Chonghua Wang,Hao Zhou,Zhiqiang Hao,Shu Hu,Jun Li,Xueying Zhang,Bo Jiang,Xuehong Chen

DOI: https://doi.org/10.1016/j.comnet.2022.108760

IF: 5.493

2022-03-01

Computer Networks

Abstract:Due to the ever-growing presence of network traffic, there has been a considerable amount of research on anomaly detection in network traffic by clustering. Most of them have not considered the problem that collective anomaly detection in network traffic. Collective anomaly might scatter among multiple clusters when applying the clustering-based algorithms in the anomaly detection. In this paper, we propose a progressive exploration framework for collective anomaly detection on network traffic based on a clustering method, called CCAD. CCAD enables analysts to effectively explore collective anomaly in network traffic. This framework is different from the other anomaly detection methods. It is based on the analysis of the influence of collective anomaly on the clustering results in the network traffic stream data. CCAD framework efficiently supports the collective anomaly exploration. As demonstrated by our extensive experiments with real-world data, CCAD has high detection rate in comparison with other existing methods.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Guolou Ping,Shuo Feng,Yehao Li,Xiaojun Ye

DOI: https://doi.org/10.1109/iccc56324.2022.10065635

2022-01-01

Abstract:To address the challenge of lacking labeling information in network traffic anomaly detection, we propose an unsupervised anomaly detection algorithm based on cascading representation and multiple-clustering. First, this paper designs a cascading representation method to obtain discriminative traffic features. We create a residual auto-encoder that employs generative learning to capture generic statistical expressions. We augment the time-series features in various ways and leverage contrastive learning to capture discriminative representations. We develop a host identification task based on triplet loss, enhancing feature discrimination in addition to cascading two feature representations. Second, we design a multiple-clustering-based algorithm for anomalous traffic detection. By performing KMeans on the cascading feature representations, we obtained clustering centers to replace each cluster and avoid the problem of unbalanced abnormal traffic. By applying DBSACAN clustering with a tree structure to these clustering centers and using the height of the anomalies to calculate the traffic anomaly score, we can detect abnormal network traffic flexibly. Finally, we conducted experimental validation on several commonly used intrusion detection datasets. The experimental results show that the method proposed in this paper generally outperforms the comparison methods.

Yangrui HU,Xingshu CHEN,Junfeng WANG,Xiaoming YE

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.11.008

2016-01-01

Abstract:Real network environment lack of labeled data set, so traditional anomaly traffic detection method based on labeled data set is unsuitable for actual large-scale network. To resolve this, the paper proposes an improved k-means anomaly traffic detection method for unlabeled data sets. Firstly, collect the Sichuan University network outlet lfow and store in the distributed ifle system;secondly, construct user behavior feature set on the basis of network lfow analysis, and extract relevant characteristics by Spark big data processing platform. Referenced principles of group to define the normal behavior of clusters in the actual flow, construct normal flow behavior model on improved K-means++cosine clustering method;Finally, the cosine distance between the normal behavior model and user actual flow behavior is calculated to detected anomaly flow behavior. The feasibility and validity of the method are verified by attacking experiment. The experimental results show that the normal lfow behavior model for anomaly lfow detection has higher accuracy.

Jinbo Li,Hesam Izakian,Witold Pedrycz,Iqbal Jamal

DOI: https://doi.org/10.1016/j.asoc.2020.106919

IF: 8.7

2021-03-01

Applied Soft Computing

Abstract:Multivariate time series data come as a collection of time series describing different aspects of a certain temporal phenomenon. Anomaly detection in this type of data constitutes a challenging problem yet with numerous applications in science and engineering because anomaly scores come from the simultaneous consideration of the temporal and variable relationships. In this paper, we propose a clustering-based approach to detect anomalies concerning the amplitude and the shape of multivariate time series. First, we use a sliding window to generate a set of multivariate subsequences and thereafter apply an extended fuzzy clustering to reveal a structure present within the generated multivariate subsequences. Finally, a reconstruction criterion is employed to reconstruct the multivariate subsequences with the optimal cluster centers and the partition matrix. We construct a confidence index to quantify a level of anomaly detected in the series and apply Particle Swarm Optimization as an optimization vehicle for the problem of anomaly detection. Experimental studies completed on several synthetic and six real-world datasets suggest that the proposed methods can detect the anomalies in multivariate time series. With the help of available clusters revealed by the extended fuzzy clustering, the proposed framework can detect anomalies in the multivariate time series and is suitable for identifying anomalous amplitude and shape patterns in various application domains such as health care, weather data analysis, finance, and disease outbreak detection.

computer science, artificial intelligence, interdisciplinary applications

Zheng-mao ZHUANG,Xing-shu CHEN,Guo-lin SHAO,Xiao-ming YE

DOI: https://doi.org/10.6040/j.issn.1671-9352.1.2016.030

2017-01-01

Abstract:Server behavior characteristics in a time of dynamic correlation characteristics of a clustering method based on the distribution ratio, clustering and density deviation combined to construct a temporal correlation server traffic anomaly detection model. Through the campus network server traffic and long-term observation study found that server traffic characteristics and dynamic correlation time, based on this condition, this article extract the feature server traffic flow at the present time and combines the features of the current moment of time associated with dynamic, using K-means clustering algorithm to detect the outliers of the flow characteristics, and find abnormal server traffic. Experimental results show that the model can effectively detect abnormal server traffic even in the real-world environment. The longer the model applies, the stronger adaptable the algorithm is.

Yating Liu,Yuantao Gu

DOI: https://doi.org/10.1109/dsw.2018.8439923

2018-01-01

Abstract:Network anomaly detection refers to automatically identifying the flows associated with anomalous events, which is the first line of defense against attacks in network security system. This paper proposes a new reliable unsupervised detector Multiple Sketches and Clustering (MSC) combining sketches (random projections) and clustering to blindly identify anomalies without relying on signatures or labeled traffic data. Multiple random projections and voting strategy alleviate the potential misclassification of single analysis and ensure a lower false positive rate. The K-means++ clustering detection detects both known and unknown anomalies accurately and triggers a higher true positive rate without any prior information about traffic data or anomaly patterns. The results on the MAWILAB backbone network dataset reveal that the novel detector outperforms the state-of-the-art detectors.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Liang Hu,Nurbol,Zhiyu Liu,Jinshan He,Kuo Zhao

DOI: https://doi.org/10.4103/0256-4602.62784

2010-01-01

IETE Technical Review

Abstract:Anomaly detection, as an important complement to misuse detection, has the capability of finding and foiling both known and "zero day" attacks. Performing anomaly detection in real time places hard requirement on the algorithms used. It makes many detection techniques based on proposed data mining algorithms less suitable to be used under real-time network circumstances. To address the problem, a novel anomaly detection algorithm using time-stamped clustering is proposed. In this paper, the normality model used for detection is the clustering result of BIRCH. Once a cluster is generated or modified in the tree index of BIRCH, it will be marked by a lasted modified time-stamp and frequent item. Using each clusters time-stamp and frequent item, the algorithm can dynamically remove some expired clusters from the model, and can also produce some new clusters that makes our clustering method more suitable for the real network environment. Experiments with the KDDCUP 1999 dataset show that our algorithm is less sensitive to noise data objects than ADWICE and has lower computer resource consumption.

YANG Yu-zhou,ZHANG Feng-li,WANG Yong

DOI: https://doi.org/10.3969/j.issn.1002-137x.2012.04.012

2012-01-01

Computer Science

Abstract:Network anomaly detection has become one of the focus research topics in the field of intrusion detection.However,issues on accurate selection of key date in training set,the long selection time,and the high rate of detection misstatement are still unresolved.Regarding to those problems,to integrate K-MEANS and Branch and Bound Algorithm,and to build up a network anomaly detection model on it can significantly improve the accuracy of key data selection,and reduce time consumption as well.A series of experiments on well known KDD Cup 1999 dataset demonstrate that the model can achieve a high detection accuracy and efficiently constrain the false alarms caused by detection.

Chun Yang,Feiqi Deng,Haidong Yang

DOI: https://doi.org/10.1109/CHINACOM.2007.4469390

2007-01-01

Abstract:Previous Research in network intrusion detection system (NIDS) has typically used misuse detection or supervised anomaly detection techniques. These techniques have difficulty in detecting new types of attacks or causing high false positives in real network environment. Unsupervised anomaly detection can overcome the drawbacks of misuse detection and supervised anomaly detection. In this paper, normal-anomaly patterns are built over the network traffic dataset that uses subtractive clustering, and at the same time the built Hidden Markov Model (HMM) correlates the observation sequences and state transitions to predict the most probable intrusion state sequences. The proposed unsupervised anomaly detection approach is capable of reducing false positives by classifying intrusion sequences into different emergency levels. The experimental results are also reported using the KDDCup'99 dataset and Matlab.

Yong Feng,Jiang Zhong,Zhong-Yang Xiong,Chun-Xiao Ye,Kai-Gui Wu

DOI: https://doi.org/10.1007/978-3-540-72393-6_113

2007-01-01

Abstract:An approach to network anomaly detection is investigated, based on dynamic self-organizing maps (DSOM) and ant colony optimization (ACO) clustering. The basic idea of the method is to produce the cluster by DSOM and ACO. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on DSOM and ACO clustering can settle these problems effectively. The experiment results show that our approach can detect unknown intrusions efficiently in the real network connections.

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

Dingde Jiang,Zhengzheng Xu,Peng Zhang,Ting Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.09.014

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic anomalies contain existing abnormal changes in network traffic, which are derived from malicious and anomalous behaviors of users or network devices, such as network faults, abuses, network attacks, etc. These anomalies often damage our operation networks and even lead to network disruptions. In the present paper, we propose a novel method for detecting traffic anomalies in a network by exacting and capturing their features in the transform domain. Here, we take in consideration network topology information and network-wide traffic jointly. We find that anomalous network-wide traffic usually exhibits distinct high-frequency nature. This motivates us to utilize transform domain analysis theory to characterize network-wide traffic to identify its abnormal components. Besides, we group all origin-destination flows in the network in accordance with common destination nodes. By combining network topology information and transform-domain analysis in the given time window, the specious traffic components can be found and identified. Simulation results show that our detection algorithm exhibits a fairly robust detection ability and provides the better detection performance than previous algorithms. (c) 2013 Elsevier Ltd. All rights reserved.

Xiejun Ni,Daojing He,Sammy Chan,Farooq Ahmad

DOI: https://doi.org/10.1007/978-3-319-39555-5_12

2016-01-01

Abstract:Intrusion detection systems (IDSs) play a significant role to effectively defend our crucial computer systems or networks against attackers on the Internet. Anomaly detection is an effective way to detect intrusion, which can discover patterns that do not conform to expected behavior. The mainstream approaches of ADS (anomaly detection system) are using data mining technology to automatically extract normal pattern and abnormal ones from a large set of network data and distinguish them from each other. However, supervised or semi-supervised approaches in data mining rely on data label information. This is not practical when the network data is large-scale. In this paper, we propose a two-stage approach, unsupervised feature selection and density peak clustering to tackle label lacking situations. First, the density-peak based clustering approach is introduced for network anomaly detection, which considers both distance and density nature of data. Second, to achieve better performance of clustering process, we use maximal information coefficient and feature clustering to remove redundant and irrelevant features. Experimental results show that our method can get rid of useless features of high-dimensional data and achieves high detection accuracy and efficiency in the meanwhile.

jing yuan,ruixi yuan,xi chen

DOI: https://doi.org/10.15837/ijccc.2014.1.870

IF: 2.635

2014-01-01

International Journal of Computers Communications & Control

Abstract:This paper proposes a novel detection engine, called the Wavelet-Recurrence-Clustering (WRC) detection model, to study the network anomaly detection problem that is widely attractive in Internet security area. The WRC model first applies the wavelet transform and recurrence analysis to calculate the multi-scale dynamic characteristics of network traffic, and then identifies network anomalies through the clustering algorithm with those dynamic characteristics. The evaluation results on DARPA 1999 dataset indicate that the WRC detection model can effectively improve the detection accuracy with a low false alarm

Bo Li,Simin Zhang,Ke Li

DOI: https://doi.org/10.1002/cpe.3955

2016-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryAnomaly detection plays a crucial part in identifying unforeseen attacks for network and information security. However, the accuracy of existing network anomaly detection approaches is limited because of the lack of sufficient and high‐quality features. Most research works only take information from one network layer into account, which leads to a situation that some key features of other network layers are omitted. To address this issue, we propose a novel approach, named Multi‐Layers Anomaly Detection, which extracts and combines features from different network layers. In order to reduce redundancy and noise derived from the combination of multiple layers, an algorithm called RanPF is designed by applying principal components analysis (PCA) into random forest (RF) algorithm. RanPF uses features selected by PCA to decide the height of every tree in RF and provides a method to select which features for tree nodes to use according to the weights of principal components. To obtain high‐quality features, we adopt an attribute learning mechanism. Naive Bayes is used to characterize the attribute information, which is fast and simple compared with other learning algorithms such as SVM. In addition, a series of experiments conducted on two real‐life datasets demonstrate that our approach outperforms the state‐of‐the‐art methods in terms of detection rate and false alarm rate. MLAD achieves about 99% detection rate and about 0.6% false alarm rate on average when the ratio of the training set is 60%. Copyright © 2016 John Wiley & Sons, Ltd.

Hong Wang,Zhenghu Gong,Qing Guan,Baosheng Wang

DOI: https://doi.org/10.1109/icn.2008.83

2008-01-01

Abstract:Anomalies generate vast amounts of bogus traffic, which can overwhelm the network and any attached hosts. Identifying Traffic anomalies rapidly and accurately is critical to network stability and usefulness. Most papers focus on analyzing the volume of data or packets on the network. However, legitimate network traffic may be bursty or highly variable, rendering such naive approaches ineffective[7]. We propose a novel method called MultiA to solve this problem. Rather than just looking at volumes of packets, MultiA intelligently adopted Multistage Filter and information entropy take into account the behavior of the network. The MultiA is scalable, automated and self-training. We find this technique effectively identifies network traffic anomalies while avoiding the high false alarms rate.

zheng hong xiao,zhi gang chen,xiao heng deng

DOI: https://doi.org/10.4028/www.scientific.net/AMM.121-126.3745

2012-01-01

Applied Mechanics and Materials

Abstract:Based on the principle that the same class is adjacent, an anomaly intrusion detection method based on K-means and Support Vector Machine (SVM) is presented. In order to overcome the disadvantage that k-means algorithm requires initializing parameters, this paper proposes an improved K-means algorithm with a strategy of adjustable parameters. According to the location of wireless sensor networks (WSN), we can obtain clustering results by applying improved K-means algorithm to WSN, and then SVM algorithm is applied to different clusters for anomaly intrusion detection. Simulation results show that the proposed method can detect abnormal behaviors efficiently and has high detection rate and low false positive rate than the current typical intrusion detection schemes of WSN.

Xiaoyu Wang,Yongwang Zhou,Dongbiao Li,Chi Zhang

DOI: https://doi.org/10.1109/iccc62479.2024.10681973

2024-01-01

Abstract:Anomaly detection in dynamic and temporal graphs is frequently accomplished using unsupervised learning. This involves clustering to group similar data instances and identify outliers. Nonetheless, the accuracy of unsupervised learning algorithms is limited when anomalous data instances exhibit similar features. Existing graph theory-based methods can only detect significant anomalies that affect the entire network structure but fail to detect subtle anomalies such as small-scale DDoS attacks within node groups. Conversely, monitoring the behavior of every node in a real-time network can be expensive. In this paper, we propose a real-time anomaly detection method that leverages community detection and graph spectral theory. Specifically, each graph is partitioned into groups of densely connected nodes, which serve as detection objects to identify subtle anomalies. To address the challenge of detecting anomalies with similar features, we measured changes in communities between adjacent time steps, allowing us to identify outlier time points. Finally, to strike a balance between accuracy and cost, we utilize a novel graph spectral theory method as a graph distance function. Experimental evaluations demonstrate the efficacy of our approach in detecting subtle anomalies.