Enhanced DiNATrAX for Multi-protocol Anomaly Detection
摘要
Network anomaly detection remains a critical research area in cybersecurity, aiming to identify malicious or abnormal network behaviors that deviate from expected traffic patterns. To address the growing complexity of modern networks, we propose DiNATrAX, an anomaly detection framework composed of three functional blocks: data collection and preprocessing, Sector of Interest analysis, and an anomaly detection block. The model operates using an advanced form of digital signatures, generating unique DNAs to represent network activity over time. By comparing consecutive DNAs sequences, DiNATrAX computes abnormality distances to automatically identify potential anomalies. The framework was evaluated using the CTU-13 botnet dataset, specifically scenarios 9, 10, and 11. Earlier experiments showed that DiNATrAX effectively detected anomalies in scenarios 9 and 10, which involve TCP and UDP protocols, respectively, but had difficulty detecting attacks in scenario 11 based on the ICMP protocol. In this study, we re-evaluate DiNATrAX with improved ICMP handling and successfully identify ICMP-based attacks, demonstrating enhanced protocol coverage and detection capability. Overall, DiNATrAX provides a flexible and automatable approach to network anomaly detection, forming a strong foundation for adaptive and protocol-aware cybersecurity systems.