Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Hao Luo,Binxing Fang,Xiao-chun Yun,Zhi-gang Wu

2008-01-01

Abstract:We investigate an effective and robust mechanism for detecting SMTP traffic anomaly. Our detection method cumulates the deviation of current delivering status from history behavior based on the leaky integrate-and-fire model to detect anomaly. The simplicity of our detection method is that the method requires neither the set of anomalies to be detected, nor the thresholds to be supplied by the user. Furthermore the proposed method need not store history profile and has low computation overhead, which makes the detection method itself immune to attacks. The performance evaluation results show that leaky integrate-and-fire method is quite effective at detecting constant intensity attacks and increasing intensity attacks in the SMTP traffic. Compared with other anomaly detection method, our detection method has better detecting performance.

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

Hao Luo,Binxing Fang,Xiaochun Yun

DOI: https://doi.org/10.1109/ITNG.2006.34

2006-01-01

Abstract:We investigate an effective and robust mechanism for detecting SMTP traffic anomaly. Our detection method cumulates the deviation of current delivering status from history behavior based on a weighted sum method called the leaky integrate-and-fire model to detect anomaly. The simplicity of our detection method is that the method need not store history profile and low computation overhead, which makes the detection method itself immunes to attacks. The performance is investigated in terms of detection probability, the false alarm ratio, and the detection delay. Our results show that leaky integrate-and-fire method is quite effective at detecting anomaly in the SMTP traffic. Compared with non-parametric cumulative sum method, the evaluation results show that our detection method has lower false alarm ratio and higher detection probability

ZM Cai,TH Qin,X Guan,XB Ma,XM Zhou

2006-01-01

Abstract:Internet is perhaps the most complex man-made system. Its complexity makes internet security a very hard problem which attracts a lot of research interests. Recent large-scale and fast spreading internet worms led to researches in automated containment against self-propagating worms and early worm detection is widely believed as the essential choke point of worm containment. In this paper, two new concepts, flow intensity and flow distribution intensity, are proposed to capture fundamental characteristics of network traffic. Although raw network traffics are non-stable, we find that the calculated flow intensity and flow distribution intensity are stable processes with non-zero means. We also find that the abnormal network behavior, e.g. occurrences of worms, will lead to significant changes of the stable process's mean and variance. EWMA (Exponential Weighted Moving Average) control charts are applied to the detection of the change point and in turn the detection of early worm propagation. The extensive experimental results show that our method detects early worm propagation in local networks both quickly and accurately.

Zhongmin Cai,Tao Qin

DOI: https://doi.org/10.3321/j.issn:0253-987X.2007.04.003

2007-01-01

Abstract:Based on NetFlow, the definition of two net-flows, Host-Net-Flow and Region-Net-Flow, as well as a depictive method for corresponding network traffic characteristics are proposed. The netflows are abstracted from the host level and network level by the definition. The incorporation of netflow information in bottom level is implemented, and the number of netflow records can significantly be reduced without losing key network traffic characteristics. EWMA (exponential weighted moving average) control chart models are employed to forecast and estimate the distilled network traffic features, then an early net-worm propagation detection method is presented considering the features of network worm propagation. The experimental results show that the early worm propagation in local networks can be detected both quickly and accurately by the proposed method, thereby worm propagation can be controlled as soon as possible.

WANG Yan,ZHANG Yue,HU Ming-zeng

DOI: https://doi.org/10.3969/j.issn.1672-0946.2006.06.016

2006-01-01

Abstract:The distributed denial-of-service(DDoS) leading to network traffic anomaly is growing rapidly.In this paper,a network traffic anomaly detection method based on wavelet transform is proposed.Network traffic is broken down into different frequency,and anomaly change of network traffic is detected through the high-frequency power analysis,that is the change of wavelet variance.In order to enhance the alarm veracity,a LRU Cache is used to filter the long-term flow and part of outburst flow is found.Experiments proved that it is viable attempt to analyze network traffic from the aspect of frequency.

Rongsheng Shan,Jianhua Li,MINGZHENG WANG

DOI: https://doi.org/10.3969/j.issn.1003-7985.2004.01.004

2004-01-01

Abstract:This paper presents a novel mechanism for detecting flooding-attacks. The simplicity of the mechanism lies in its statelessness and low computation overhead, which makes the detection mechanism itself immune to flooding-attacks. In this paper, SYN-flooding, as an instance of flooding-attack, is used to illustrate the anomaly detection mechanism. The mechanism applies an exponentially weighted moving average (EWMA) method to detect the abrupt net flow and applies a symmetry analysis method to detect the anomaly activity of the network flow. Experiment shows that the mechanism has high detection accuracy and low detection latency.

王勇超,谢永凯,朱之平,林怀忠

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.03.062

2010-01-01

Abstract:This paper raised a method detect the abnormal net-flow based on normal distribution,then estimated the existence of Internet worm in internal network.According to the normal distribution character of the history flow,this method computed the normal behavior trusted zone of data flow in network,judged the inspected flow abnormal flow if it went beyond the trusted zone,and alarmed the threat of Internet worm.Combined with this method,further analyzed how to use two-factor model ana-lysis of the number of Internet worms in network.

LIU Peng,XIAO Zong-shui,LI Wei

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.09.032

2006-01-01

Abstract:Worm epidemic might spread at unprecedented high speed in high-speed links.And it is very necessary to design a compre-hensive automated defense system.The design of the system must base on high reliable detection accuracy and real-time traffic analysis.To solve these problems,a detecting method was presented which is based on the visualization of worm traffic flow.A simple and novel visualization scheme was introduced,which plots a packet in a 3-dimensional space using its source IP address,destination IP address and the destination port.After the high-speed link's traffic flow is visualized through this scheme,worms could be detected easily.Based on this character,an efficient attack detection and classification algorithm was brought forth.

XIAO Zheng-hong,PAN Mei-sen,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.02.099

2007-01-01

Abstract:Network traffic is one of the key properties in LAN as well as WAN,by wavelet analysis,the complex traffic times series can be decomposed into different frequent components.Based on wavelet decomposed,the self-similar of traffic can be used to detect anomaly behavior of network,a method of detecting attacks based on the deviation of Hurst parameter is presented.The changes of Hurst parameter are analyzed and compared in different time scale.Result shows the proposed approach can detect the possible presence of not only an anomaly,but also its location on data set.

Xiaojun Tong,Zhu Wang,Miao Zhang,Yang Liu,Hui Xu

DOI: https://doi.org/10.1109/DCABES.2014.55

2014-01-01

Abstract:This paper proposes a novel anomaly detection method of network worms. The algorithm detects unknown worms by multidimensional worm abnormal detection technology, extracts its feature string via analyzing worm data with leap-style and creates new rules to detect the corresponding worm in case that the unknown worm attacks again. The paper has realized the automatic detection of unknown worms. Experiment data has showed that the method has high success detection rate and low false alarm rate.

Liyang Wang,Yu Cheng,Hao Gong,Jiacheng Hu,Xirui Tang,Iris Li

2024-09-23

Abstract:The sophistication and diversity of contemporary cyberattacks have rendered the use of proxies, gateways, firewalls, and encrypted tunnels as a standalone defensive strategy inadequate. Consequently, the proactive identification of data anomalies has emerged as a prominent area of research within the field of data security. The majority of extant studies concentrate on sample equilibrium data, with the consequence that the detection effect is not optimal in the context of unbalanced data. In this study, the unsupervised learning method is employed to identify anomalies in dynamic data flows. Initially, multi-dimensional features are extracted from real-time data, and a clustering algorithm is utilised to analyse the patterns of the data. This enables the potential outliers to be automatically identified. By clustering similar data, the model is able to detect data behaviour that deviates significantly from normal traffic without the need for labelled data. The results of the experiments demonstrate that the proposed method exhibits high accuracy in the detection of anomalies across a range of scenarios. Notably, it demonstrates robust and adaptable performance, particularly in the context of unbalanced data.

Machine Learning,Artificial Intelligence,Cryptography and Security

Wei Wang

DOI: https://doi.org/10.1117/12.2640110

2022-08-01

Abstract:As awareness of network security being enhanced, more and more encryption technologies are used in cyberspace. The security detection of e-mail system in encrypted traffic becomes a challenge. This paper proposes an analysis system of email attack in encrypted traffic based on abnormal behavior, which identifies mail behavior and determines abnormal behaviors by extracting relevant feature information in the traffic. The special model and general model of the system were used to test the encrypted traffic of the existing network. The results show that the efficiency has been greatly improved compared with traditional detection methods.

Engineering,Computer Science

Zong-Lin Li,Guang-Min Hu,Xingmiao Yao

DOI: https://doi.org/10.1109/icacia.2009.5361117

2009-01-01

Abstract:Distributed anomalous traffic is difficult to detect, since it is simultaneously dispersed in many links and tend to not present any obvious anomalous features in a single link. This paper proposed a multi-scale spatial detection method against distributed stealthy traffic anomaly, it can deploy early-stage detection on key nodes of network. Multi-scale wavelet packet analysis is performed separately on links at which information is available on each node, with the aim of getting abnormal frequency ranges at different time sections and reconstructing signals with anomalous features. Then from a spatial point of view, evaluate deviation degree of high dimension vectors that composed of reconstructions by kernel density estimation as anomaly indicator. Detection results on both real anomalies of American education backbone network and synthetic distributed anomalies shows, our method performs better than existing method.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Ping Ren,Wu Liu,Ke Liu,Donghong Sun

DOI: https://doi.org/10.1109/IWCDM.2011.36

2011-01-01

Abstract:As the flooding of malicious codes such as worms, how to analyze large number of malicious samples quickly and effectively becomes a great issue for researchers in network security. This paper proposed an analysis algorithm for worm network behavior based on event sequence, which uses the data flow recombination and compression methods to process the pure malicious data. With this algorithm, one can quickly extract the network behavior profile and the signature of the worm. The application of this algorithm will greatly improve the efficiency of analyzing the worm network behavior, which will be significant for the deployment of firewalls and network invasion detection systems.

Bo CHEN,Bin-Xing FANG,Xiao-Chun YUN

2007-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new monitoring algorithm. Based on the monitoring result, we present an adaptive method to detect un-known worm by using recursive least squares estimation. The experiment result proves that our approach can be effectively, quickly and robust to detect unknown worm.