Jionghua Jin,Xuejun Zhu

2006-01-01

Abstract:The intrusion detection in computer networks is a complex research problem, which requires the understanding of computer networks and the mechanism of intrusions, the configuration of sensors and the collected data, the selection of the relevant attributes, and the monitor algorithms for online detection. It is critical to develop general methods for data dimension reduction, effective monitoring algorithms for intrusion detection, and means for their performance improvement. This dissertation is motivated by the timely need to develop statistics-based machine learning methods for effective detection of computer network anomalies. Three fundamental research issues related to data dimension reduction, control charts design and performance improvement have been addressed accordingly. The major research activities and corresponding contributions are summarized as follows: (1) Filter and Wrapper models are integrated to extract a small number of the informative attributes for computer network intrusion detection. A two-phase analyses method is proposed for the integration of Filter and Wrapper models. The proposed method has successfully reduced the original 41 attributes to 12 informative attributes while increasing the accuracy of the model. The comparison of the results in each phase shows the effectiveness of the proposed method. (2) Supervised kernel based control charts for anomaly intrusion detection. We propose to construct control charts in a feature space. The first contribution is the use of multi-objective Genetic Algorithm in the parameter pre-selection for SVM based control charts. The second contribution is the performance evaluation of supervised kernel based control charts. (3) Unsupervised kernel based control charts for anomaly intrusion detection. Two types of unsupervised kernel based control charts are investigated: Kernel PCA control charts and Support Vector Clustering based control charts. The applications of SVC based control charts on computer networks audit data are also discussed to demonstrate the effectiveness of the proposed method. Although the developed methodologies in this dissertation are demonstrated in the computer network intrusion detection applications, the methodologies are also expected to be applied to other complex system monitoring, where the database consists of a large dimensional data with non-Gaussian distribution.

Xueqin Liu,Lei Xie,Uwe Kruger,Tim Littler,Shuqing Wang

DOI: https://doi.org/10.1002/aic.11526

IF: 4.167

2008-01-01

AIChE Journal

Abstract:The monitoring of multivariate systems that exhibit non-Gaussian behavior is addressed. Existing work advocates the use of independent component analysis (ICA) to extract the underlying non-Gaussian data structure. Since some of the source signals may be Gaussian, the use of principal component analysis (PCA) is proposed to capture the Gaussian and non-Gaussian source signals. A subsequent application of ICA then allows the extraction of non-Gaussian components from the retained principal components (PCs). A further contribution is the utilization of a support vector data description to determine a confidence limit for the non-Gaussian components. Finally, a statistical test is developed for determining how many non-Gaussian components are encapsulated within the retained PCs, and associated monitoring statistics are defined. The utility of the proposed scheme is demonstrated by a simulation example, and the analysis of recorded data from an industrial melter. (C) 2008 American Institute of Chemical Engineers.

Guang Li,Jie Wang,Jing Liang,Caitong Yue

DOI: https://doi.org/10.3390/sym10040113

2018-01-01

Abstract:Since data stream anomaly detection algorithms based on sliding windows are sensitive to the abnormal deviation of individual interference data, this paper presents a sliding nest window chart anomaly detection based on the data stream (SNWCAD-DS) by employing the concept of the sliding window and control chart. By nesting a small sliding window in a large sliding window and analyzing the deviation distance between the small window and the large sliding window, the algorithm increases the out-of-bounds detection ratio and classifies the conceptual drift data stream online. The designed algorithm is simulated on the industrial data stream of drilling engineering. The proposed algorithm SNWCAD is compared with Automatic Outlier Detection for Data Streams (A-ODDS) and Distance-Based Outline Detection for Data Stream (DBOD-DS). The experimental results show that the new algorithm can obtain higher detection accuracy than the compared algorithms. Furthermore, it can shield the influence of individual interference data and satisfy actual engineering needs.

Sijie Liu,Nan Zhou,Zekun Bai,Yafeng Wu

DOI: https://doi.org/10.1109/auteee60196.2023.10407274

2023-01-01

Abstract:Monitoring is essential for managing and maintaining industrial equipment by identifying abnormal areas in multivariate time series. This work presents CNN-VAEAT, a new technique for identifying anomalies in multivariate time series data from complex systems. The approach uses an upgraded Variational Autoencoder (VAE) algorithm with CNNs to reconstruct the data and calculate an anomaly score. To select anomaly detection threshold, an adaptive threshold approach based on extreme value distribution theory is used. The approach reconstructs a normal multivariate time series model using a convolutional variational autoencoder. It then derives the system’s multivariate time series state index from the new signal. Finally, it uses the extended extreme value distribution theory to discover anomalous conditions early. Studies on the SCADA data set of real wind turbine faults show that the CNN-VAE-AT algorithm outperforms existing wind turbine fault omen detection techniques.

Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

Xianbo Zhang,Jing Zhang,Chao Wang,Feng Lin,Zezhou Li

DOI: https://doi.org/10.1109/icsp54964.2022.9778305

2022-01-01

Abstract:Anomaly detection of multivariate time series has been an active research topic for decades owing to the broad application of time series in various fields including e-commerce, smart city, robotic systems, etc. Accurate detection is therefore of great importance to the operational stability of a system or corporation. In this paper, we propose a new model composed of convolutional neural networks and a modified attention mechanism. Snapshot pictures of multivariate time series are adopted as the input for convolutional process. Convolutional blocks are responsible for spatial information extraction. And the modified attention mechanism can well assign weights to input segments since this mechanism emphasizes important sequences while depressing irrelevant segments. The comparison work with multiple baselines is carried out on datasets collected from the public archive and real world. Experimental results of multiple evaluation metrics prove that our model not only obtains higher accuracy but also gains a better recall rate.

Jingxuan Pang,Xiaokun Pu,Chunguang Li

DOI: https://doi.org/10.1109/tii.2022.3145834

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Anomaly detection plays an important role in industry, especially in ensuring system safety and product quality. Due to the unavailability of anomalous data in many practical cases, anomaly detection is usually solved by one-class classification (OCC) methods using only normal data. As a classical OCC method, one-class support vector machine (OCSVM) is a popular discriminative approach for anomaly detection, which detects abnormal data points by establishing a decision boundary in the kernel space. However, the performance of OCSVM heavily relies on kernel parameters, whose selection is not trivial for anomaly detection problems. Moreover, for some uneven and complex data distributions, different data regions may have quite different densities and shapes, making it difficult for OCSVM to obtain good boundaries in all regions using a global kernel parameter. To address the above two issues, in this article, we propose a hybrid algorithm incorporating vector quantization and OCSVM (VQ-OCSVM). Specifically, vector quantization is used to extract distribution information of normal data, and the results are used to construct an explicit mapping function to map data into a high-dimensional feature space. Then, OCSVM is performed in the feature space to build a classifier. By introducing the explicit mapping into OCSVM, the proposed method can effectively bypass the kernel parameter selection problem of the classical OCSVM method. Furthermore, the constructed mapping carries the data distribution information, and the VQ-OCSVM model can be regarded as an integration of generative learning and discriminative learning. The complementary properties of these two paradigms make the proposed VQ-OCSVM algorithm have better generalization capacity for complex data distribution. Both qualitative and quantitative experimental results demonstrate the effectiveness and advantages of the proposed method.

,Chunhua Gu,xueqin zhang

DOI: https://doi.org/10.1109/ICMLC.2007.4370710

2007-01-01

Abstract:Network Anomaly Detection is a critical task to ensure network security. With increasing network traffic, detecting network anomaly would require solving a large-scale pattern classification problem that often contains millions of training vectors. Each training vector may represent a particular signature of network traffic pattern and some of them may be linked to security breaching activities that need to be detected and eradicated. In this paper, a popular statistical learning algorithm known as the Support Vector Machine (SVM) was consider to solve the network anomaly detection problem. However, it is well known that SVM would require excessively long computing time and exceedingly large amount of memory when number of training vectors becomes huge. Hence, direct application of the standard SVM algorithm to solve large-scale network anomaly detection problems is impractical. In this paper, based on computational geometry theory, a new algorithm called convex-hull SVM (CH-SVM) was proposed, which can yield the same solution as original SVM while using significantly less training data, and hence less computing time. Then experiments were done on KDD'99 intrusion detection dataset to compare the performance of the proposed algorithm to a standard SVM and observed reduced training time and improved classification accuracy.

Poovich Phaladiganon,Seoung Bum Kim,Victoria C. P. Chen,Wei Jiang

DOI: https://doi.org/10.1016/j.eswa.2012.12.020

IF: 8.5

2013-01-01

Expert Systems with Applications

Abstract:Multivariate control charts have been widely used in many industries to monitor and diagnose processes characterized by a large number of quality characteristics. Usually, these characteristics are highly correlated with each other. The direct use of conventional multivariate control charts for situations with highly correlated characteristics may lead to increased rates of false alarms. Principal component analysis (PCA) control charts have been widely used to address problems posed by such high correlations by transforming the set of correlated variables to an uncorrelated set of variables and then identifying the PCs with highest contribution which then allows one to reduce dimensionality. However, an assumption that the data are normally distributed underlies the construction of the control limits of traditional PCA control charts. This assumption has limited the use of PCA control charts in nonnormal situations found in many modern systems. This study presents the development of nonparametric PCA control charts that do not require any distributional assumptions for their construction. We propose to use nonparametric techniques, kernel density estimation, and bootstrapping to establish the control limits of these charts. A simulation study was conducted to evaluate the performance of the proposed charts and compare them with traditional PCA control charts. The comparative performance in terms of average run length showed that the proposed nonparametric PCA control charts performed better than the parametric PCA control charts in nonnormal situations.

Dequan Zheng,Fenghuan Li,Tiejun Zhao

DOI: https://doi.org/10.1016/j.eswa.2016.03.029

IF: 8.5

2016-01-01

Expert Systems with Applications

Abstract:Anomaly detection in time series has become a widespread problem in the areas such as intrusion detection and industrial process monitoring. Major challenges in anomaly detection systems include unknown data distribution, control limit determination, multiple parameters, training data and fuzziness of 'anomaly'. Motivated by these considerations, a novel model is developed, whose salient feature is a synergistic combination of statistical and fuzzy set-based techniques. We view anomaly detection problem as a certain statistical hypothesis testing. Meanwhile, 'anomaly' itself includes fuzziness, therefore, can be described with fuzzy sets, which bring a facet of robustness to the overall scheme. Intensive fuzzification is engaged and plays an important role in the successive step of hypothesis testing. Because of intensive fuzzification, the proposed algorithm is distribution-free and self-adaptive, which solves the limitation of control limit and multiple parameters. The framework is realized in an unsupervised mode, leading to great portability and scalability. The performance is assessed in terms of ROC curve on university of California Riverside repository. A series of experiments show that the proposed approach can significantly increase the AUC, while the false alarm rate is improved. In particular, it is capable of detecting anomalies at the earliest possible time. (C) 2016 Elsevier Ltd. All rights reserved.

Le Zhang,Wei Cheng,Ji Xing,Xuefeng Chen,Zelin Nie,Shuo Zhang,Junying Hong,Zhao Xu

DOI: https://doi.org/10.1109/tim.2023.3323989

IF: 5.6

2023-10-28

IEEE Transactions on Instrumentation and Measurement

Abstract:Unsupervised anomaly detection (AD) methods, either reconstruction based or prediction based, determine anomalies based on residuals. Occasional mutations in a single variable can cause the residuals to exceed the limits. Indeed, such mutations are not variations in the operating mechanism of the system. Thus, system-level anomalies are challenging to characterize. Complex networks (or "graphs") are well adapted for modeling and characterizing the laws of evolution of complex systems. However, most industrial scenarios are without graphs. Hence, a self-supervised variational graph autoencoders (SS-VGAE) method is proposed. First, the multisource sensor dynamic graph is constructed through detrended cross-correlation analysis (DCCA). Second, target and self-supervised learning tasks are designed. The target task is to reconstruct the input graph structure to minimize the reconstruction loss. The self-supervised task is to learn the optimal center of the hypersphere in the latent space such that the mean features are gathered toward the center as much as possible. Multitask joint optimization allows high- and low-dimensional space features to be considered simultaneously, thereby improving the reliability of anomaly scores. Then, the distribution of anomaly scores is calculated and integrated into a system health indicator (HI). The system HI is more applicable to assist decision making. Finally, the superiority of the proposed method, namely, better detection accuracy and robustness, is demonstrated by nuclear personal computer transient analyzer (PCTRAN) simulation data and Skoltech anomaly benchmark (SKAB) data. Last but not least, systematic anomalies are found to make the correlation between the variables stronger.

engineering, electrical & electronic,instruments & instrumentation

Shuguang He,Wei Jiang,Houtao Deng

DOI: https://doi.org/10.1007/s10479-016-2186-4

2016-01-01

Abstract:Traditional control charts assume a baseline parametric model, against which new observations are compared in order to identify significant departures from the baseline model. To monitor a process without a baseline model, real-time contrasts (RTC) control charts were recently proposed to monitor classification errors when seperarting new observations from limited phase I data using a binary classifier. In contrast to the RTC framework, the distance between an in-control dataset and a dataset of new observations can also be used to measure the shift of the process. In this paper, we propose a distance-based multivariate process control chart using support vector machines (SVM), referred to as D-SVM chart. The SVM classifier provides a continuous score or distance from the boundary for each observation and allows smaller sample sizes than the previously random forest based RTC charts. An extensive experimental study shows that the RTC charts with the SVM scores are more efficient than those with the random forest for detecting changes in high-dimensional processes and/or non-normal processes. A real-life example from a mobile phone assembly process is also considered.

Basem AL-Madani,Ahmad Shawahna,Mohammad Qureshi

DOI: https://doi.org/10.48550/arXiv.1911.05692

2019-11-02

Abstract:Industrial Control Networks (ICN) such as Supervisory Control and Data Acquisition (SCADA) systems are widely used in industries for monitoring and controlling physical processes. These industries include power generation and supply, gas and oil production and delivery, water and waste management, telecommunication and transport facilities. The integration of internet exposes these systems to cyber threats. The consequences of compromised ICN are determine for a country economic and functional sustainability. Therefore, enforcing security and ensuring correctness operation became one of the biggest concerns for Industrial Control Systems (ICS), and need to be addressed. In this paper, we propose an anomaly detection approach for ICN using the physical properties of the system. We have developed operational baseline of electricity generation process and reduced the feature set using greedy and genetic feature selection algorithms. The classification is done based on Support Vector Machine (SVM), k-Nearest Neighbor (k-NN), and C4.5 decision tree with the help from the inter-arrival curves. The results show that the proposed approach successfully detects anomalies with a high degree of accuracy. In addition, they proved that SVM and C4.5 produces accurate results even for high sensitivity attacks when they used with the inter-arrival curves. As compared to this, k-NN is unable to produce good results for low and medium sensitivity attacks test cases.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Systems and Control

Huazan Liu,Zhenzhou Ji,Chong Li,Kaikai Li

DOI: https://doi.org/10.1109/ICCEA58433.2023.10135289

2023-01-01

Abstract:As the development of the Internet of Things, industrial control network security issues have become more prominent. Anomaly detection technology is an important detection technology for ensuring the network security of industrial control systems, which can issue alarms and block responses before the system is compromised. However, most models currently suffer from problems such as low detection rate, high false positive rate, and inability to locate the anomalies. To address these issues, this paper proposes a multidimensional feature and spectral residual-based industrial control time series anomaly detection method (SRMCAD) to improve the accuracy of anomaly detection while reducing the false positive rate. First, this paper applies the spectral residual method to multidimensional time series anomaly detection in the industrial control domain, and uses the residual data obtained by spectral residual processing instead of the original data as input to the model. Secondly, to address the problem of imprecise device attack localization and high false positive rate in existing industrial control anomaly detection models, this paper designs and implements an industrial control anomaly detection model based on an encoding-decoding architecture, incorporating the idea of system state modeling and using the Mahalanobis distance as the loss function. Experimental results show that SRMCAD has significant advantages over current advanced methods.

Shuai Zhang,Yumin Liu,Uk Jung

DOI: https://doi.org/10.1080/01605682.2018.1489352

IF: 3.6

2018-09-20

Journal of the Operational Research Society

Abstract:Monitoring the manufacturing process becomes a challenging task with a huge number of variables in traditional multivariate statistical process control (MSPC) methods. However, the rich information is often loaded with some rare suspicious variables, which should be screened out and monitored. Even though some control charts based on variable selection algorithms were proven effective for dealing with such issues, charting algorithms for the sparse mean shift with some spatially correlated features are scarce. This article proposes an advanced MSPC chart based on fused penalty-based variable selection algorithm. First, a fused penalised likelihood is developed for selecting the suspicious variables. Then, a charting statistic is employed to detect potential shifts among the variables monitored. Simulation experiments demonstrate that the proposed scheme can detect abnormal observation efficiently and provide root causes reasonably. It is shown that the fused penalty can capture the spatial information and improve the robustness of a variables selection algorithm for spatially correlated process.

management,operations research & management science

Chao Wei,Qing He

DOI: https://doi.org/10.1109/access.2024.3357077

IF: 3.9

2024-02-03

IEEE Access

Abstract:In recent years, detecting anomalies in networks has attracted much attention in the literature. Researchers have developed various statistical process control (SPC) techniques to monitor the communication level within the networks. It is quite common to see the nodes belonging to some densely connected communities or subgroups and the nodes within a community communicate with each other more frequently than with nodes from other communities. However, we can find scarce SPC techniques that consider the multiple community labels and heterogeneity of nodes simultaneously. It is necessary to overcome this drawback to improve the change detection efficiency. This article establishes a new mixed-membership stochastic block model to characterize the multiple community labels and heterogeneity of nodes simultaneously. Then a new control chart is developed based on generalized likelihood ratio test (GLRT). The proposed control chart can be easily implemented in practice and avoids constant parameter estimation in Phase II monitoring. Numerous simulation studies and a real example show the advantages of proposed chart over existing ones.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jun Ma,Guanzhong Dai,Zhong Xu

DOI: https://doi.org/10.1109/icppw.2009.6

2009-01-01

Abstract:We present a new network anomaly detection system using dissimilarity-based one-class support vector machine(DSVMC). we transform the raw data into a dissimilarity space using Dissimilarity Representations (DR). DR describe objects by their dissimilarities to a set of target class. DSVMC are constructed on these DR. We propose a framework of anomaly detection using DSVMC. A new strategy of prototype selection has been proposed to obtain better DR. We not only offer a better approach in strategy to describe to distribution of large training dataset but also reduce the computational cost of prototype selection largely. In order to deploy the ADS in real-time detection application, we use Kernel Primary Component Analysis (KPCA) to reduce the dimension of transformed data. Evaluation has been made among traditional one-class classifiers, the dissimilarity-based one class SVM classifier without optimization of DR (WSVMC) and our DSVMC on KDD-CUP'99 dataset. The results show that DSVMC can achieve high detection rate than WSVMC and more robust performance than traditional one-class classifiers.

Beixin Xia,Zheng Jian,Lei Liu,Long Li

DOI: https://doi.org/10.1177/1687814018810625

IF: 2.1

2018-01-01

Advances in Mechanical Engineering

Abstract:Conventional multivariate cumulative sum control charts are more sensitive to small shifts than T 2 control charts, but they cannot get the knowledge of manufacturing process through the learning of in-control data due to the characteristics of their own structures. To address this issue, a modified multivariate cumulative sum control chart based on support vector data description for multivariate statistical process control is proposed in this article, which is named D - MCUSUM control chart. The proposed control chart will have both advantages of the multivariate cumulative sum control charts and the support vector data description algorithm, namely, high sensitivities to small shifts and learning abilities. The recommended values of some key parameters are also given for a better application. Based on these, a bivariate simulation experiment is conducted to evaluate the performance of the D - MCUSUM control chart. A real industrial case illustrates the application of the proposed control chart. The results also show that the D - MCUSUM control chart is more sensitive to small shifts than other traditional control charts (e.g. T 2 and multivariate cumulative sum) and a D control chart based on support vector data description.

Yu Zheng,Huan Yee Koh,Ming Jin,Lianhua Chi,Haishuai Wang,Khoa T. Phan,Yi-Ping Phoebe Chen,Shirui Pan,Wei Xiang

2024-01-11

Abstract:The detection of anomalies in multivariate time series data is crucial for various practical applications, including smart power grids, traffic flow forecasting, and industrial process control. However, real-world time series data is usually not well-structured, posting significant challenges to existing approaches: (1) The existence of missing values in multivariate time series data along variable and time dimensions hinders the effective modeling of interwoven spatial and temporal dependencies, resulting in important patterns being overlooked during model training; (2) Anomaly scoring with irregularly-sampled observations is less explored, making it difficult to use existing detectors for multivariate series without fully-observed values. In this work, we introduce a novel framework called GST-Pro, which utilizes a graph spatiotemporal process and anomaly scorer to tackle the aforementioned challenges in detecting anomalies on irregularly-sampled multivariate time series. Our approach comprises two main components. First, we propose a graph spatiotemporal process based on neural controlled differential equations. This process enables effective modeling of multivariate time series from both spatial and temporal perspectives, even when the data contains missing values. Second, we present a novel distribution-based anomaly scoring mechanism that alleviates the reliance on complete uniform observations. By analyzing the predictions of the graph spatiotemporal process, our approach allows anomalies to be easily detected. Our experimental results show that the GST-Pro method can effectively detect anomalies in time series data and outperforms state-of-the-art methods, regardless of whether there are missing values present in the data. Our code is available:

Machine Learning,Artificial Intelligence

Ying-Ti Tsai,Chung-Ho Wang,Yung-Chia Chang,Lee-Ing Tong

DOI: https://doi.org/10.1049/2024/3948341

2024-07-27

IET Information Security

Abstract:Artificial intelligence algorithms and big data analysis methods are commonly employed in network intrusion detection systems. However, challenges such as unbalanced data and unknown network intrusion modes can influence the effectiveness of these methods. Moreover, the information personnel of most enterprises lack specialized knowledge of information security. Thus, a simple and effective model for detecting abnormal behaviors may be more practical for information personnel than attempting to identify network intrusion modes. This study develops a network intrusion detection model by integrating weighted principal component analysis into an exponentially weighted moving average control chart. The proposed method assists information personnel in easily determining whether a network intrusion event has occurred. The effectiveness of the proposed method was validated using simulated examples.

computer science, information systems, theory & methods