LI Yang,FANG Bin-Xing,GUO Li,CHEN You

DOI: https://doi.org/10.1360/jos182595

2007-01-01

Journal of Software

Abstract:Network anomaly detection has been an active and difficult research topic in the field of intrusion detection for many years. Up to now, high false alarm rate, requirement of high quality data for modeling the normal patterns and the deterioration of detection rate because of some noisy data in the training set still make it not perform as well as expected in practice. This paper presents a novel network anomaly detection method based on improved TCM-KNN (transductive confidence machines for K-nearest neighbors) machine learning algorithm, which can effectively detect anomalies using normal data for training. A series of experiments on well known KDD Cup 1999 dataset demonstrate that it has lower false positive rate, especially higher confidence under the condition of ensuring high detection rate than the traditional anomaly detection methods. In addition, even provided with training dataset contaminated by noisy data, the proposed method still holds good detection performance. Furthermore, it can be optimized without obvious loss of detection performance by adopting small dataset for training and employing feature selection aiming at avoiding the curse of dimensionality.

LI Yang,FANG Bin-xing,GUO Li,TIAN Zhi-hong,ZHANG Yong-zheng,JIANG Wei

DOI: https://doi.org/10.1145/1229285.1229292

2007-01-01

Abstract:Intrusion detection is a critical component of secure information systems. Network anomaly detection has been an active and difficult research topic in the field of Intrusion Detection for many years. However, it still has some problems unresolved. They include high false alarm rate, difficulties in obtaining exactly clean data for the modeling of normal patterns and the deterioration of detection rate because of some "noisy" data in the training set. In this paper, we propose a novel network anomaly detection method based on improved TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) machine learning algorithm. A series of experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positive rate, low false positive rate and high confidence than the state-of-the-art anomaly detection methods. In addition, even interfered by "noisy" data (unclean data), the proposed method is robust and effective. Moreover, it still retains good detection performance after employing feature selection aiming at avoiding the "curse of dimensionality".

Xiejun Ni,Daojing He,Farooq Ahmad

DOI: https://doi.org/10.21015/vtse.v9i2.403

2016-01-01

VFAST Transactions on Software Engineering

Abstract:Revised July 2015 ABSTRACT. Network anomaly detection is an effective way to detect intrusions which defends our computer systems or network from attackers on the Internet. In this paper, we introduce the current research works in network anomaly detection and consider several pratical solutions for this issue. Different from signature-based method, data mining techniques can automatically extract normal pattern from a large set of network data and distinguish them from each other. However, those data mining techniques, such as classification, clustering, association rules and feature selection, can not be applied into this problem directly due to the characteristic of network data and technique themselves. We analyze those unfitness and propose some adaptation to detect anomaly timely and accurately.

Weiwei Chen,Fangang Kong,Feng Mei,Guiqin Yuan,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity.2017.56

2017-01-01

Abstract:Network Anomaly Detection plays an important part in network security. Among the state-of-the-art approaches, unsupervised anomaly detection is effective when dealing with unlabelled data. However, these approaches also suffer from high false positive rate. We observed that different methods have their own defects and advantages. Inspired by this observation, we provide a new ensemble clustering(NEC) method to detect novel anomalies. In our system,we can get higher detection rate and lower false positive rate compared with existed apporaches as verified over NSL-KDD 2009 dataset.

赵欣,叶茂,朱莺嘤,郑凯元

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.05.027

2010-01-01

Abstract:Network intrusion detection is an important aspect of information security.Many good results in this aspect have been obtained in recent years.Most of them face the problem of low detection rate.The network connection's attributes which have the character of obvious distinction between normal and abnormal are often chosen by experts to judge whether the new network connections are normal.This method has some randomness which affects the detection rate.A method which aims to choose attributes based on the inherent law of normal network connections is proposed.The attributes can be chosen such that the high dimensional data can be transformed to one dimension automatically.The method of sequence data mining is used to find the rules of normal network connections.The new network connections can be detected by these rules.An experiment has been done on the datum of KDD99.The result indicates that the method of this paper has high detection rate.

Jiang Zhong,Xiongbing Deng,Luosheng Wen,Yong Feng

DOI: https://doi.org/10.1109/aici.2009.450

2009-01-01

Abstract:Data mining techniques have been successfully applied in intrusion detection because they can detect both misuse and anomaly. One of the unsupervised ways to define anomalies is by saying that anomalies are not concentrated, which depend on the density of data set. In this paper, the anomalies can be specified by choosing a reference measure μ which determines a density and a level value r. In order to reveal the relationship between the distribution of connection feature data sets and the reference measure μ, we proposed a new method to design RBF classifier based on multiple granularities immune network, and apply this algorithm to estimate density level set for the data set, through which the anomaly network connections have been detected. Experimental results on the real network data set showed that the new method is competitive with others in that the false alarm rate is kept low without many missed detections.

H. P. Yao,Y. Q. Liu,C. Fang

DOI: https://doi.org/10.15837/ijccc.2016.4.2315

IF: 2.635

2016-01-01

International Journal of Computers Communications & Control

Abstract:Anomaly network detection is a very important way to analyze and detect malicious behavior in network. How to effectively detect anomaly network flow under the pressure of big data is a very important area, which has attracted more and more researchers' attention. In this paper, we propose a new model based on big data analysis, which can avoid the influence brought by adjustment of network traffic distribution, increase detection accuracy and reduce the false negative rate. Simulation results reveal that, compared with k-means, decision tree and random forest algorithms, the proposed model has a much better performance, which can achieve a detection rate of 95.4% on normal data, 98.6% on DoS attack, 93.9% on Probe attack, 56.1% on U2R attack, and 77.2% on R2L attack.

Liang HE,Yongcheng WANG,Yun LI,Yanjie CHU,Chao SHEN

DOI: https://doi.org/10.3778/j.issn.1002-8331.1811-0026

2019-01-01

Abstract:In the fields of network maintenance and operation, it attracts much attention how to detect and prompt the net-work anomalies in time. Anomalous events are less in dataset than the normal ones, leading to the fact that it is difficult to use the two-class classifications for anomaly detection because of the imbalance of data labeled as normal or anomalous. Meanwhile, anomalous events are in various patterns and there is little prior information about the anomaly that the users are concerned with, therefore, it is necessary to model the normal data and use them for anomaly detection by comparing the received data with the normal model. Based on Lindeberg-Feller central limit theorem, a hypothesis test is designed to detect whether the data to be tested is anomalous or not, according to the refusing area calculated by the confidential parameter. Finally, the theorem of this algorithm is simulated and the performance is also tested both on the common and the actual datasets. When the users take the correlation features of the anomalous events as the algorithm input, the recall ratio reaches 90%.

Kaize Ding,Qinghai Zhou,Hanghang Tong,Huan Liu

DOI: https://doi.org/10.48550/arXiv.2102.11165

2021-02-23

Abstract:Network anomaly detection aims to find network elements (e.g., nodes, edges, subgraphs) with significantly different behaviors from the vast majority. It has a profound impact in a variety of applications ranging from finance, healthcare to social network analysis. Due to the unbearable labeling cost, existing methods are predominately developed in an unsupervised manner. Nonetheless, the anomalies they identify may turn out to be data noises or uninteresting data instances due to the lack of prior knowledge on the anomalies of interest. Hence, it is critical to investigate and develop few-shot learning for network anomaly detection. In real-world scenarios, few labeled anomalies are also easy to be accessed on similar networks from the same domain as of the target network, while most of the existing works omit to leverage them and merely focus on a single network. Taking advantage of this potential, in this work, we tackle the problem of few-shot network anomaly detection by (1) proposing a new family of graph neural networks -- Graph Deviation Networks (GDN) that can leverage a small number of labeled anomalies for enforcing statistically significant deviations between abnormal and normal nodes on a network; and (2) equipping the proposed GDN with a new cross-network meta-learning algorithm to realize few-shot network anomaly detection by transferring meta-knowledge from multiple auxiliary networks. Extensive evaluations demonstrate the efficacy of the proposed approach on few-shot or even one-shot network anomaly detection.

Machine Learning

YANG Yu-zhou,ZHANG Feng-li,WANG Yong

DOI: https://doi.org/10.3969/j.issn.1002-137x.2012.04.012

2012-01-01

Computer Science

Abstract:Network anomaly detection has become one of the focus research topics in the field of intrusion detection.However,issues on accurate selection of key date in training set,the long selection time,and the high rate of detection misstatement are still unresolved.Regarding to those problems,to integrate K-MEANS and Branch and Bound Algorithm,and to build up a network anomaly detection model on it can significantly improve the accuracy of key data selection,and reduce time consumption as well.A series of experiments on well known KDD Cup 1999 dataset demonstrate that the model can achieve a high detection accuracy and efficiently constrain the false alarms caused by detection.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Renyu Liu,Qingsheng Zhu

DOI: https://doi.org/10.1109/ijcnn.2018.8489336

2018-01-01

Abstract:As a kind of network security protection technology, intrusion detection technology has become one of the hot topics in the field of network security. In order to solve the problem that the methods of network anomaly detection have a high requirement on the purity of the normal data-set, and that the existing methods based on outlier detection need to set an anomaly threshold manually. Combining with the idea of Natural Neighborhood Graph, a network anomaly detection method (NAD-NNG) is proposed. In order to eliminate noise points or mislabel points and reduce the time complexity of anomalies detection, the algorithm uses the Natural Neighborhood Graph to cluster the normal data-set. Also, the algorithm can adaptively obtain a percentage value β for setting the anomaly threshold. Experiments on KDDCUP99 show that compared with the other two algorithms, the proposed method can achieve a higher detection rate based on a tolerable false alarm rate.

Fangyuan Cheng,Xiaofeng Qiu

DOI: https://doi.org/10.1109/icnidc.2016.7974527

2016-01-01

Abstract:In this paper, an anomaly detection method based on frequent sub-graph mining and association analysis is introduced to ensure the security of the SDN. With this method, the network behavior data in SDN are represented as a graph, abnormal sub-graphs of which are readily detectable. And patterns of the detected abnormal behaviors are able to be identified. Furthermore, an ensemble method based on Bagging algorithm is proposed to improve the detection accuracy. Experiment with global flow table data based on SDN indicated that this approach was capable of detecting anomalies in SDN. Moreover, to illustrate the effectiveness of this method in other aspects, comparisons with KDD99 data set were conducted. And the results verified its excellent ability in reducing false alarms and the effect of the ensemble method on improving the detection accuracy.

Wei Xiaotao,Huang Houkuan,Tian Shengfeng

2007-01-01

Abstract:A semi-supervised clustering algorithm based on the traditional k-means algorithm is proposed for network anomaly detection. We improve the original algorithm mainly in three aspects. First, the number of clusters is automatically decided by merging and splitting of clusters. Second, a small portion of labeled samples are employed to supervise the clustering process in the merging and splitting stage. Also, we modify the algorithm to directly process the symbolic attribute values. Experimental result on the KDD 99 intrusion detection datasets shows that our algorithm has high detection rate while maintaining a low false positive rate.

Tong Sun,Yan Liu,Jing Chen

DOI: https://doi.org/10.1109/compcomm.2017.8322580

2017-01-01

Abstract:Detecting abnormal behavior during network evolution is an important and challenging data analysis task at present, it is named as dynamic network anomaly detection in this paper. The network abnormal behavior differs from that of normal behavior, the probability of occurrence stays relatively low but may cause serious damages once happened. This paper takes the topological structure of the network as the research object and identifies the network anomaly through the change of network structure. Based on Cox-stuart test, we put forward a new type of method to detect dynamic anomaly. This method refers to an alarm of monitoring the trend change of the network structure parameters. Finally, an experiment was carried out in the real dynamic network-Enron Email Network, which verified that the dynamic network anomaly detection method proposed in this paper can effectively detect the network anomaly behavior.

Yang Li,Tian-Bo Lu,Li Guo,Zhi-Hong Tian,Lin Qi

DOI: https://doi.org/10.1109/glocom.2009.5425547

2009-01-01

Abstract:Network anomaly detection is a classically difficult research topic in intrusion detection. However, existing research has been solely focused on the detection algorithm. An important issue that has not been well studied so far is the selection of normal training data for network anomaly detection algorithm, which is highly related to the detection performance and computational complexity. Based on our previous proposed TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) anomaly detection method, which can detect anomalies with high detection rate and low false positive rate, we develop an instance selection mechanism for TCM-KNN based on EFCM (Extended Fuzzy C-Means) clustering algorithm in this paper, aiming at limiting the size of training dataset, thus reducing the computational cost of TCM-KNN and boosting its detection performance. We report the experimental results over real network traffic. The results demonstrate the instance selection method presented in this paper is effective for TCM-KNN and thus optimizing it as an effectively lightweight network anomaly detection scheme.

Jiang Zhong,Xiongbing Deng,Luosheng Wen,Yong Feng

DOI: https://doi.org/10.1109/icicta.2009.324

2009-01-01

Abstract:In this paper, an novel unsupervised intrusion detection method is presented, in which the anomalies was specified by choosing a reference measure mu which determines a density and a level value rho. in order to reveal the relationship between the distribution of connection feature data sets and the reference measure mu, we proposed a new method to design SVM classifier based on RBF core, and apply this algorithm to estimate density level set for the data set, through which the anomaly network connections have been detected. Experimental results on the real network data set showed that the new method is competitive with others in that the false alarm rate is kept low without many missed detections.

Rongqiao Fan,Qiyuan Fan,Xue Li,Puming Wang,Jing Xu,Xin Jin,Shaowen Yao,Peng Liu

DOI: https://doi.org/10.1016/j.ins.2024.121210

IF: 8.1

2024-01-01

Information Sciences

Abstract:Network traffic anomaly detection is a crucial task for today's network monitoring and maintenance. However, with the rapid growth of network data volume, the data structure has become more and more complex, showing multi-modal characteristics, which makes traffic anomaly detection face a great challenge. The earlier proposed anomaly detection methods have the following deficiencies, i) Most of them are static or dynamic detection methods that only grow along the temporal modality. ii) Lower detection rate or higher computational cost. To address these deficiencies, this article proposes a traffic anomaly detection framework based on multi-modal incremental tensor decomposition, which has the following three highlights, i) Constructing traffic data as a tensor model to fully mine the correlation between data, and the proposed framework is applicable to the situation where traffic data grows dynamically along multiple modes. ii) Using the multi-modal incremental tensor decomposition method to process dynamically growing data without decomposing all the data, greatly reducing computational cost and improving data quality. iii) Using the XGBoost classification algorithm for anomaly detection to improve detection accuracy. Finally, the results of experiments on two real network traffic datasets NSL-KDD and CICDDOS 2019 show that the proposed framework can achieve a high detection rate of 99.21%, and has the characteristics of good scalability and fast detection speed.

Baojiang Cui,Shanshan He,Haifeng Jin

DOI: https://doi.org/10.1109/imis.2015.43

2015-01-01

Abstract:the large number of internet traffic has highlighted the importance of traffic detection. Anomaly detection is playing an increasingly important role in network security. Feature matching, statistics rules and data mining are widely used in traditional anomaly detection systems, but they have numerous disadvantages, such as low accuracy, over consumption of processing resources. For the complexities of irregular situation, we propose a new model for anomaly traffic detection in this paper. This study combine feature matching module, statistics rules module and data mining module under fully considering the advantages and disadvantages of these three detection methods. Moreover, a multi-layer detection scheme was introduced to enhance system accuracy and reduce the complexity at the same time. Data mining module is the core of the model, Naive Bayes, decision tree and clustering algorithms are used in this module. The results of this system are produced by integrating the detection results of multi detection modules and proved that it has more accuracy than separate module.