Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

Bin Zhang,Jia-Hai Yang,Jian-Ping Wu,Ying-Wu Zhu

DOI: https://doi.org/10.1007/s11390-012-1225-0

2012-01-01

Abstract:Network traffic anomalies are unusual changes in a network, so diagnosing anomalies is important for network management. Feature-based anomaly detection models (ab)normal network traffic behavior by analyzing packet header features. PCA-subspace method (Principal Component Analysis) has been verified as an efficient feature-based way in network-wide anomaly detection. Despite the powerful ability of PCA-subspace method for network-wide traffic detection, it cannot be effectively used for detection on a single link. In this paper, different from most works focusing on detection on flow-level traffic, based on observations of six traffic features for packet-level traffic, we propose a new approach B6-SVM to detect anomalies for packet-level traffic on a single link. The basic idea of B6-SVM is to diagnose anomalies in a multi-dimensional view of traffic features using Support Vector Machine (SVM). Through two-phase classification, B6-SVM can detect anomalies with high detection rate and low false alarm rate. The test results demonstrate the effectiveness and potential of our technique in diagnosing anomalies. Further, compared to previous feature-based anomaly detection approaches, B6-SVM provides a framework to automatically identify possible anomalous types. The framework of B6-SVM is generic and therefore, we expect the derived insights will be helpful for similar future research efforts.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

jing yuan,ruixi yuan,xi chen

DOI: https://doi.org/10.15837/ijccc.2014.1.870

IF: 2.635

2014-01-01

International Journal of Computers Communications & Control

Abstract:This paper proposes a novel detection engine, called the Wavelet-Recurrence-Clustering (WRC) detection model, to study the network anomaly detection problem that is widely attractive in Internet security area. The WRC model first applies the wavelet transform and recurrence analysis to calculate the multi-scale dynamic characteristics of network traffic, and then identifies network anomalies through the clustering algorithm with those dynamic characteristics. The evaluation results on DARPA 1999 dataset indicate that the WRC detection model can effectively improve the detection accuracy with a low false alarm

XIAO Zheng-hong,PAN Mei-sen,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.02.099

2007-01-01

Abstract:Network traffic is one of the key properties in LAN as well as WAN,by wavelet analysis,the complex traffic times series can be decomposed into different frequent components.Based on wavelet decomposed,the self-similar of traffic can be used to detect anomaly behavior of network,a method of detecting attacks based on the deviation of Hurst parameter is presented.The changes of Hurst parameter are analyzed and compared in different time scale.Result shows the proposed approach can detect the possible presence of not only an anomaly,but also its location on data set.

Tingting Huang,Chao Liu,Anuj Sharma,Soumik Sarkar

DOI: https://doi.org/10.36001/ijphm.2018.v9i1.2671

2020-01-01

International Journal of Prognostics and Health Management

Abstract:Traffic dynamics in the urban interstate system are critical in terms of highway safety and mobility. This paper proposes a systematic data mining technique to detect traffic system-level anomalies in a batch-processing fashion. Built on the concepts of symbolic dynamics, a spatiotemporal pattern network (STPN) architecture is developed to capture the system characteristics. This novel spatiotemporal graphical modeling approach is shown to be able to extract salient time series features and discover spatial and temporal patterns for a traffic system. An information-theoretic metric is used to quantify the causal relationships between sub-systems. By comparing the structural similarity of the information-theoretic metrics of the STPNs learnt from each day, a day with anomalous system characteristics can be identified. A case study is conducted on an urban interstate in Iowa, USA, with 11 roadside radar sensors collecting 20-second resolution speed and volume data. After applying the proposed methods on one-month data (Feb. 2017), several system-level anomalies are detected. The potential causes that include inclement weather condition and non-recurring congestion are also verified to demonstrate the efficacies of the proposed technique. Compared to the traditional predefined performance measures for the traffic systems, the proposed framework has advantages in capturing spatiotemporal features in a fast and scalable manner.

Paul Barford,Jeffery Kline,David Plonka,Amos Ron

DOI: https://doi.org/10.1145/637201.637210

2002-01-01

Abstract:Identifying anomalies rapidly and accurately is critical to the efficient operation of large computer networks. Accurately characterizing important classes of anomalies greatly facilitates their identification; however, the subtleties and complexities of anomalous traffic can easily confound this process. In this paper we report results of signal analysis of four classes of network traffic anomalies: outages, flash crowds, attacks and measurement failures. Data for this study consists of IP flow and SNMP measurements collected over a six month period at the border router of a large university. Our results show that wavelet filters are quite effective at exposing the details of both ambient and anomalous traffic. Specifically, we show that a pseudo-spline filter tuned at specific aggregation levels will expose distinct characteristics of each class of anomaly. We show that an effective way of exposing anomalies is via the detection of a sharp increase in the local variance of the filtered data. We evaluate traffic anomaly signals at different points within a network based on topological distance from the anomaly source or destination. We show that anomalies can be exposed effectively even when aggregated with a large amount of additional traffic. We also compare the difference between the same traffic anomaly signals as seen in SNMP and IP flow data, and show that the more coarse-grained SNMP data can also be used to expose anomalies effectively.

Xueyuan Duan,Yu Fu,Kun Wang

DOI: https://doi.org/10.48550/arXiv.2205.03907

2022-05-08

Networking and Internet Architecture

Abstract:To address the problem that traditional network traffic anomaly detection algorithms do not suffi-ciently mine potential features in long time domain, an anomaly detection method based on mul-ti-scale residual features of network traffic is proposed. The original traffic is divided into subse-quences of different time spans using sliding windows, and each subsequence is decomposed and reconstructed into data sequences of different levels using wavelet transform technique; the stacked autoencoder (SAE) constructs similar feature space using normal network traffic, and gen-erates reconstructed error vector using the difference between reconstructed samples and input samples in the similar feature space; the multi-path residual group is used to learn reconstructed error The traffic classification is completed by a lightweight classifier. The experimental results show that the detection performance of the proposed method for anomalous network traffic is sig-nificantly improved compared with traditional methods; it confirms that the longer time span and more S transformation scales have positive effects on discovering potential diversity information in the original network traffic.

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Lisheng Huang,Jinye Ran,Wenyong Wang,Tan Yang,Yu Xiang

DOI: https://doi.org/10.1016/j.comnet.2020.107645

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>This paper proposes a novel multi-channel network traffic anomaly detection method combined with the idea of multi-scale decomposition, feature selection and fusion. Our method includes a feature selection and fusion module, which extracts the most important features from redundancy traffic features and fuses the selected features, a multi-scale decomposition module, and a multi-channel Generalized Likelihood Ratio Test (GLRT) detection module, for anomaly detection and decision-making. The advantage of our method is that, first, it only considers the selected features and reduces the amount of computation. Second, compared with traditional anomaly detection methods that usually work on each scale independently thus mainly focused on temporally correlated traffic, our method fully explores the internal frequency-time correlations within multiple scales. It can be verified with experiments that this method performs better than other traditional methods, thus gives a new sight on the anomaly detection with different types of traffic data.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Feiyi Chen,Yingying zhang,Zhen Qin,Lunting Fan,Renhe Jiang,Yuxuan Liang,Qingsong Wen,Shuiguang Deng

DOI: https://doi.org/10.1109/icde60146.2024.00047

2024-01-01

Abstract:Anomaly detection significantly enhances the robustness of cloud systems.While neural network-based methods have recently demonstrated strongadvantages, they encounter practical challenges in cloud environments: thecontradiction between the impracticality of maintaining a unique model for eachservice and the limited ability to deal with diverse normal patterns by aunified model, as well as issues with handling heavy traffic in real time andshort-term anomaly detection sensitivity. Thus, we propose MACE, a multi-normal-pattern accommodated and efficientanomaly detection method in the frequency domain for time series anomalydetection. There are three novel characteristics of it: (i) a patternextraction mechanism excelling at handling diverse normal patterns with aunified model, which enables the model to identify anomalies by examining thecorrelation between the data sample and its service normal pattern, instead ofsolely focusing on the data sample itself; (ii) a dualistic convolutionmechanism that amplifies short-term anomalies in the time domain and hindersthe reconstruction of anomalies in the frequency domain, which enlarges thereconstruction error disparity between anomaly and normality and facilitatesanomaly detection; (iii) leveraging the sparsity and parallelism of frequencydomain to enhance model efficiency. We theoretically and experimentally provethat using a strategically selected subset of Fourier bases can not only reducecomputational overhead but is also profitable to distinguish anomalies,compared to using the complete spectrum. Moreover, extensive experimentsdemonstrate MACE's effectiveness in handling diverse normal patterns with aunified model and it achieves state-of-the-art performance with highefficiency.

Su Yang,Wenbin Zhou

DOI: https://doi.org/10.1109/PASSAT/SocialCom.2011.10

2011-01-01

Abstract:Some special natural and social events like natural disasters, terrorism attacks, and traffic accidents may have remarkable effect on people's collective behaviors, which means the behaviors of a large number of people viewed as a whole. Analysis of the patterns of collective behaviors in the sense of data mining is an important topic. Solving this problem is crucial and practical in that online detection of abnormal patterns of people's collective behaviors may lead to rapid response to emergent affairs. In terms of technology, the task can be regarded as detection of abnormal particle movement patterns from a global point of view. In this study, we propose a solution to solve this problem. First, the traffic flows observed by more than 4000 sensors are organized as high-dimensional time series. Second, a widely used manifold learning technique referred to as locally linear embedding (LLE) is used to compute the K coefficients in fitting every data point with its K nearest neighbors in the high-dimensional space, which can be regarded as a K-dimensional local feature associated with every data point. Then, the local features of the data points within a time window are summarized by using principal component analysis (PCA) to obtain a global feature to represent the traffic data in every time window. Finally, outlier detection is performed on such PCALLE feature space. The experimental results show that the proposed method can effectively detect abnormal traffic patterns, which correspond with some special days, like the New Year day, the national day of America, and some days with extreme weather. © 2011 IEEE.

Chen Yang

DOI: https://doi.org/10.1007/s10586-018-1755-5

2018-01-16

Cluster Computing

Abstract:In recent years, there are more and more abnormal activities in the network, which greatly threaten network security. Hence, it is of great importance to collect the data which indicate the running statement of the network, and distinguish the anomaly phenomena of the network in time. In this paper, we propose a novel anomaly network traffic detection algorithm under the cloud computing environment. Firstly, the framework of the anomaly network traffic detection system is illustrated, and six type of network traffic features are consider in this work, that is, (1) number of source IP address, (2) number of source port number, (3) number of destination IP address, (4) number of destination port number, (5) Number of packet type, and (6) number of network packets. Secondly, we propose a novel hybrid information entropy and SVM model to tackle the proposed problem by normalizing values of network features and exploiting SVM detect anomaly network behaviors. Finally, experimental results demonstrate that the proposed algorithm can detect anomaly network traffic with high accuracy and it can also be used in the large scale dataset.

Ning Chen,Xiao-Su Chen,Bing Xiong,Hong-Wei Lu

DOI: https://doi.org/10.1109/embeddedcom-scalcom.2009.50

2009-01-01

Abstract:Based on TCP protocol, this paper aims at TCP flows, discusses the effects of multivariate correlation analysis on network traffic, obtains the quantitative relationship between different types of TCP packets in each time unit by correlation coefficient matrix, and finally proposes an anomaly detection and analysis method based on the correlation coefficient matrix. The experimental results show that our method can efficiently distinguish normal and abnormal traffic, and accurately detect and classify various anomaly behaviors (such as network scanning and DDoS attacks) in network traffic. The linear complexity of our method makes real-time detection and analysis practical.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang

DOI: https://doi.org/10.1109/ICC.2009.5199196

2009-01-01

Abstract:The randomness of the network behaviors poses serious challenges for discovering the abnormal patterns in network traffic flows. This paper presents a method based on blind source separation approach for detecting abnormal traffic flows. It decomposes the network traffic into two components: the routine pattern and the abnormal pattern. The scale-space filter with adaptive scale is applied to filter the noise without affecting the main behavior patterns which can be used to form the abnormal traffic metrics and profiles. The zero-crossing method is applied to extract the stochastic behavior pulse widths and the largest width is selected as the scale space factor. In this way, the influence of the inherent randomness could be removed or greatly reduced. The extracted patterns of the routine behaviors imply the user's habit and the abnormal patterns are useful for discovering anomalous behaviors such as scanning, flooding and content distribution attacks. A salient feature of the method is that no supervised learning process is needed. This is a very important advantage since obtaining labeled samples in traffic monitoring is extremely difficult. Experimental results based on the datasets of an actual network show that this method is effective for monitoring anomaly traffic flows in the gigabytes traffic environment and the identification accuracy is above 95%.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Qiuzhen Huang

DOI: https://doi.org/10.1016/j.jnca.2011.06.006

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:The randomness in network behaviors poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features to capture the traffic patterns. The blind source separation method is applied to obtain the routine and abnormal behaviors from those features. A scale space filter is applied to filter the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of different traffic features to the abnormal behavior detection are analyzed. It is found that the number of connection degree is the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting the abnormal behaviors not associated with significant changes in traffic volumes. Another advantage of the new method is that no supervised learning process is needed. This is very important since high quality labeled samples are very difficult to acquire in actual networks especially the data traces associated with attacks. The experimental results based on the actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in the gigabytes traffic environment and the accuracy is above 95%.

Tao Yi,Xingshu Chen,Qindong Li,Yi Zhu

DOI: https://doi.org/10.1016/j.cose.2024.103809

IF: 5.105

2024-03-29

Computers & Security

Abstract:APT attacks have the characteristics of low frequency, stealth, and persistence. Achieving attack objectives and preventing trace-back often involve diverse tactics, various tools, and changing processes and patterns. Additionally, the goals of APT attacks are diverse. Apart from service disruptions or network outages, the main goals include remotely penetrating target hosts through the network to steal information, unauthorized encryption, and destructive wiping. Existing methods for characterizing attack features lack sufficient research on the communication methods and data transmission patterns used in attacks. In particular, due to the non-associated addresses, low frequency, fragmentation, and silent requirements of attacks, the features exhibited in a single session are increasingly minimal. Traditional approaches are no longer sufficient to address these challenges that relying solely on single-sample statistical features and "packet-sniffing" windowed traffic grouping detection methods. To tackle these issues, we propose a innovative approach to characterize network attack traffic based on Spatial Pyramid Pooling (SPP) by analyzing the attack communication methods and data transmission patters in the network session traffic of APT attacks with the remote information theft. Specifically, it employs derived feature attributes that integrate mean, total, and concentration characteristics to longitudinally extract multi-level spatiotemporal correlated behavioral features from aggregated multi-session sets. These features are then fused with single-session characteristics, ensuring that each session sample possesses both current traffic features and correlated properties of contextual session traffic. Additionally, this approach meets the requirements of fixed-length input for heterogeneous data in deep learning. Extensive experiments have been conducted to demonstrate that this method enhances the effective detection of APT attacks by deep learning models. Experiments results show that this approach exhibits superior timeliness, precision, and specificity when compared to Principal Component Analysis (PCA) artificial feature engineering methods and other methods based on fixed-length deep learning for raw data.

computer science, information systems