Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Yuanzhang Li,Shangjun Yao,Ruyun Zhang,Chen Yang

DOI: https://doi.org/10.1002/int.22330

IF: 8.993

2020-11-10

International Journal of Intelligent Systems

Abstract:<p>Security monitoring and analysis can help users to timely perceive threats faced by the host, thereby protecting and backup data and improving the host's security status. In the research domain of host security analysis, many feasible solutions have been proposed. However, real‐time performance and accuracy still need improvement. This paper proposes a host security analysis method based on Dempster–Shafer (D‐S) evidence theory. It adopts three models of support vector regression, logistic regression, and K‐nearest neighbor regression, as sensors for multisource information fusion. Multiple sensors perform security analysis on the host, respectively, and use the analysis results as evidence of D‐S evidence theory. Experiments show that the proposed method provides effective security protection for the host in terms of absolute error, root mean square error, and the average absolute percentage error.</p>

computer science, artificial intelligence

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/CIS.2009.262

2009-01-01

Abstract:There are many researches which focus on the security of network-attached storages. The cryptology tools can protect the storages against non-authorized access, but turned out ineffective when malicious authenticated users attack inside. Also the intrusion detection methods are applied in the network-attached storages, such as, storage-based intrusion detection method and the intrusion detection method based on system calls. However, these methods couldn't obtain higher Detection Rates with lower False Positive Rates. This paper proposes a novel intrusion detection scheme to merge the two methods with multi-source information fusion technology. The fusion optimization strategy is provided to guarantee that the fusion scheme can make a more accuracy decision for the suspicious behaviors with more information gathered from different levels of the system. Also the intrusion detection modules in the new scheme can be "self-learning" and update the profiles by themselves. Experimental results demonstrate that the over capability of new fusion intrusion detection scheme increased by 15%. © 2009 IEEE.

Tao Qin,Zhaoli Liu,Pinghui Wang,Shancang Li,Xiaohong Guan,Lixin Gao

DOI: https://doi.org/10.1109/tifs.2019.2933731

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Anomaly detection is an important technique used to identify patterns of unusual network behavior and keep the network under control. Today, network attacks are increasing in terms of both their number and sophistication. To avoid causing significant traffic patterns and being detected by existing techniques, many new attacks tend to involve gradual adjustment of behaviors, which always generate incomplete sessions due to their running mechanisms. Accordingly, in this work, we employ the behavior symmetry degree to profile the anomalies and further identify unusual behaviors. We first proposed a symmetry degree to identify the incomplete sessions generated by unusual behaviors; we then employ a sketch to calculate the symmetry degree of internal hosts to improve the identification efficiency for online applications. To reduce the memory cost and probability of collision, we divide the IP addresses into four segments that can be used as keys of the hash functions in the sketch. Moreover, to further improve detection accuracy, a threshold selection method is proposed for dynamic traffic pattern analysis. The hash functions in the sketch are then designed using Chinese remainder theory, which can analytically trace the IP addresses associated with the anomalies. We tested the proposed techniques based on traffic data collected from the northwest center of CERNET (China Education and Research Network); the results show that the proposed methods can effectively detect anomalies in large-scale networks.

Keqi Liu,Yizhuo Guo,Anyi Zhang,Peng Xu

DOI: https://doi.org/10.1109/ICCC57788.2023.10233434

2023-08-10

Abstract:The integration of multiple sensors in industrial systems and subsequent anomaly detection based on the sensor-collected data has emerged as one of the most popular applications of the Internet of Things. Therefore, it is highly significant to conduct anomaly detection based on multi-source subsequence data. However, existing research either deals with anomaly detection for multi-source data fusion or anomaly detection for subsequences. In this paper, we propose a novel Anomaly Detection method based on multi-source subsequence multi-View data that overcomes the limitations of the existing methods. Specifically, we introduce an improved shape-based subsequence mapping method for the representation of multi-source subsequences, followed by a multi-view based feature fusion matrix construction method. Finally, we propose an anomaly scoring method based on property attribute fusion, which is the first of its kind to introduce a source importance factor that takes into account the importance of different data sources for adjusting the impact weight. Our experimental results demonstrate that the proposed method outperforms traditional anomaly detection methods.

Computer Science,Engineering

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

Shijoe Jose,D. Malathi,Bharath Reddy,Dorathi Jayaseeli

DOI: https://doi.org/10.1088/1742-6596/1000/1/012049

2018-04-01

Journal of Physics: Conference Series

Abstract:An intrusion detection system (IDS) is hardware, software or a combination of two, for monitoring network or system activities to detect malicious signs. In computer security, designing a robust intrusion detection system is one of the most fundamental and important problems. The primary function of system is detecting intrusion and gives alerts when user tries to intrusion on timely manner. In these techniques when IDS find out intrusion it will send alert massage to the system administrator. Anomaly detection is an important problem that has been researched within diverse research areas and application domains. This survey tries to provide a structured and comprehensive overview of the research on anomaly detection. From the existing anomaly detection techniques, each technique has relative strengths and weaknesses. The current state of the experiment practice in the field of anomaly-based intrusion detection is reviewed and survey recent studies in this. This survey provides a study of existing anomaly detection techniques, and how the techniques used in one area can be applied in another application domain.

Ying-Dar Lin,Ze-Yu Wang,Po-Ching Lin,Van-Linh Nguyen,Ren-Hung Hwang,Yuan-Cheng Lai

DOI: https://doi.org/10.1016/j.jisa.2022.103248

IF: 4.96

2022-08-01

Journal of Information Security and Applications

Abstract:This work compares the performance of different combinations of data sources for intrusion detection in depth. To learn and distinguish between normal and malicious behavior, we use machine learning algorithms and train three typical models on three kinds of datasets: system logs, packet flows and host statistics. Unlike other studies, our study captures and monitors the behavior from multiple data sources in order to catch security attacks. Our aim is to figure out how to build the most effective dataset for machine learning with a combination of multiple sources. However, since there are no such datasets which have been generated from multiple sources for given attacks, we show how to build and generate a dataset with three data sources. We then compare the F1 score of the detection by applying machine learning algorithms for various combinations of the data sources. Our evaluation results show that the dataset of host statistics results in better performance (0.91) than traffic flows (0.63) and system logs (0.44) because it has the highest average F1-score in the three stages of attacks, while the other datasets may have poor F1-scores in some of the stages, particularly in the stage of impact. However, in the initial access stage of attacks, the dataset of logs performs the best (0.94), and the packet flows are suitable for detecting network DoS attacks (0.82). Furthermore, running this detection with all three data sources results in minor overheads of at most 2.1% CPU utilization. Finally, we analyze the important features of each model, such as the number of logs generated by apache-access, in.telnetd and postfix in the dataset of logs, SrcBytes and TotBytes in the dataset of flows, and MINFLT, VSTEXT and RSIZE in the dataset of statistics.

computer science, information systems

Liyang Wang,Yu Cheng,Hao Gong,Jiacheng Hu,Xirui Tang,Iris Li

2024-09-23

Abstract:The sophistication and diversity of contemporary cyberattacks have rendered the use of proxies, gateways, firewalls, and encrypted tunnels as a standalone defensive strategy inadequate. Consequently, the proactive identification of data anomalies has emerged as a prominent area of research within the field of data security. The majority of extant studies concentrate on sample equilibrium data, with the consequence that the detection effect is not optimal in the context of unbalanced data. In this study, the unsupervised learning method is employed to identify anomalies in dynamic data flows. Initially, multi-dimensional features are extracted from real-time data, and a clustering algorithm is utilised to analyse the patterns of the data. This enables the potential outliers to be automatically identified. By clustering similar data, the model is able to detect data behaviour that deviates significantly from normal traffic without the need for labelled data. The results of the experiments demonstrate that the proposed method exhibits high accuracy in the detection of anomalies across a range of scenarios. Notably, it demonstrates robust and adaptable performance, particularly in the context of unbalanced data.

Machine Learning,Artificial Intelligence,Cryptography and Security

Zhizhong Wu,Xuehai Zhou,Jun Xu

DOI: https://doi.org/10.4304/jnw.8.2.273-282

2013-01-01

Abstract:In this paper we present an information fusion based distributed anomaly detection system for Android mobile phones. The proposed framework realizes a clientserver architecture, the client continuously extracts various features and transfers to the server, and the server’s major task is to detect anomaly using state-of-art detection algorithms implemented as anomaly detectors. Multiple distributed servers simultaneously analyzing the feature vector using different detectors and information fusion is used to fuse the results of detectors. We also propose a cycle-based statistical approach for smartphone anomaly detection as the smartphone users usual follow regular patterns due to their periodical patterns of lives. Empirical results suggest that the proposed framework and novel anomaly detection algorithm are effective in detecting malware on Android devices.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Peng Xu,Qihong Gao,Zhongbao Zhang,Kai Zhao

DOI: https://doi.org/10.1016/j.eswa.2023.121675

IF: 8.5

2023-09-27

Expert Systems with Applications

Abstract:Anomaly detection is vital in complex distributed systems. However, existing methods did not take into full account the temporal and spatial characteristics of data from multiple sources in the system. That will lead to less accurate of anomaly detection. To address this limitation, in this paper we propose a multi-source data based anomaly detection method through temporal and spatial characteristics. Specifically, we first considered the spatial characteristics. We propose a Transformer encoder to parse log templates and output template vectors, then an attention-based CNN is introduced to obtain the spatial characteristics from traces. Next, we considered the temporal characteristics. We propose Bi-LSTM network to obtain the temporal characteristics of multi-source data of the distributed systems, followed by anomaly detection. Finally, extensive comparative experiments verify the effectiveness of our method, the F1-score reaches 0.859 and improves by 2.14% compared to state-of-the-art methods.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

牛国林,管晓宏,龙毅,秦涛

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.04.009

2009-01-01

Abstract:Based on tradeoffs analysis of abnormal behavior and detection methods,a multi-source traffic features analysis and abnormal detection method was proposed.The distribution characteristics of the flow size,IP addresses and ports were analyzed and found to be efficacious in traffic patterns analysis.The Renyi entropy was employed to fuse the multi-source information captured by different traffic features,and an abnormal behavior detection method was presented.Beacause of using the multi-source information,the models could detect many kinds of abnormal behaviors,which was an impossible mission for many other traditional abnormal detection methods.The experimental results based on actual network data show that the proposed abnormal detection methods are effective in detecting known and unknown attacks with high-accuracy detection rate and low complexity.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Guo Pu,Lijuan Wang,Jun Shen,Fang Dong

DOI: https://doi.org/10.26599/tst.2019.9010051

2021-04-01

Abstract:In recent years, machine learning-based cyber intrusion detection methods have gained increasing popularity. The number and complexity of new attacks continue to rise; therefore, effective and intelligent solutions are necessary. Unsupervised machine learning techniques are particularly appealing to intrusion detection systems since they can detect known and unknown types of attacks as well as zero-day attacks. In the current paper, we present an unsupervised anomaly detection method, which combines Sub-Space Clustering (SSC) and One Class Support Vector Machine (OCSVM) to detect attacks without any prior knowledge. The proposed approach is evaluated using the well-known NSL-KDD dataset. The experimental results demonstrate that our method performs better than some of the existing techniques.

computer science, information systems,engineering, electrical & electronic, software engineering

Gang He,Xiaochen Liu,Xiaochun Wu,Decheng Yu

DOI: https://doi.org/10.1109/ihmsc.2014.111

2014-01-01

Abstract:In recent years, with the rapid development of the Internet on a global scale and the prompt popularization of various App applications, the Internet is increasingly becoming an integral part of people's lives. Meanwhile various network problems caused by abnormal network behavior have become more prominent than any time before. Furthermore we also have a lot of personal information on the Internet, which will bring us significant losses if are gave away. For that, to find an effective method to detect the abnormal network behavior is becoming more and more important. This paper first introduces a new detection method based on compound session, and then shows the effectiveness of the proposed method. A further objective of this method is to identify the infected host.

Xiaoming Ye,Shaojie Qiao,Nan Han,Kun Yue,Tao Wu,Li Yang,Faliang Huang,Chang-an Yuan

DOI: https://doi.org/10.1016/j.knosys.2020.106734

2021-02-01

Abstract:<p>Network behavior analysis is an active and challenging research direction in anomalous network traffic detection. With rapidly-increasing popularity of online applications, network traffic volume has grown exponentially. In the meantime, network communication is becoming more complex. Consequently, new interaction patterns of network behaviors, named group activity, need to be investigated. Group activities can be generated by various hosts over the network and changes in group activities usually cannot be captured by traditional anomaly detection methods. Currently, the primary limitation of traditional flow-based methods for network traffic analysis is the lack of a mechanism that studies the social relationship in the interaction patterns between hosts. Besides, existing approaches fail to detect group activities. To overcome these limitations, the paper aims to detect anomalous hosts based on the profile of group activity evolution. We propose a mathematical method to quantify and detect anomalous group activities based on the stability of group activity evolution, which fully captures both the temporal and structural characteristics of network evolution. This anomaly detection algorithm is called GAP (Group Activity Profile), which is a powerful supplement and extension of the traditional method of network behavior analysis. The main contributions of this paper are: (1) the paper introduces a new perspective of the group activity based on network evolution and network behavior anomaly detection; (2) the algorithm is suitable for measuring the changes in group activity evolution and determining whether the current evolution relatively conforms to or deviates from the normal evolution; and (3) this work defines the baseline of the group activity evolution by applying historical characteristics that can significantly reduce the false positive rate, and detect anomalous hosts accurately. The results of experiments conducted on real datasets demonstrate that GAP is capable of detecting anomalous host more effectively than traditional methods. GAP is free of parameters and achieves high scalability, which can effectively identify group activities as well as accurately detect anomalous hosts over time.</p>

computer science, artificial intelligence

Xiaoxun Zhu,Songwei Weng,Yu Wang,Xiaoxia Gao,Zhen Yang,Jingyuan Cao,Lijiang Dong,Xiang Lin

DOI: https://doi.org/10.1088/1361-6501/ad889b

IF: 2.398

2024-10-20

Measurement Science and Technology

Abstract:Anomaly detection plays a crucial role in various fields, from industrial defect inspection to geological detection. However, traditional approaches often struggle with insufficient discriminability and an inability to generalize to unseen anomalies. These limitations stem from the practical difficulty in gathering a comprehensive set of anomalies and the tendency to overlook anomalous instances in favor of normal samples. To address these challenges, we propose a novel Dynamic Anomaly Detection Enhancement Framework, integrating three key innovations: (1) SaliencyAug: An adaptive saliency-guided augmentation method that generates realistic pseudo-samples to enhance learning of rare anomalies, improving model generalization. (2) DynAB: A dynamic attention block that achieves effective multi-level feature fusion while minimizing redundant information, enhancing detection accuracy. (3) DualOM: A dual-head optimization module which employs separate heads for normal and anomalous sample learning, creating more explicit and discriminative decision boundaries. Extensive experiments across multiple real-world datasets demonstrate our framework's superior performance in detecting a wide range of anomalies, demonstrating 2.4% improvement over state-of-the-art methods.

engineering, multidisciplinary,instruments & instrumentation