Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

Jun Ma,GuanZhong Dai

DOI: https://doi.org/10.1109/ISDA.2008.129

2008-01-01

Abstract:Anomaly detection in computer networks tries to detect traffic deviation from the normal model. Traditionally, feature-based one-class classifiers are the main components of anomaly detection systems. The performance of this anomaly detection system largely depends on the result of the feature selection. Dissimilarity representations describe an object by its dissimilarities to a set of target class. The dissimilarity-based one-class classifiers (DBOCCs) are constructed on dissimilarity representations. Redundancy and relativity of the features cast little influence on the performance of DBOCCs. This paper proposes anomaly detection using DBOCCs with unsupervised learning approach. Several combinations of DBOCCs scheme have also been used. The experimental results on KDDCUP'99 dataset shows that DBOCCs can achieve high detection rate and low false positive without large degeneration in performance as traditional feature-based classifiers suffered when different feature subsets have been used.

,Chunhua Gu,xueqin zhang

DOI: https://doi.org/10.1109/ICMLC.2007.4370710

2007-01-01

Abstract:Network Anomaly Detection is a critical task to ensure network security. With increasing network traffic, detecting network anomaly would require solving a large-scale pattern classification problem that often contains millions of training vectors. Each training vector may represent a particular signature of network traffic pattern and some of them may be linked to security breaching activities that need to be detected and eradicated. In this paper, a popular statistical learning algorithm known as the Support Vector Machine (SVM) was consider to solve the network anomaly detection problem. However, it is well known that SVM would require excessively long computing time and exceedingly large amount of memory when number of training vectors becomes huge. Hence, direct application of the standard SVM algorithm to solve large-scale network anomaly detection problems is impractical. In this paper, based on computational geometry theory, a new algorithm called convex-hull SVM (CH-SVM) was proposed, which can yield the same solution as original SVM while using significantly less training data, and hence less computing time. Then experiments were done on KDD'99 intrusion detection dataset to compare the performance of the proposed algorithm to a standard SVM and observed reduced training time and improved classification accuracy.

Yuan Zhang,Qinghai Yang,Sangarapillai Lambotharan,Konstantinos Kyriakopoulos,Ibrahim Ghafir,Basil AsSadhan

DOI: https://doi.org/10.1109/wcsp.2019.8927907

2019-01-01

Abstract:With the rapid development of new technologies and applications of Internet, much attention has been paid to the detection of anomalies in cyberspace traffic. A series of intrusion detection techniques based on machine learning have been developed. Support vector machine (SVM), as an essential approach, has been paid close attention in this filed. Nevertheless, the existing SVM-based techniques with the training features can not efficiently detect short duration intrusions and attacks in the traffic. To tackle this issue, we propose an anomaly-based SVM detection scheme by extracting and optimizing the training features. It trains the SVM with Kullback-Leibler (KL) divergence and cross-correlation calculated by the control and data planes traffic. Following this way, the novel training method can effectively enhance the detection accuracy. And the performance of the presented scheme is validated and evaluated based on a recent realistic Internet traffic dataset. Finally, relevant results indicate that the developed method establishes the relationship between Transmission Control Protocol (TCP) traffic and intrusions. It can efficiently detect short duration intrusions and attacks in the network traffic.

Jingxuan Pang,Xiaokun Pu,Chunguang Li

DOI: https://doi.org/10.1109/tii.2022.3145834

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Anomaly detection plays an important role in industry, especially in ensuring system safety and product quality. Due to the unavailability of anomalous data in many practical cases, anomaly detection is usually solved by one-class classification (OCC) methods using only normal data. As a classical OCC method, one-class support vector machine (OCSVM) is a popular discriminative approach for anomaly detection, which detects abnormal data points by establishing a decision boundary in the kernel space. However, the performance of OCSVM heavily relies on kernel parameters, whose selection is not trivial for anomaly detection problems. Moreover, for some uneven and complex data distributions, different data regions may have quite different densities and shapes, making it difficult for OCSVM to obtain good boundaries in all regions using a global kernel parameter. To address the above two issues, in this article, we propose a hybrid algorithm incorporating vector quantization and OCSVM (VQ-OCSVM). Specifically, vector quantization is used to extract distribution information of normal data, and the results are used to construct an explicit mapping function to map data into a high-dimensional feature space. Then, OCSVM is performed in the feature space to build a classifier. By introducing the explicit mapping into OCSVM, the proposed method can effectively bypass the kernel parameter selection problem of the classical OCSVM method. Furthermore, the constructed mapping carries the data distribution information, and the VQ-OCSVM model can be regarded as an integration of generative learning and discriminative learning. The complementary properties of these two paradigms make the proposed VQ-OCSVM algorithm have better generalization capacity for complex data distribution. Both qualitative and quantitative experimental results demonstrate the effectiveness and advantages of the proposed method.

王飞,徐本连,钱玉文,戴跃伟,王执铨

DOI: https://doi.org/10.16182/j.cnki.joss.2012.04.037

2012-01-01

Abstract:In view of the disadvantage,of an anomaly detection which can not provide more useful information about the unknown intrusions,an anomaly detection model based on hybrid SVM/SOM was proposed.At first,support vector machine（SVM） was used to detect anomalous connections,and then the detected anomalies were as input of the clustering module to get more information.The clustering module consisted of self-organizing map（SOM） algorithm and information acquisition algorithm.Through the method of acquire information about the detected anomalies,more valuable information about the unknown intrusions could be obtained.Finally,the kddcup99 data sets were used for simulation.The experimental results show that the detection model has a better detection efficiency and low false alarm rate,and the model for getting information of unknown intrusions is valid.

Fei Wang,Yuwen Qian,Yuewei Dai,Zhiquan Wang

DOI: https://doi.org/10.1109/CMC.2010.9

2010-01-01

Abstract:For solving the problem of less information getting about unknown intrusions in anomaly detection, a model based on hybrid SVM/SOM is proposed. Firstly, C-SVM is used to find out the anomalous connections, and then, a packet filtering scheme is used to remove the known intrusions, which is performed by one-class SVM, after that, the identified unknown intrusions are projected onto the output grid by SOM. Finally, the experimental results, which use kddcup99 dataset, show high detection rate with low false rate and can get more information about the unknown intrusion.

杨敏,张焕国,傅建明,罗敏

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.03.014

2005-01-01

Abstract:This paper proposes a new anomaly intrusion detection method based on support vector data description(SVDD ). According to this method, intrusion detection is regarded as one-class classification problem. A support vector description model is built for normal data, and then known and unknown attacks can be detected using this model. This method falls into the category of unsupervised anomaly detection techniques as it can train the model with unlabeled and noisy data. Results from preliminary experiments with the KDD CUP'99 network data indicate that the method has satisfying performance.

Qian Ma,Cong Sun,Baojiang Cui

DOI: https://doi.org/10.1016/j.cose.2021.102215

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:New vulnerabilities and ever-evolving network attacks pose great threats to today’s cyberspace security. Anomaly detection in network traffic is a promising and effective technique to enhance network security. In addition to traditional statistical analysis and rule-based detection techniques, machine learning models are introduced for intelligent detection of abnormal traffic data. In this paper, a novel model named SVM-C is proposed for the anomaly detection in network traffic. The URLs in the network traffic log are transformed into feature vectors via statistical laws and linear projection. The obtained feature vectors are fed into a support vector machine (SVM) classifier and classified as normal or abnormal. Based on the idea of SVM and clustering, we construct an optimization model to train the parameters of the feature extraction method and traffic classifier. Numerical tests indicate that the proposed model outperforms the state of the arts on all the tested datasets.

KL Li,HK Huang,SF Tian,W Xu

DOI: https://doi.org/10.1109/icmlc.2003.1260106

2003-01-01

Abstract:With the tremendous growth of the Internet, information system security has become an issue of serious global concern due to the rapid connection and accessibility. Developing effective methods for intrusion detection, therefore, is an urgent task for assuring computer & information system security. Since most attacks and misuses can be recognized through the examination of system audit log files and pattern analysis therein, an approach for intrusion detection can be built on them. First we have made deep analysis on attacks and misuses patterns in log files; and then proposed an approach using support vector machines for anomaly detection. It is a one-class SVM based approach, trained with abstracted user audit logs data from 1999 DARPA.

YX Wang,J Wong,A Miner

DOI: https://doi.org/10.1109/iaw.2004.1437839

2004-01-01

Abstract:Kernel methods are widely used in statistical learning for many fields, such as protein classification and image processing. We recently extend kernel methods to intrusion detection domain by introducing a new family of kernels suitable for intrusion detection. These kernels, combined with an unsupervised learning method - one-class Support Vector Machine, are used for anomaly detection. Our experiments show that the new anomaly detection methods are able to achieve better accuracy rates than the conventional anomaly detectors.

GAO Hai-hua,YANG Hui-hua,WANG Xing-yu

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.03.019

2006-01-01

Abstract:Feature selection and feature extraction are two kinds of dimensionality reduction techniques to boost classifiers' performance.Very little work on feature extraction is taken in the field of network anomaly detection.This paper applies principal component analysis(PCA) and kernel prncipal component analysis(KPCA) to network intrusion feature extraction.The extracted features are employed by SVM for classification.PCA linearly transforms the original inputs into new uncorrelated features while KPCA is an nonlinear generalization of the linear PCA using the kernal method.The MIT's KDD Cup 99 dataset is used to evaluate these feature extraction methods,and classification performances achieved by SVM with PCA and KPCA feature extraction are compared with those obtained by principal component regression(PCR) and kernel principal component regression(KPCR) classification methods and by SVM without(application) of feature extraction.The results clearly demonstrate that feature extraction can greatly reduce the dimensionality of feature space witout degrading the claaifiers' performance.Among these methods,the best performance is achieved by SVM using only the first four principal components extracted by(KPCA.)

Qian Ma,Cong Sun,Baojiang Cui

DOI: https://doi.org/10.1155/2021/2170788

IF: 1.968

2021-11-20

Security and Communication Networks

Abstract:New vulnerabilities and ever-evolving network attacks pose great threats to today’s cyberspace security. Anomaly detection in network traffic is a promising and effective technique to enhance network security. In addition to traditional statistical analysis and rule-based detection techniques, machine learning models are introduced for intelligent detection of abnormal traffic data. In this paper, a novel model named SVM-C is proposed for the anomaly detection in network traffic. The URLs in the network traffic log are transformed into feature vectors via statistical laws and linear projection. The obtained feature vectors are fed into a support vector machine (SVM) classifier and classified as normal or abnormal. Based on the idea of SVM and clustering, we construct an optimization model to train the parameters of the feature extraction method and traffic classifier. Numerical tests indicate that the proposed model outperforms the state of the arts on all the tested datasets.

computer science, information systems,telecommunications

Qian Huang,Zhen Wang,Tao Wei,Yu Chen

2006-01-01

Abstract:This paper presents an algorithm for intrusion detection, based on one-class support vector machine (SVM) and online training of SVM. The algorithm formulates intrusion detection as a one-class classification problem. The model-building part of the algorithm works even when the training data is noisy, and therefore compared with regular SVM algorithms, it imposes fewer requirements on the training set and has a higher detection rate. For the testing data containing new types of attack, the algorithm can add such data to the training set and update the training result real-time. It tests the algorithm on KDD CUP' 99 benchmark data set for intrusion detection and the result shows that the algorithm is able to shorten the training time, and in the same time, obtain a high detection rate.

Wenqi Chen,Zhiliang Wang,Liyuan Chang,Kai Wang,Ying Zhong,Dongqi Han,Chenxin Duan,Xia Yin,Jiahai Yang,Xingang Shi

DOI: https://doi.org/10.1016/j.comnet.2024.110423

IF: 5.493

2024-01-01

Computer Networks

Abstract:The last decade has seen increasing application of machine learning to various tasks, including network anomaly detection. But anomaly detection methods using a single machine learning algorithm often fail to perform well, since network traffic can have complex and changeable patterns. Therefore, many solutions based on ensemble learning have been proposed to address this problem. However, previous studies have a essential drawback that they overlook the similarity between the weak classifiers, which may degrade the detection ability of the model. What's more, prior work use offline and supervised algorithms, which means a large amount of memory and reliable labels are necessary during the training period. In this paper, we propose ADSIM, an online, unsupervised, and similarity-aware network anomaly detection algorithm based on ensemble learning. In the training phase, ADSIM incrementally maintains a distance matrix to record the similarity between the classifiers and uses hierarchy clustering to group similar classifiers. In the detecting phase, each cluster will be assigned a weight based on the consistency of the classifier outputs within it. We evaluate ADSIM on two datasets, MAWILab and CIC-IDS-2017, and the results show that ADSIM can accurately detect various anomalies and outperforms state-of-the-art ensemble learning methods.

Yan Qiao,Kui Wu,Peng Jin

DOI: https://doi.org/10.1109/TKDE.2021.3077046

IF: 9.235

2021-05-03

IEEE Transactions on Knowledge and Data Engineering

Abstract:This paper addresses the problem of anomaly detection for high-dimensional sensing data. The one-class support vector machine (OCSVM) is one of the most popular unsupervised methods for anomaly detection. When data are high dimensional and large scale, however, the efficiency of OCSVM-based methods in anomaly detection suffers. Although dimensionality-reduction tools, such as deep belief networks, can be applied to compress the high-dimensional data to alleviate the problem, the accuracy and timely detection are still hard to improve due to the inherent features of OCSVM. In this paper, we propose a new form of OCSVM model based on the structure of the compressed data and the characteristics of OCSVM. Based on the new model, we design both optimal and approximate methods for model training and testing. We evaluate the performance of our methods with extensive experiments on four real-world datasets. The experimental results demonstrate that our new methods, both optimal and approximate ones, not only significantly outperform the state-of-the-art in accuracy and efficiency, but also achieve the good performance without the need of manual parameter tuning. In addition, our approximate training and testing mechanism can reduce the computing time by three orders of magnitude with a negligible loss in accuracy.

Computer Science

LI Yang,FANG Bin-xing,GUO Li,TIAN Zhi-hong,ZHANG Yong-zheng,JIANG Wei

DOI: https://doi.org/10.1145/1229285.1229292

2007-01-01

Abstract:Intrusion detection is a critical component of secure information systems. Network anomaly detection has been an active and difficult research topic in the field of Intrusion Detection for many years. However, it still has some problems unresolved. They include high false alarm rate, difficulties in obtaining exactly clean data for the modeling of normal patterns and the deterioration of detection rate because of some "noisy" data in the training set. In this paper, we propose a novel network anomaly detection method based on improved TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) machine learning algorithm. A series of experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positive rate, low false positive rate and high confidence than the state-of-the-art anomaly detection methods. In addition, even interfered by "noisy" data (unclean data), the proposed method is robust and effective. Moreover, it still retains good detection performance after employing feature selection aiming at avoiding the "curse of dimensionality".

Fei Wang,Yuwen Qian,Yuewei Dai,ZhiQuan Wang

2010-01-01

Journal of Information and Computational Science

Abstract:In view of low-level information acquisition of anomaly detection, an anomaly detection model for information acquisition is proposed. First, Support Vector Machine (SVM) is applied to detect abnormal network connections; second, a packet filtering scheme is used for classification and matching, which is performed by an ensemble of one-class SVM(OC-SVM) classifier, after that, unknown intrusions are obtained and as input of clustering part, from which the anomalous connections are classified further and get their valid information. Lastly, the experiments are done based on kddcup99 dataset. Its result indicates that the proposed model can get more information about the anomalous connections effectively with relative high detection rate with low false rate. Copyright © 2010 Binary Information Press.

Kaikun Dong,Jiao Shi,Li Guo,Fang Yuan

DOI: https://doi.org/10.1088/1742-6596/1629/1/012017

2020-01-01

Journal of Physics Conference Series

Abstract:Abstract In order to identify the four types of attacks in the KDD99 data set, an anomaly detection model based on supporting vector machines is proposed. The model uses supporting vector machines to train five classifiers and detects the attacks by integrating the classification results of the five classifiers. Aiming at the problem that the detection model has a low recall rate when detecting some categories, a feature extraction method based on abnormal proportion analysis is proposed to extract effective feature combinations for each classifier, and a sampling technique is used to preprocess the training set of each classifier. Experimental results show that the improved anomaly detection model can not only improve the performance of each classifier, but also improve the comprehensive discrimination performance of the five classifiers.

Tao Ma,Yang Yu,Fen Wang,Qiang Zhang,Xiaoyun Chen

DOI: https://doi.org/10.1007/978-981-10-3187-8_13

2017-01-01

Abstract:This paper proposes a novel approach called KDSVM, which utilized the k-mean techniques and advantage of feature learning with deep neural network (DNN) model and strong classifier of support vector machines (SVM) , to detection intrusion networks. KDSVM is composed of two stages. In the first step, the dataset is divided into k subset based on every sample distance by the cluster centers of k-means approach, and in the second step, testing dataset is distanced by the same cluster center and fed into the DNN model with SVM model for intrusion detection. The experimental results show that the KDSVM not only performs better than SVM, BPNN, DBN-SVM (Salama et al., Soft computing in industrial applications, 2011 [21]) and Bayes tree models in terms of detection accuracy and abnormal types of attacks found. It also provides an effective tool for the study and analysis of intrusion detection in the large network.