Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

牛国林,管晓宏,龙毅,秦涛

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.04.009

2009-01-01

Abstract:Based on tradeoffs analysis of abnormal behavior and detection methods,a multi-source traffic features analysis and abnormal detection method was proposed.The distribution characteristics of the flow size,IP addresses and ports were analyzed and found to be efficacious in traffic patterns analysis.The Renyi entropy was employed to fuse the multi-source information captured by different traffic features,and an abnormal behavior detection method was presented.Beacause of using the multi-source information,the models could detect many kinds of abnormal behaviors,which was an impossible mission for many other traditional abnormal detection methods.The experimental results based on actual network data show that the proposed abnormal detection methods are effective in detecting known and unknown attacks with high-accuracy detection rate and low complexity.

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

XIAO Zheng-hong,PAN Mei-sen,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.02.099

2007-01-01

Abstract:Network traffic is one of the key properties in LAN as well as WAN,by wavelet analysis,the complex traffic times series can be decomposed into different frequent components.Based on wavelet decomposed,the self-similar of traffic can be used to detect anomaly behavior of network,a method of detecting attacks based on the deviation of Hurst parameter is presented.The changes of Hurst parameter are analyzed and compared in different time scale.Result shows the proposed approach can detect the possible presence of not only an anomaly,but also its location on data set.

YU Han-Bing,WANG Ji-Long

2008-01-01

Periodical of Ocean University of China

Abstract:Abnormal traffic appears very different from normal traffic on the distribution of both destination IP address and time.This paper clusters the Netflow records of the traffic via the campus network based on the higher 16 bits of the outer IP address,finding that some clusters appear unusual on frequency of the emergence.This paper analyzes two kinds of typical cluster,proposes a method to detect anomaly sources insides the campus network using the clusters,and finds the differences of two kinds of anomaly source.Comparing with common anomaly detection methods,this method has fewer amounts of data required for dealing with,and therefore higher efficiency.

Guodong Fang,Zhihong Deng,Hao Ma

DOI: https://doi.org/10.1109/FSKD.2009.444

2009-01-01

Abstract:To keep the network secure, it is necessary to monitor network traffic timely and effectively. The traditional methods for detecting network anomalies were mainly based on such ways as sampling, counting and aggregating, but they can not solve the problem of getting accurate and effective results well. In this paper we propose a new method that is based on the basic properties of frequent pattern mining problem and makes use of the vertical mining methods to mine frequent patterns from network traffic. Based on this algorithm, we build a prototype system to evaluate our algorithm on huge netflow data of campus network. The experimental result shows that this algorithm can detect network anomalies timely and effectively and can help network administrators achieve more effective monitoring on network.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

LV Jun,LI Xing

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.11.071

2006-01-01

Abstract:This paper proposes a new algorithms which is based on combining the linear model and wave transaction.This algorithm can solve the problem that cannot be detected by threshold detection method.By applying the method to network traffic detection,etc,SNMP MIB data or Netflow data,the performance of this method has been shown.The algorithm has the advantage of accurate,reliable comparing with GLR method.

Xiaolong Liang

DOI: https://doi.org/10.1109/netcit54147.2021.00053

2021-12-01

Abstract:With the rapid development of network communication technology, the continuous deepening of Internet application and the increasing enrichment of information, the Internet has become an important infrastructure of human society. With the development of network technology and the increasing complexity of network topology, the supervision of network is facing great challenges. Among them, network traffic anomaly detection is one of the important tasks in network supervision. It is an indispensable technical means in network intrusion detection, security monitoring, operation and maintenance. Network security has become a problem faced by people. Anomaly detection is valued by people in academia and industry because it can detect unknown attacks. Researchers have proposed a large number of anomaly detection methods and systems. However, with the continuous growth of network bandwidth and the continuous progress of network attack and defense game, the network itself is in the process of dynamic evolution, and the means and methods of network attack are also evolving, resulting in the improvement of detection accuracy and accuracy of anomaly detection system Operational efficiency, security and ease of use are facing severe challenges. It is of great significance to propose anomaly detection methods with high detection accuracy and high operation efficiency and optimize existing detection algorithms. It is also a cutting-edge scientific problem of common concern in the field of global network security in academia and industry. Based on the prediction model and classifier, this paper proposes a real-time online anomaly detection method for network traffic, and systematically implements this method.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Qiuzhen Huang

DOI: https://doi.org/10.1016/j.jnca.2011.06.006

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:The randomness in network behaviors poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features to capture the traffic patterns. The blind source separation method is applied to obtain the routine and abnormal behaviors from those features. A scale space filter is applied to filter the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of different traffic features to the abnormal behavior detection are analyzed. It is found that the number of connection degree is the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting the abnormal behaviors not associated with significant changes in traffic volumes. Another advantage of the new method is that no supervised learning process is needed. This is very important since high quality labeled samples are very difficult to acquire in actual networks especially the data traces associated with attacks. The experimental results based on the actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in the gigabytes traffic environment and the accuracy is above 95%.

Ziyu Wang,Jiahai Yang,Fuliang Li

DOI: https://doi.org/10.1007/978-3-319-23802-9_10

2014-01-01

Abstract:Network anomalies have been a serious challenge for the Internet nowadays. In this paper, two new metrics, IGTE (Inter-group Traffic Entropy) and IGFE (Inter-group Flow Entropy), are proposed for network anomaly detection. It is observed that IGTE and IGFE are highly correlated and usually change synchronously when no anomaly occurs. However, once anomalies occur, this highly linear correlation would be destroyed. Based on this observation, we propose a linear regression model built upon IGTE and IGFE, to detect the network anomalies. We use both CERNET2 netflow data and synthetic data to validate the regression model and its corresponding detection method. The results show that the regression-based method works well and outperforms the well known wavelet-based detection method.

Ning Chen,Xiao-Su Chen,Bing Xiong,Hong-Wei Lu

DOI: https://doi.org/10.1109/embeddedcom-scalcom.2009.50

2009-01-01

Abstract:Based on TCP protocol, this paper aims at TCP flows, discusses the effects of multivariate correlation analysis on network traffic, obtains the quantitative relationship between different types of TCP packets in each time unit by correlation coefficient matrix, and finally proposes an anomaly detection and analysis method based on the correlation coefficient matrix. The experimental results show that our method can efficiently distinguish normal and abnormal traffic, and accurately detect and classify various anomaly behaviors (such as network scanning and DDoS attacks) in network traffic. The linear complexity of our method makes real-time detection and analysis practical.

Tingting Huang,Chao Liu,Anuj Sharma,Soumik Sarkar

DOI: https://doi.org/10.36001/ijphm.2018.v9i1.2671

2020-01-01

International Journal of Prognostics and Health Management

Abstract:Traffic dynamics in the urban interstate system are critical in terms of highway safety and mobility. This paper proposes a systematic data mining technique to detect traffic system-level anomalies in a batch-processing fashion. Built on the concepts of symbolic dynamics, a spatiotemporal pattern network (STPN) architecture is developed to capture the system characteristics. This novel spatiotemporal graphical modeling approach is shown to be able to extract salient time series features and discover spatial and temporal patterns for a traffic system. An information-theoretic metric is used to quantify the causal relationships between sub-systems. By comparing the structural similarity of the information-theoretic metrics of the STPNs learnt from each day, a day with anomalous system characteristics can be identified. A case study is conducted on an urban interstate in Iowa, USA, with 11 roadside radar sensors collecting 20-second resolution speed and volume data. After applying the proposed methods on one-month data (Feb. 2017), several system-level anomalies are detected. The potential causes that include inclement weather condition and non-recurring congestion are also verified to demonstrate the efficacies of the proposed technique. Compared to the traditional predefined performance measures for the traffic systems, the proposed framework has advantages in capturing spatiotemporal features in a fast and scalable manner.

Geng Tian,Zhiliang Wang,Xia Yin,Jun Chen,Xingang Shi,Chao Zhou,Zimu Li,Yingya Guo

DOI: https://doi.org/10.1109/ISCC.2017.8024622

2017-01-01

Abstract:Nowadays, there are two major challenges to detect traffic anomalies in a large scale network. One is how to handle huge amounts of traffic data when we detect traffic anomalies in a network, and the other is how to carry out fast and detailed detection and classification. To address these two challenges, we propose a Change based Effective Frequent flow Features approach (CEFF), which can quickly obtain the anomaly detection and classification results by scanning the flow data only once. We implement CEFF for both offline and online detection and classification in Spark, a popular big data processing platform. Besides, we evaluate CEFF using China Telecom NetFlow format data in experiments, and make comparisons between CEFF and Shannon entropy based method, which has been proved to be effective for traffic anomaly detection. The experiment results show that CEFF has excellent performance in traffic anomaly detection and classification.

Xueyuan Duan,Yu Fu,Kun Wang

DOI: https://doi.org/10.48550/arXiv.2205.03907

2022-05-08

Networking and Internet Architecture

Abstract:To address the problem that traditional network traffic anomaly detection algorithms do not suffi-ciently mine potential features in long time domain, an anomaly detection method based on mul-ti-scale residual features of network traffic is proposed. The original traffic is divided into subse-quences of different time spans using sliding windows, and each subsequence is decomposed and reconstructed into data sequences of different levels using wavelet transform technique; the stacked autoencoder (SAE) constructs similar feature space using normal network traffic, and gen-erates reconstructed error vector using the difference between reconstructed samples and input samples in the similar feature space; the multi-path residual group is used to learn reconstructed error The traffic classification is completed by a lightweight classifier. The experimental results show that the detection performance of the proposed method for anomalous network traffic is sig-nificantly improved compared with traditional methods; it confirms that the longer time span and more S transformation scales have positive effects on discovering potential diversity information in the original network traffic.

Songtao Peng,Jiaqi Nie,Xincheng Shu,Zhongyuan Ruan,Lei Wang,Yunxuan Sheng,Qi Xuan

DOI: https://doi.org/10.1016/j.comnet.2022.109129

IF: 5.493

2022-01-01

Computer Networks

Abstract:As the default protocol for exchanging routing reachability information on the Internet, the abnormal behavior in traffic of Border Gateway Protocols (BGP) is closely related to Internet anomaly events. The BGP anomalous detection model ensures stable routing services on the Internet through its real-time monitoring and alerting capabilities. Previous studies either focused on the feature selection problem or the memory characteristic in data, while ignoring the relationship between features and the precise time correlation in feature (whether it is long or short term dependence). In this paper, we propose a multi-view model for capturing anomalous behaviors from BGP update traffic, in which Seasonal and Trend decomposition using Loess (STL) method is used to reduce the noise in the original time-series data, and Graph Attention Network (GAT) is used to discover feature relationships and time correlations in feature, respectively. Our results outperform the state-of-the-art methods at the anomaly detection task, with the average F1 score up to 96.3% and 93.2% on the balanced and imbalanced datasets respectively. Meanwhile, our model can be extended to classify multiple anomalous and to detect unknown events.

Jian Wu,Zhiming Cui,Yujie Shi,Dongliang Su

DOI: https://doi.org/10.1260/1748-3018.7.2.209

2013-01-01

Journal of Algorithms & Computational Technology

Abstract:In order to improve the speed and accuracy of traffic flow anomaly detection in real-time traffic system, we proposed an anomaly detection algorithm which is based on wavelet denoising and support vector regression. Firstly, we use wavelet transform to decompose and restructure the sampled data, and then apply support vector regression to data training. By fitting the obtained data, it can achieve dynamic prediction of traffic flow parameters. Through comparing the predictive values with the measured values of traffic flow parameters, we can achieve traffic anomaly detection. Experimental results show that the method proposed in this paper has a higher detection rate under the same false alarm rate.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Raja, Nirav M

DOI: https://doi.org/10.1007/s13278-023-01057-0

2023-04-19

Social Network Analysis and Mining

Abstract:Currently, there is an enormous disturbance regarding privacy in information and communication technology around the scientific community. Since any assault or abnormality in the network can seriously disturb numerous realms like national security, private data storage, social welfare, economic issues, and so on. Consequently, one of the domains for detecting intrusion in the network is anomaly detection domain and it is a wide probe area. Various numerous methods and approaches have developed for anomaly detection. In the network security field, traffic anomaly detection has been a main aspect. The network security domain recognizes assaults in terms of significant deviations from the entrenched regular usage profiles. Nowadays, software-defined networking (SDN) is a new networking model has developed to ease effectual network control and management. This view investigates 50 probe papers focused on traffic flow rate prediction-based anomaly detection in SDN. Furthermore, it presents technique wise classifications like flow counting-based techniques, information theory-based approaches, entropy-based techniques, deep learning (DL)-based approaches, hybrid methods and network methods. An examination includes in an overview based on classification research techniques, toolset used, years of publication, datasets, and evaluation metrics for predicting anomaly in the SDN environment. Lastly, the limitations of surveyed techniques are explained, that encourage investigators for inventing more new techniques for predicting anomaly in SDN.

YU Yan,GUO Shan-Qing,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.05.018

2007-01-01

Computer Science

Abstract:Existing anomaly intrusion detection algorithms based on machine learning are usually founded on the equivalent learning of all historical dataset.Therefore,the learned network behavior profiles depend on the historical data heavily,thus behavior characteristics of current network traffic can not be represented exactly.At the same time,the network packets which arrive persistently with high speed and large volume can not be stored and maintained in time because of the high time and space complexity of the anomaly intrusion detection algorithms.So,a kind of two-phase intrusion detection method based on data stream clustering is presented.In the method,the statistical information of the network traffic are collected and generated on line firstly.Then the statistical information which can represent current network situation nicely are used to detect the intrusions.Accordingly,the influence of historical data can be reduced.The empirical results manifest that such a two-phase intrusion detection method has better detection performance than that based on all historical data,as well as resolves the problems of insufficient system resources,such as memory,etc.,to improve the flexibility and concurrency of system.