XIE Yi,YU Shun-Zheng

DOI: https://doi.org/10.1360/jos180967

2007-01-01

Journal of Software

Abstract:This paper proposes an anomaly detection based on Web user access behavior for the defense of application layer Distributed Denial-of-Service (DDoS) attack. Based on the hyperlink characteristics of Web pages and the HTTP responding effect of different proxies in the Internet, this paper uses hidden semi-Markov model (HsMM) to describe the Web user browsing behavior observed at Web server, and employs likelihood of the observation sequence on user browsing behaviors fitting to the model as a measure of user's normality. A parameterized model and its recursive formulae are derived and an on-line anomaly detection approach is introduced. Some issues involved in practical implementations of the model and the anomaly detection approach are discussed. Finally, an experiment is conducted to validate the model and the algorithm, which is based on a set of data colleted from a heavy-loaded Web server and an emulated DDoS attack that launches HTTP flooding to the Web site. The experimental results show that the model is effective in measuring the user behaviors and in detecting the application layer DDoS attacks.

Yi Xie,Shun-Zheng Yu

2006-01-01

Abstract:It is difficult for the existing anomaly detection methods to distinguish the normal flash crowds from the anomalous traffic of distributed denial of service attacks in large-scale Web site. This paper used hidden semi-Markov model to categorize the Web pages in an unsupervised manner. A new parameter re-estimation algorithm based on segmental K-means algorithm was derived for the model which was used to implement the application-layer distributed denial of service attacks detection for large-scale Web server. Likelihood of observation sequence on user browsing behaviors fitting to the model was used as a measure of user's normality. Finally, an experiment was conducted to validate our model and algorithm, which was based on a set of data colleted from a real traffic data of a heavily-accessed Web server and an emulated distributed denial of service attack that launches flooding of HTTP requests to the Web site.

Yi Xie,Shun-Zheng Yu

DOI: https://doi.org/10.1109/TNET.2008.923716

2009-01-01

IEEE/ACM Transactions on Networking

Abstract:Many methods designed to create defenses against distributed denial of service (DDoS) attacks are focused on the IP and TCP layers instead of the high layer. They are not suitable for handling the new type of attack which is based on the application layer. In this paper, we introduce a new scheme to achieve early attack detection and filtering for the application-layer-based DDoS attack. An extend...

Shun-Zheng Yu,Ning Li

2006-01-01

Abstract:This paper presents a novel anomaly detection method that is to be used in detecting distributed denial of service (DDoS) attacks on a Web server. The anomaly detection algorithm is based on a hidden semi-Markov model (HSMM) that will issue alarms with high accuracy and detect intrusions with high efficiency. Finally, an experiment is conducted to validate the algorithm.

Xiaobin Tan,Hongsheng Xi

DOI: https://doi.org/10.1016/j.amc.2008.05.028

IF: 4.397

2008-01-01

Applied Mathematics and Computation

Abstract:In this paper, hidden semi-Markov model (HSMM) is introduced into intrusion detection. Hidden Markov model (HMM) has been applied in intrusion detection systems several years, but it has a major weakness: the inherent duration probability density of a state in HMM is exponential, which may be inappropriate for the modeling of audit data of computer systems. We can handle this problem well by developing an HSMM for perfect normal processes of computer systems. Based on this HSMM, an algorithm of anomaly detection is presented in this paper, which computes the distance between the processes monitored by intrusion detection system and the perfect normal processes. In this algorithm, we use the average information entropy (AIE) of fixed-length observed sequence as the anomaly detection metric based on maximum entropy principle (MEP). To improve accuracy, the segmental K-means algorithm is applied as training algorithm for the HSMM. By comparing the accurate rate with the experimental results of previous research, it shows that our method can perform a more accurate detection.

Min Li,Shunzheng Yu,Li He

DOI: https://doi.org/10.1109/npc.2008.89

2008-01-01

Abstract:In contrast to many techniques exploiting temporal patterns of traffic from a single network element, network-wide traffic analysis mainly focuses on the spatial behavior across the whole network. This paper proposes a spatial hidden Markov model (SHMM) to learn the normal patterns of network-wide traffic. Combined with topology information, SHMM models traffic volumes on links as probabilistic outputs of underlying interactions between routers. Based on a trained SHMM, a nonparametric CUSUM algorithm is used to track the change of entropy of observation sequences in different sliding windows for anomaly detection. Background traffic collected from real network and synthetic anomalies are used for validation of the detection method. The results prove our method effective for network-wide traffic anomaly detection.

Li Min,Yu Shun-Zheng

DOI: https://doi.org/10.1109/icccas.2006.284987

2006-01-01

Abstract:Hidden semi-Markov model (HsMM) has been well studied and widely applied to many areas. The advantage of using an HsMM is its efficient forward-backward algorithm for estimating model parameters to best account for an observed sequence. In this paper, we propose an HsMM to model the distribution of network-wide traffic and use an observation window to distinguish DoS flooding attacks mixed within the normal background traffic. Several experiments are conducted to validate our method

Yi Xie,Shunzheng Yu

2006-01-01

Abstract:Since the flash crowds and distributed denial of service (DDoS) attacks have the similar characteristics, it is difficult for current detection systems to distinguish the malicious requests of DDoS from legitimate flash crowds. This is especially the case for large-scale heavily-accessed Web server environments, which have received considerably less attention in the research literature. In this paper, we focus on the HTTPlevel DDoS attacks detection for flash crowd events of high-volume Website. In contrast to the existing detection methods, we will distinguish the HTTP flooding attacks from the legitimate flash crowd events by a Web user browsing behavior model based on Hidden Semi-Markov Model (HSMM). The entropy of observation sequence on user browsing behavior is used as a measure of user's normality and filter policy. An efficient algorithm for this model is presented for the online implementation of anomaly detection. Finally, an experiment is conducted to validate our model and algorithm, which is based on a real traffic data and an emulated DDoS attack that launches flooding of HTTP requests to the Website.

Yi Xie,Shun-Zheng Yu

DOI: https://doi.org/10.1109/IMSCCS.2006.159

2006-01-01

Abstract:Countering Distributed Denial of Service (DDoS) attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. DDoS attacks are typically carried out at the network layer. However, there is evidence to suggest that application layer DDoS attacks can be more effective than the traditional ones. In this paper, we consider sophisticated attacks that utilize legitimate application layer HTTP requests from legitimately connected network machines to overwhelm Web server. Since the attack signature of each application layer DDoS is represented in abnormal user behavior, we propose a countermechanism based on Web user browsing behavior to protect the servers from these attacks. In contrast to prior works, we explore Hidden semi-Markov Model to describe the browsing behaviors of Web users and apply it to implement the anomaly detection for the application layer DDoS attacks which simulate the Web request behaviors of browser and use HTTP requests to launch attacks. By conducting an experiment with a real traffic data, the model shows that it is effective in measuring the user behaviors and detecting the application layer DDoS attacks.

Su Yang,Weihua Liu

DOI: https://doi.org/10.1109/iThings/CPSCom.2011.25

IF: 5.711

2011-01-01

Internet of Things

Abstract:Trajectories of people provide rich information about the collective behaviors, where the term collective behavior means the behavior of a large number of people as a whole. Abnormal people trajectories that are rarely observed may correspond with some unusual events, for instance, natural disasters, terrorism attacks, or traffic accidents. To detect such abnormal people trajectories, namely outliers, this paper presents a solution based on Hidden Markov Model (HMM). The motivation to use HMM for outlier detection on people trajectories is that time-varying people distribution can be modeled by using HMM and HMM can provide the probability that a sequence appears. Here, the time-varying people distributions with low probabilities to appear are regarded as outliers. Experiments with an artificial data set simulating collective behaviors and a real-world traffic data set validate the proposed solution.

Dit-Yan Yeung,Yuxin Ding

DOI: https://doi.org/10.1007/3-540-47887-6_49

2002-01-01

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on user profiles built from normal usage data. In particular, user profiles based on Unix shell commands are modeled using two different types of behavioral models. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only. To determine whether a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that static modeling outperforms dynamic modeling for this application. Moreover, the static modeling approach based on cross entropy is similar in performance to instance-based learning reported previously by others for the same dataset but with much higher computational and storage requirements than our method.

Keisuke Yoshihara,Kei Takahashi

DOI: https://doi.org/10.1371/journal.pone.0262463

IF: 3.7

2022-01-11

PLoS ONE

Abstract:We propose a simple anomaly detection method that is applicable to unlabeled time series data and is sufficiently tractable, even for non-technical entities, by using the density ratio estimation based on the state space model. Our detection rule is based on the ratio of log-likelihoods estimated by the dynamic linear model, i.e. the ratio of log-likelihood in our model to that in an over-dispersed model that we will call the NULL model. Using the Yahoo S5 data set and the Numenta Anomaly Benchmark data set, publicly available and commonly used benchmark data sets, we find that our method achieves better or comparable performance compared to the existing methods. The result implies that it is essential in time series anomaly detection to incorporate the specific information on time series data into the model. In addition, we apply the proposed method to unlabeled Web time series data, specifically, daily page view and average session duration data on an electronic commerce site that deals in insurance goods to show the applicability of our method to unlabeled real-world data. We find that the increase in page view caused by e-mail newsletter deliveries is less likely to contribute to completing an insurance contract. The result also suggests the importance of the simultaneous monitoring of more than one time series.

DY Yeung,YX Ding

DOI: https://doi.org/10.1016/s0031-3203(02)00026-2

IF: 8

2003-01-01

Pattern Recognition

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on program or user profiles built from normal usage data. In particular, program profiles based on Unix system calls and user profiles based on Unix shell commands are modeled using two different types of behavioral models for data mining. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only, as opposed to the classification approach which has to use both normal and intrusion data for training. To determine whether or not a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that the dynamic modeling approach is better than the static modeling approach for the system call datasets, while the dynamic modeling approach is worse for the shell command datasets. Moreover, the static modeling approach is similar in performance to instance-based learning reported previously by others for the same shell command database but with much higher computational and storage requirements than our method.

Waqas Haider,Jiankun Hu,Yi Xie,Xinghuo Yu,Qianhong Wu

DOI: https://doi.org/10.1109/tbdata.2017.2736555

2017-01-01

IEEE Transactions on Big Data

Abstract:Anomaly detection for cloud servers is important for detecting zero-day attacks. However, it is very challenging due to the large amount of accumulated data. In this paper, a new mathematical model for modeling dynamic usage behavior and detecting anomalies is proposed. It is constructed using state summarization and a novel nested-arc hidden semi-Markov model (NAHSMM). State summarization is designed to extract usage behavior reflective states from a raw sequence. The NAHSMM is comprised of exterior and interior hidden Markov chains. The exterior controls the propagation of raw sequences of system calls and, conditional on it, the interior one controls the summarized observation process from the transition less usage behavior reflective states. An anomaly detection algorithm is derived by integrating state summarization and NAHSMM. During training the algorithm is assisted by a forensic module to tune the behavioral threshold. Experimental data is collected using IXIA Perfect Storm in conjunction with the commercial security-test hardware platform cyber range. To evaluate the reliability of the proposed model, first, its accuracy and training costs are compared with those of existing machine-learning models and then its scalability and resistance capabilities are tested. The results indicate that this model could be used as a method for detecting anomalies in cloud servers.

Jiu Jun Chen,Ji Gao,Jun Hu,Bei Shui Liao

DOI: https://doi.org/10.1007/978-3-540-30497-5_125

2004-01-01

Abstract:Web user patterns can be used to create a more robust web information service in personalization. But the user interests are changeable, that is, they differ from one user to another, and they are constantly changing for a specific user. This paper presents a dynamic mining approach based on Markov model to solve this problem. Markov model is introduced to keep track of the changes of user interest according to his or her navigational behaviors. Some new concepts in the model are defined. An algorithm based on the model is then designed to learn the user's favorite navigation paths. The approach is implemented in an example website, and the experimental results proved the effective of our approach.

Xi XIAO,Shu-tao XIA,Xin-guang TIAN,Qi-bin ZHAI

DOI: https://doi.org/10.1016/s1005-8885(10)60128-8

2011-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:In anomaly detection, a challenge is how to model a user's dynamic behavior. Many previous works represent the user behavior based on fixed-length models. To overcome their shortcoming, we propose a novel method based on discrete-time Markov chains (DTMC) with states of variable-length sequences. The method firstly generates multiple shell command streams of different lengths and combines them into the library of general sequences. Then the states are defined according to variable-length behavioral patterns of a valid user, which improves the precision and adaptability of user profiling. Subsequently the transition probability matrix is created. In order to reduce computational complexity, the classification values are determined only by the transition probabilities, then smoothed with sliding windows, and finally used to discriminate between normal and abnormal behavior. Two empirical evaluations on datasets from Purdue University and AT&T Shannon Lab show that the proposed method can achieve higher detection accuracy and require less memory than the other traditional methods.

Yi Xie,Shun-zheng Yu

DOI: https://doi.org/10.1109/ICCS.2008.4737369

2008-01-01

Abstract:This paper is focused on a new type sneaky HTTP attack which has no obvious anomaly characteristics. A new light-weight anomaly detection scheme is introduced for large-scale Web sites whose workload is much heavier and more bursty than the general Web sites. Based on stack distance values of HTTP requests, an improved event-driven hidden semi-Markov model is applied to describe the stochastic process of HTTP traffic. Normalized Viterbi score of incoming HTTP request sequence fitting to the given model is used as a measure criterion. Experiments based on a real Web traffic and an emulated attack are implemented to valid the proposal.

Wunjun Huo,Wei Wang,Wen Li

DOI: https://doi.org/10.1007/978-3-030-23499-7_5

2019-01-01

Abstract:Anomaly detection is a key challenge in data mining, which refers to finding patterns in data that do not conform to expected behavior. It has a wide range of applications in many fields as diverse as finance, medicine, industry, and the Internet. In particular, intelligent operation has made great progress in recent years and has an urgent need for this technology. In this paper, we study the problem of anomaly detection in the context of intelligent operation and find the practical need for high-accuracy, online and universal anomaly detection algorithms in time series database. Based on the existing algorithms, we propose an innovative online distance-based anomaly detection algorithm. K-means and time-space trade-off mechanism are used to reduce the time complexity. Through the experiments on Yahoo! Web-scope S5 dataset we show that our algorithm can detect anomalies accurately. The comparative study of several anomaly detectors verifies the effectiveness and generality of the proposed algorithm.

Fanping Zeng,Kaitao Yin,Minghui Chen,Xufa Wang

DOI: https://doi.org/10.1109/ICIS.2009.140

2009-01-01

Abstract:Over the past few years, anomaly detection has been an increasing concern with the rapid growth of the network security. Hidden Markov model (HMM) has been applied in various methods in intrusion detection and proved to be a good tool to model normal behaviors of privileged processes, however, one major problem with this approach is that it demands excessive computing resources and costs a long model training time, which makes it inefficient for practical intrusion detection. This paper presents a new method of bringing rough set reduction into HMM to overcome the shortcoming. The proposed approach classifies and simplifies the long observation sequence by virtue of rough set reduction, and the decision conditions obtained in rough set reduction phase could be used in further detection. The experimental results indicate that this method can promote the model training efficiency. Further-more, it is suitable for anomaly detection with high detect rate and low false alarm rate.