Xiaolong Liang

DOI: https://doi.org/10.1109/netcit54147.2021.00053

2021-12-01

Abstract:With the rapid development of network communication technology, the continuous deepening of Internet application and the increasing enrichment of information, the Internet has become an important infrastructure of human society. With the development of network technology and the increasing complexity of network topology, the supervision of network is facing great challenges. Among them, network traffic anomaly detection is one of the important tasks in network supervision. It is an indispensable technical means in network intrusion detection, security monitoring, operation and maintenance. Network security has become a problem faced by people. Anomaly detection is valued by people in academia and industry because it can detect unknown attacks. Researchers have proposed a large number of anomaly detection methods and systems. However, with the continuous growth of network bandwidth and the continuous progress of network attack and defense game, the network itself is in the process of dynamic evolution, and the means and methods of network attack are also evolving, resulting in the improvement of detection accuracy and accuracy of anomaly detection system Operational efficiency, security and ease of use are facing severe challenges. It is of great significance to propose anomaly detection methods with high detection accuracy and high operation efficiency and optimize existing detection algorithms. It is also a cutting-edge scientific problem of common concern in the field of global network security in academia and industry. Based on the prediction model and classifier, this paper proposes a real-time online anomaly detection method for network traffic, and systematically implements this method.

Yi Li,Zhangbing Zhou,Shuiguang Deng,Xiao Sun,Xiao Xue,Sami Yangui,Walid Gaaloul

DOI: https://doi.org/10.1109/icws62655.2024.00077

2024-01-01

Abstract:Anomaly detection is a long-standing research topic to support the prompt remedy of potential risks for dependency-aware tasks, where Graph Neural Networks (GNNs) models have been adopted to differentiate anomalies from normal patterns. Generally, GNN models utilize time series data to construct graph structures for capturing task dependencies between Internet of Things (IoT) devices, such that deviations from predicted behaviours are assumed as anomalies. Current forecasting-based anomaly detection methods can hardly detect anomalies, which are uncovered by historical sensory data, but are explicitly specified by domain knowledge. To solve this issue, this paper proposes a Knowledge-enhanced graph attention-based Anomaly Detection (KeAD) method. Specifically, a knowledge-enhanced graph structure is constructed by incorporating domain-specific knowledge to represent spatio-temporal dependencies between IoT devices. Thereafter, a knowledge-enhanced graph attention-based forecasting network is developed to predict future behaviours of IoT devices. Anomalies are detected by analyzing deviations from these predicted behaviours, taking domain-specific knowledge into account. Extensive experiments are conducted based on publicly-available datasets, and evaluation results demonstrate that our KeAD outperform the state-of-the-art techniques in terms of the accuracy of anomaly detection.

Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

颜若愚,郑庆华,牛国林

DOI: https://doi.org/10.3321/j.issn:0253-987x.2009.12.001

2009-01-01

Abstract:A network traffic anomaly detection method based on adaptive filter is proposed to detect all kinds of network traffic attacks.Multiple network traffic indicators are predicted by recursive least square and the allowable statistical range based on the prediction errors are used to detect anomaly.Detection results are finally normalized.The method has the following traits: no training from any historical data,reducing the number of alarms,remarkably,and highlighting the severity of alarms.Testing results on DARPA intrusion detection data sets show that the proposed method is more suitable to detect denial of service attacks,and has a higher detection rate,faster speed and lower alarm rate than similar existing methods with same dimension of weight vectors.

Yachao Yuan,Yu Huang,Yali Yuan,Jin Wang

2024-10-30

Abstract:The proliferation of the Internet of Things (IoT) has heightened the vulnerability to cyber threats, making it imperative to develop Anomaly Detection Systems (ADSs) capable of adapting to emerging or novel attacks. Prior research has predominantly concentrated on offline unsupervised learning techniques to protect ADSs, which are impractical for real-world applications. Furthermore, these studies often rely heavily on the assumption of known legitimate behaviors and fall short of meeting the interpretability requirements in security contexts, thereby hindering their practical adoption. In response, this paper introduces Adaptive NAD, a comprehensive framework aimed at enhancing and interpreting online unsupervised anomaly detection within security domains. We propose an interpretable two-layer anomaly detection approach that generates dependable, high-confidence pseudo-labels. Subsequently, we incorporate an online learning mechanism that updates Adaptive NAD using an innovative threshold adjustment method to accommodate new threats. Experimental findings reveal that Adaptive NAD surpasses state-of-the-art solutions by achieving improvements of over 5.4% and 23.0% in SPAUC on the CIC-Darknet2020 and CIC-DoHBrw-2020 datasets, respectively. The code for Adaptive NAD is publicly available at <a class="link-external link-https" href="https://github.com/MyLearnCodeSpace/Adaptive-NAD" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Signal Processing

Yali Yuan,Sripriya Srikant Adhatarao,Mingkai Lin,Yachao Yuan,Zheli Liu,Xiaoming Fu

DOI: https://doi.org/10.1109/infocom41043.2020.9155487

2020-07-01

Abstract:Large private and government networks are often subjected to attacks like data extrusion and service disruption. Existing anomaly detection systems use offline supervised learning and employ experts for labeling. Hence they cannot detect anomalies in real-time. Even though unsupervised algorithms are increasingly used nowadays, they cannot readily adapt to newer threats. Moreover, many such systems also suffer from high cost of storage and require extensive computational resources. In this paper, we propose ADA: Adaptive Deep Log Anomaly Detector, an unsupervised online deep neural network framework that leverages LSTM networks and regularly adapts to newer log patterns to ensure accurate anomaly detection. In ADA, an adaptive model selection strategy is designed to choose pareto-optimal configurations and thereby utilize resources efficiently. Further, a dynamic threshold algorithm is proposed to dictate the optimal threshold based on recently detected events to improve the detection accuracy. We also use the predictions to guide storage of abnormal data and effectively reduce the overall storage cost. We compare ADA with state-of-the-art approaches through leveraging the Los Alamos National Laboratory cyber security dataset and show that ADA accurately detects anomalies with high F1-score ~95% and it is 97 times faster than existing approaches and incurs very low storage cost.

Zecheng Li,Shengyuan Chen,Hongshu Dai,Dunyuan Xu,Cheng-Kang Chu,Bin Xiao

DOI: https://doi.org/10.1109/tr.2022.3204349

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Abnormal traffic detection is the core component of the network intrusion detection system. Although semisupervised methods can detect zero-day attack traffic, previous work suffers from high false alarms because the trained model is simply based on normal traffic. In this article, we propose an accurate abnormal traffic detection method using pseudoanomaly, consisting of an efficient feature extraction framework and a novel denoise autoencoder-generative adversarial network (DAE-GAN) model. The feature extraction framework adopts an innovative packet window scheme to extract spatial and temporal features from traffic flows. The DAE-GAN model has multiple DAEs to achieve efficient data augmentation and generate high-quality pseudoanomalies. The pseudoanomalies are obtained by adding noise on normal traffic and enhanced by adversarial learning in DAE-GAN. Our semisupervised detection method, exploiting both normal data and generated pseudoanomalies, achieves a precision of 98.6 on the NSL-KDD dataset and 98.5 on the UNSW-NB15 dataset. Compared with the state-of-the-art, the detection precision and recall under different user behaviors are significantly improved. The evaluation on four attack datasets shows that our method has a high flow-wise precision of over 99 and a high recall of 60.6.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Xiao-Dong Zang,Jian Gong,Xiao-Yan Hu

DOI: https://doi.org/10.1109/access.2019.2914303

IF: 3.9

2019-01-01

IEEE Access

Abstract:Anomaly detection is the first step with a challenging task of securing a communication network, as the anomalies may indicate suspicious behaviors, attacks, network malfunctions, or failures. In this paper, we address the problem of not only detecting different anomalies, such as volume based (e.g., DDoS or Flash crowd) and spatial based (e.g., network scan), that arise simultaneously in the wild but also of attributing the anomalous point to a single-anomaly event causing it. Besides, we also tackle the problem of low-detection accuracy caused by the phenomenon of traffic drift. To this end, a novel adaptive profile-based anomaly detection scheme is proposed. More specifically, a more comprehensive metrics set is defined from the dimensions of temporal, spatial, category, and intensity to compose IP traffic behavior characteristic spectrum for fine-grained traffic characterization. Then, the digital signature matrix obtained by using the ant colony optimization (ACO) algorithm is applied to construct the baseline profile of the normal traffic behavior. Anomalous points are identified and analyzed by using confidence bands and a generic clustering technique, respectively. Finally, a lightweight updating strategy is applied to reduce the number of false positives. Real-world data of China Education Research Network backbone and synthetic data are collected to verify our proposal. The experimental results demonstrate that our approach provides a fine-grained behavior description ability and has significantly increased the detection accuracy compared with other similar alternatives.

XIAO San,YANG Yahui,SHEN Qingni

DOI: https://doi.org/10.3778/j.issn.1002-8331.1208-0286

2013-01-01

Abstract:Since online abnormal detection for backbone network with large flow currently is a research hotspot in network security field,an online network abnormal detection method is proposed to handle big data stream properly.The method processes big data stream into micro-clusters with density-based cluster method,and then micro-clusters absorb data stream directly to enhance the performance.The method regularly executes outlier detection process to find intrusion.The method does not require offline training process and can find any arbitrary clusters.It also supports big data stream and can balance between detection precision and resources with great performance.In the experiment,the prototype system finishes analysis task in 20 s over MIT Lincoln Laboratory LLS_DDOS_1.0 data,with 82% TPR and 6% FPR,which is equivalent to K-means.

Zhichao Hu,Xiangzhan Yu,Likun Liu,Yu Zhang,Haining Yu

DOI: https://doi.org/10.1186/s13677-024-00682-0

2024-01-01

Abstract:In the current era of information technology, blockchain is widely used in various fields, and the monitoring of the security and status of the blockchain system is of great concern. Online anomaly detection for the real-time stream data plays vital role in monitoring strategy to find abnormal events and status of blockchain system. However, as the high requirements of real-time and online scenario, online anomaly detection faces many problems such as limited training data, distribution drift, and limited update frequency. In this paper, we propose an adaptive stream outlier detection method (ASOD) to overcome the limitations. It first designs a K-nearest neighbor Gaussian mixture model (KNN-GMM) and utilizes online learning strategy. So, it is suitable for online scenarios and does not rely on large training data. The K-nearest neighbor optimization limits the influence of new data locally rather than globally, thus improving the stability. Then, ASOD applies the mechanism of dynamic maintenance of Gaussian components and the strategy of dynamic context control to achieve self-adaptation to the distribution drift. And finally, ASOD adopts a dimensionless distance metric based on Mahalanobis distance and proposes an automatic threshold method to accomplish anomaly detection. In addition, the KNN-GMM provides the life cycle and the anomaly index for continuous tracking and analysis, which facilities the cause analysis and further interpretation and traceability. From the experimental results, it can be seen that ASOD achieves near-optimal F1 and recall on the NAB dataset with an improvement of 6% and 20.3% over the average, compared to baselines with sufficient training data. ASOD has the lowest F1 variance among the five best methods, indicating that it is effective and stable for online anomaly detection on stream data.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Shiyong Dai,Yufei Zhao,Jinhua Huang,Xuxian Wang,Guifei Zhao,Lei Zhang,Ming Xie,Ziyue Guo

DOI: https://doi.org/10.1109/access.2023.3306243

IF: 3.9

2023-01-01

IEEE Access

Abstract:Network traffic anomaly detection methods can detect traffic that is significantly different from normal traffic by analyzing network traffic, and are seen as an effective means to detect unknown new attacks because they do not rely on static feature codes. However, most of the current network traffic anomaly detection methods have low accuracy and high false alarm rate. In this paper, an OS-ELM (Online Sequential Extreme Learning Machine) network traffic anomaly detection method is proposed. First, we use SMOTE to balance the data samples to improve the classification detection performance. In order to reduce the high dimensionality between data features and eliminate the redundancy, the Stacked Denoising Autoencoder (SDAE) network is adopt to reduce the dimension of the feature vectors. Finally, we test the real network traffic and analyze the effect of model structure and external noise on the detection performance, and the experimental results verify the correctness of our scheme. Compared with other detection methods based on data reconstruction, the proposed method has higher detection accuracy and better detection performance.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhongyang Wang,Yijie Wang,Hongzuo Xu,Yongjun Wang

DOI: https://doi.org/10.1109/icpads53394.2021.00043

2021-01-01

Abstract:Mixed-type data with both categorical and numerical features are ubiquitous in network security, but the existing methods are minimal to deal with them. Existing methods usually process mixed-type data through feature conversion, whereas their performance is downgraded by information loss and noise caused by the transformation. Meanwhile, existing methods usually superimpose domain knowledge and machine learning in which fixed thresholds are used. It cannot dynamically adjust the anomaly threshold to the actual scenario, resulting in inaccurate anomalies obtained, which results in poor performance. To address these issues, this paper proposes a novel Anomaly Detection method based on Reinforcement Learning, termed ADRL, which uses reinforcement learning to dynamically search for thresholds and accurately obtain anomaly candidate sets, fusing domain knowledge and machine learning fully and promoting each other. Specifically, ADRL uses prior domain knowledge to label known anomalies and uses entropy and deep autoencoder in the categorical and numerical feature spaces, respectively, to obtain anomaly scores combining with known anomaly information, which are integrated to get the overall anomaly scores via a dynamic integration strategy. To obtain accurate anomaly candidate sets, ADRL uses reinforcement learning to search for the best threshold. Detailedly, it initializes the anomaly threshold to get the initial anomaly candidate set and carries on the frequent rule mining to the anomaly candidate set to form the new knowledge. Then, ADRL uses the obtained knowledge to adjust the anomaly score and get the score modification rate. According to the modification rate, different threshold modification strategies are executed, and the best threshold, that is, the threshold under the maximum modification rate, is finally obtained, and the modified anomaly scores are obtained. The scores are used to re-carry out machine learning to improve the algorithm's accuracy for anomalous data. Repeat the above process until the method is stable. We experiment on ten real network traffic datasets. Experiments show ADRL averagely improves ROC-AUC and PR-AUC than eight state-of-the-art competitors by 89.6% and 286.0%, respectively.

Zhenping Shi,Jie Li,Chentao Wu,Jinyuan Li

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00335

2019-01-01

Abstract:With the explosion of network traffic volume, high efficient and large-scale network traffic anomaly detection methods becomes necessary. However, existing methods often fail to take into account both the detection delay and the detection accuracy. We propose a novel method, focusing on period-wise detection. We use Long Short-Term Memory (LSTM) to establish abnormal traffic detection model. Besides, We use some big data processing frameworks for online network traffic collection and preprocessing. Performance evaluation shows that our online anomaly detection model outperforms other anomaly detection methods based on traditional anomaly detection methodologies.

Renyu Liu,Qingsheng Zhu

DOI: https://doi.org/10.1109/ijcnn.2018.8489336

2018-01-01

Abstract:As a kind of network security protection technology, intrusion detection technology has become one of the hot topics in the field of network security. In order to solve the problem that the methods of network anomaly detection have a high requirement on the purity of the normal data-set, and that the existing methods based on outlier detection need to set an anomaly threshold manually. Combining with the idea of Natural Neighborhood Graph, a network anomaly detection method (NAD-NNG) is proposed. In order to eliminate noise points or mislabel points and reduce the time complexity of anomalies detection, the algorithm uses the Natural Neighborhood Graph to cluster the normal data-set. Also, the algorithm can adaptively obtain a percentage value β for setting the anomaly threshold. Experiments on KDDCUP99 show that compared with the other two algorithms, the proposed method can achieve a higher detection rate based on a tolerable false alarm rate.

Yutao Hu,Xin Huang,Xiaoyan Luo

DOI: https://doi.org/10.1007/978-3-030-88007-1_26

2021-01-01

Abstract:Anomaly detection in video is a challenging task with great application value. Most existing approaches formulate anomaly detection as a reconstruction/prediction problem established on the encoderdecoder structure. However, they suffer from the poor generalization performance when the model is directly applied to an unseen scene. To solve this problem, in this paper, we propose an Adaptive Anomaly Detection Network (AADNet) to realize few-shot scene-adaptive anomaly detection. Our core idea is to learn an adaptive model, which can identify abnormal events without fine-tuning when transferred to a new scene. To this end, in AADNet, a Segments Similarity Measurement (SSM) module is utilized to calculate the cosine distance of different input video segments, based on which the normal segments will be gathered. Meanwhile, to further exploit the information of normal events, we design a novel Relational Scene Awareness (RSA) module to capture the pixelto-pixel relationship between different segments. By combining the SSM module with RSA, the proposed AADNet becomes much more generative. Extensive experiments on four datasets demonstrate our method can adapt to a new scene effectively without fine-tuning and achieve the state-of-the-art performance.

Yong Feng,Jiang Zhong,Zhong-Yang Xiong,Chun-Xiao Ye,Kai-Gui Wu

DOI: https://doi.org/10.1007/978-3-540-72393-6_113

2007-01-01

Abstract:An approach to network anomaly detection is investigated, based on dynamic self-organizing maps (DSOM) and ant colony optimization (ACO) clustering. The basic idea of the method is to produce the cluster by DSOM and ACO. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on DSOM and ACO clustering can settle these problems effectively. The experiment results show that our approach can detect unknown intrusions efficiently in the real network connections.

Zhi-Quan Qin,Hong-Zuo Xu,Xing-Kong Ma,Yong-Jun Wang

DOI: https://doi.org/10.1155/2022/3595304

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Network behavior anomaly detection is an effective approach to discover unknown attacks, where generating high-efficacy network behavior representation is one of the most crucial parts. Nowadays, complicated network environments and advancing attack techniques make it more challenging. Existing methods cannot yield satisfied representations that express the semantics of network behaviors comprehensively. To tackle this problem, we propose XNBAD, a novel unsupervised network behavior anomaly detection framework, in this work. It integrates the timely high-order host states under the dynamic interaction context with the conversation patterns between hosts for behavior representation. High-order states can better summarize latent interaction patterns, but they are hard to be obtained directly. Therefore, XNBAD utilizes a graph neural network (GNN) to automatically generate high-order features from series of extracted base ones. We evaluated the detection performance of XNBAD in a publicly available benchmark dataset ISCX-2012. To report detailed and precise experimental results, we carefully refined the dataset before evaluation. The results show that XNBAD discovered various attack behaviors more effectively, and it significantly outperformed the existing representative methods by at least 3.8% relative improvement in terms of the overall weighted AUC.

LI Yang,FANG Bin-xing,GUO Li,TIAN Zhi-hong,ZHANG Yong-zheng,JIANG Wei

DOI: https://doi.org/10.1145/1229285.1229292

2007-01-01

Abstract:Intrusion detection is a critical component of secure information systems. Network anomaly detection has been an active and difficult research topic in the field of Intrusion Detection for many years. However, it still has some problems unresolved. They include high false alarm rate, difficulties in obtaining exactly clean data for the modeling of normal patterns and the deterioration of detection rate because of some "noisy" data in the training set. In this paper, we propose a novel network anomaly detection method based on improved TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) machine learning algorithm. A series of experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positive rate, low false positive rate and high confidence than the state-of-the-art anomaly detection methods. In addition, even interfered by "noisy" data (unclean data), the proposed method is robust and effective. Moreover, it still retains good detection performance after employing feature selection aiming at avoiding the "curse of dimensionality".

CAI Long-zheng,YU Sheng-sheng,ZHOU Jing-li,WANG Xiao-feng

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.10.014

2006-01-01

Abstract:This paper proposed a network connection based anomaly detection approach with unlabeled training data (ADUTD). It can be considered as an enhancement to traditional anomaly detection methods by building detection models from noisy training data. ADUTD exploits the property that if there are intrusions hidden in training data, they are likely to consist of some kinds of attribute values with low frequency of occurrence. Both fields of packets' header and application layer data are used as attributes for building models and detecting intrusions. Furthermore, network traffic is divided into different parts according to their service types, and models are built for each part so as to enhance the ability of detecting attacks. Empirical experiments with DARPA 1999 IDS evaluation data set show that with unlabeled noisy training data, ADUTD has compared performance with previous schemes trained with clean or labeled data. When both trained with clean data, ADUTD has higher detection rate then previous schemes.