interpret. Finally, strong ML/DM expertise is required to set up these systems on real networks.

We present netspot, a very simple network intrusion detection system (NIDS) powered by SPOT, a recent streaming statistical anomaly detector. This statistical test relies on Extreme Value Theory, a powerful method for detecting anomalies. Unlike previous work, netspot is not an end-to-end solution aimed at detecting all cyber-attacks at packet resolution. It is rather a module providing behavioral information that can be integrated into a more general monitoring system. Netspot is simple: it has few (simple) parameters, it adapts over time to the monitored network, and it is as fast as current rule-based methods. Most importantly, it is able to detect real-world cyber-attacks, making it a credible, practical anomaly-based NIDS.
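To make the "streaming statistical anomaly detector" concrete, the following is an added illustration (not netspot's or SPOT's own code) of the peaks-over-threshold idea SPOT is built on: pick a high empirical quantile t of an initial batch as the peak threshold, model excesses over t with a Generalized Pareto Distribution as Extreme Value Theory prescribes, derive the decision threshold z_q such that P(X > z_q) = q, and keep refitting as the stream arrives while never feeding alarms back into the model. The GPD fit here uses the method of moments for brevity (an assumption; the real SPOT fits by maximum likelihood), and the input is a constructed Gaussian "requests per second" series with one injected burst, not real traffic.

```python
import math
import random
import statistics


class SpotDetector:
    """Streaming peaks-over-threshold detector in the spirit of SPOT (illustrative).

    Only two parameters are exposed: q, the target risk P(X > z_q), and
    init_level, the empirical quantile of the calibration batch used as the
    peak threshold t. Everything else is learned from the stream.
    """

    def __init__(self, q=1e-4, init_level=0.98):
        self.q = q                    # target risk: P(X > z_q) = q
        self.init_level = init_level  # quantile used for the peak threshold t
        self.t = 0.0                  # peak threshold (excesses above it are modelled)
        self.z_q = math.inf           # decision threshold (values above it are alarms)
        self.n = 0                    # number of normal observations seen so far
        self.peaks = []               # excesses x - t for x > t

    def calibrate(self, batch):
        """Initial fit on a batch assumed to be attack-free."""
        xs = sorted(batch)
        self.n = len(xs)
        self.t = xs[int(self.init_level * (len(xs) - 1))]
        self.peaks = [x - self.t for x in xs if x > self.t]
        if len(self.peaks) < 2:
            raise ValueError("calibration batch too small for a tail fit")
        self._update_threshold()

    def _fit_gpd(self):
        """Method-of-moments GPD fit (simplification: SPOT uses maximum likelihood).

        For a GPD with shape gamma and scale sigma, mean m = sigma/(1-gamma) and
        variance v = sigma^2/((1-gamma)^2 (1-2 gamma)), so m^2/v = 1 - 2 gamma.
        """
        m = statistics.fmean(self.peaks)
        v = statistics.pvariance(self.peaks)
        if v <= 0.0:
            return 0.0, m  # degenerate sample: fall back to an exponential tail
        ratio = m * m / v
        gamma = 0.5 * (1.0 - ratio)       # shape
        sigma = 0.5 * m * (1.0 + ratio)   # scale, always > 0 since m > 0
        return gamma, sigma

    def _update_threshold(self):
        """z_q = t + (sigma/gamma) * ((q*n/N_t)^(-gamma) - 1), exponential limit if gamma ~ 0."""
        gamma, sigma = self._fit_gpd()
        r = self.q * self.n / len(self.peaks)
        if abs(gamma) < 1e-8:
            self.z_q = self.t - sigma * math.log(r)
        else:
            self.z_q = self.t + (sigma / gamma) * (r ** (-gamma) - 1.0)

    def step(self, x):
        """Return True if x is an anomaly. Anomalies are not used to update the model."""
        if x > self.z_q:
            return True
        self.n += 1
        if x > self.t:
            # A legitimate extreme: it refines the tail model and moves z_q.
            self.peaks.append(x - self.t)
            self._update_threshold()
        return False


def demo(seed=0, n_calib=5000, n_stream=2000):
    """Run the detector on constructed data; returns (detector, alarm indices)."""
    rng = random.Random(seed)
    # Constructed feature: e.g. connections per second around a baseline of 100
    # with Gaussian jitter (assumption for illustration, not captured traffic).
    calib = [rng.gauss(100.0, 10.0) for _ in range(n_calib)]
    det = SpotDetector(q=1e-4)
    det.calibrate(calib)
    stream = [rng.gauss(100.0, 10.0) for _ in range(n_stream)]
    stream[1500] = 400.0  # injected burst standing in for a flood
    alarms = [i for i, x in enumerate(stream) if det.step(x)]
    return det, alarms


if __name__ == "__main__":
    det, alarms = demo()
    print(f"t={det.t:.1f} z_q={det.z_q:.1f} alarms at {alarms}")
```

Note the shape of the interface: no attack signatures, no labelled training set, and the only knob a practitioner must choose is the acceptable risk q; the threshold z_q drifts with the monitored network because every non-alarm peak refits the tail. That is the sense in which the abstract calls the approach simple and adaptive, and why a burst far outside the learned tail (here 400 against a baseline of 100) is caught without ever having been described in advance.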