Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Yan Yu,Shanqing Guo,Shaohua Lan,Tao Ban

DOI: https://doi.org/10.1007/978-3-642-02490-0_70

2009-01-01

Abstract:In network environment, time-varying traffic patterns make the detection model not characterize the current traffic accurately. At the same time, the deficiency of training samples also degrades the detection accuracy. This paper proposes an anomaly detection algorithm for evolving data stream based on semi-supervised learning. The algorithm uses data stream model with attenuation to solve the problem of the change of traffic patterns, as while as extended labeled dataset generated from semi-supervised learning is used to train detection model. The experimental results manifest that the algorithm have better accuracy than those based on all historical data equivalently by forgetting historical data gracefully, as while as be suitable for the situation of deficiency of labeled data.

Fu XU,Jian XU

DOI: https://doi.org/10.3969/j.issn.1672-9722.2017.08.003

2017-01-01

Abstract:Anomaly detection in data stream has gained a high attraction due to its applications,including real-time surveil-lance,network intrusion detection. However,traditional clustering is no longer suitable due to the particularity and timeliness of the data stream and the continuous characteristics of the data flow. Therefore,incremental clustering has become the research hotspots towards anomaly detection in data stream. An anomaly detection model in data stream is proposed based on two improved incremen-tal clustering aiming at the problem of low efficiency,high false positives and lack of pertinence of single clustering. The mothod is based on improved incremental clustering and an effective consensus function is designed to merge the results of a variety of cluster-ing algorithms. The experimental results show that the improved clustering algorithms are applicable to incremental clustering and they have better efficiency and better clustering result than single clustering method.

ZHENG Jun,HU Ming-zeng,YUN Xiao-chun,ZHENG Zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.001

2006-01-01

Abstract:The anomaly detection algorithms of the large scale network(LSN) were required to analysis the vast network traffic of G bit level in real-time and on-the-fly.A novel monitoring mechanism of LSN anomaly detection based on the data stream approach was proposed.The main contributions included: the sketch data structure and the frequent sketch algorithm of data streams were designed for anomaly detection of LSN.Optimized query methods were designed for customizing the security monitoring and detection policy with the correlations of multi data streams.The data reduction was proposed to make it possible that the whole network traffic character could be got using a few of special data streams.The experiments of the real networking environments validate the effectivity of LSN anomaly detection methods.

Yitong Liu,Caiyun Liu,Jun Li,Yan Sun

DOI: https://doi.org/10.1007/978-981-97-2757-5_49

2024-01-01

Abstract:In today's information age, with the rapid development of network technology and a large number of applications of sensors in daily life. The number of various types of data has shown a great growth. These data not only bring us convenience and benefits, but also pose a great challenge to us, that is, how to explore the information of the data and effectively analyze the specific significance contained in the data has become a hot research direction. In the large amount of data obtained, most of the data are in the normal state and only represent the basic "value" information. Compared with the data in the normal state, the information carried by a small part of the data is more worthy of attention. The emergence of these data is the so-called "exception". The occurrence of exceptions indicates that the system that should be running normally has changed, and these changes often have a negative impact on the system. Looking at these applications, it is not difficult to find that the actual frequency of these anomalies accounts for a very small proportion compared with a large number of normal time, but its value is very huge. Therefore, real-time online anomaly detection of convective data has very important value and significance for scientific research and industrial application. In the process of this research, I have a more comprehensive and detailed understanding of the research field of "anomaly detection of stream data" through theoretical learning, apply the deep learning model to anomaly detection of stream data, and test the performance of the model through experiments. By comparing the performance of traditional anomaly detection algorithms, unsupervised and semi supervised machine learning models and neural networks such as LSTM/HTM in stream data anomaly detection, we try to find an algorithm that can detect stream data information in real time and provide anomaly alarm in time.

YU Yan,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.02.010

2007-01-01

Abstract:Existing anomaly intrusion detection algorithms based on supervised learning usually face difficulties when the training samples are insufficient.At the same time,the characteristics that the pattern of network traffic is changing over time are not considered adequately by the intrusion detection algorithms which are based on the equivalent learning of all historical dataset.So,a streaming ensemble intrusion detection model based on small labeled data is presented,in which a small labeled dataset is extended to work out the problem of the insufficiency of training samples.In addition,it can adapt to the changes of network traffic adequately.The experimental results manifest that the algorithm has better detection performance than those based on all historical data while the size of labeled dataset is very small.

Xiaolan Wang,Md. Manjur Ahmed,Mohd Nizam Husen,Hai Tao,Qian Zhao

DOI: https://doi.org/10.1007/978-981-99-0405-1_5

2023-01-01

Abstract:The identification of anomalies in a data stream is a difficulty for decision-making in real time. A memory-constrained online detection system that is able to quickly detect the concept drift of streaming data is required because the constant arrival of massive amounts of streaming data with changing characteristics makes real-time and efficient anomaly detection a difficult task. This is because of the nature of the data itself, which is constantly changing. In this study, a novel model for detecting anomalies using dynamic micro-clusters scheme is developed. The macro-clusters are generated from a network of connected micro-clusters. When new data items are added, the normal patterns that are formed in macro-clusters will update in tandem with the dynamic micro-clusters in an incremental fashion. An outlier may be understood from both a global and a local perspective by examining the global and local densities respectively. The effectiveness of the suggested approach was evaluated with the use of three different datasets. The findings of the experiment demonstrate that the suggested method is superior to earlier algorithms in terms of both the accuracy of detection and the level of computing complexity it requires.

Yuan Zhang,Qinghai Yang,Sangarapillai Lambotharan,Konstantinos Kyriakopoulos,Ibrahim Ghafir,Basil AsSadhan

DOI: https://doi.org/10.1109/wcsp.2019.8927907

2019-01-01

Abstract:With the rapid development of new technologies and applications of Internet, much attention has been paid to the detection of anomalies in cyberspace traffic. A series of intrusion detection techniques based on machine learning have been developed. Support vector machine (SVM), as an essential approach, has been paid close attention in this filed. Nevertheless, the existing SVM-based techniques with the training features can not efficiently detect short duration intrusions and attacks in the traffic. To tackle this issue, we propose an anomaly-based SVM detection scheme by extracting and optimizing the training features. It trains the SVM with Kullback-Leibler (KL) divergence and cross-correlation calculated by the control and data planes traffic. Following this way, the novel training method can effectively enhance the detection accuracy. And the performance of the presented scheme is validated and evaluated based on a recent realistic Internet traffic dataset. Finally, relevant results indicate that the developed method establishes the relationship between Transmission Control Protocol (TCP) traffic and intrusions. It can efficiently detect short duration intrusions and attacks in the network traffic.

Yong WANG,Liang GAO,Hui-hua YANG

DOI: https://doi.org/10.3969/j.issn.1673-808X.2005.05.001

2005-01-01

Abstract:Most of IDS in current use are based on feature match.They usually appear incapable of detecting unknown intrusion.Anomaly detection can efficiently undertake the work of unknown intrusion detection.MIT's Lincoln Laboratory presented a well-renowned off-line intrusion detection scheme,but it couldn't lend itself to establishing a real-time intrusion detection system(IDS).As a response to this problem,we introduce in this paper a novel real-time IDS method.It dynamically reconstructs the TCP connections,extracts 31 intrusion features,and uses support vector machines as detector.The experiments show that the detection accuracy is above 95%.In order to cut down detect time,we present an algorithm to search best time for detection intrusion.A series of network intrusion experiments have demonstrated that the proposed method can precisely detect intrusions occurring in a local area network within 250 ms.

Liyang Wang,Yu Cheng,Hao Gong,Jiacheng Hu,Xirui Tang,Iris Li

2024-09-23

Abstract:The sophistication and diversity of contemporary cyberattacks have rendered the use of proxies, gateways, firewalls, and encrypted tunnels as a standalone defensive strategy inadequate. Consequently, the proactive identification of data anomalies has emerged as a prominent area of research within the field of data security. The majority of extant studies concentrate on sample equilibrium data, with the consequence that the detection effect is not optimal in the context of unbalanced data. In this study, the unsupervised learning method is employed to identify anomalies in dynamic data flows. Initially, multi-dimensional features are extracted from real-time data, and a clustering algorithm is utilised to analyse the patterns of the data. This enables the potential outliers to be automatically identified. By clustering similar data, the model is able to detect data behaviour that deviates significantly from normal traffic without the need for labelled data. The results of the experiments demonstrate that the proposed method exhibits high accuracy in the detection of anomalies across a range of scenarios. Notably, it demonstrates robust and adaptable performance, particularly in the context of unbalanced data.

Machine Learning,Artificial Intelligence,Cryptography and Security

H. P. Yao,Y. Q. Liu,C. Fang

DOI: https://doi.org/10.15837/ijccc.2016.4.2315

IF: 2.635

2016-01-01

International Journal of Computers Communications & Control

Abstract:Anomaly network detection is a very important way to analyze and detect malicious behavior in network. How to effectively detect anomaly network flow under the pressure of big data is a very important area, which has attracted more and more researchers' attention. In this paper, we propose a new model based on big data analysis, which can avoid the influence brought by adjustment of network traffic distribution, increase detection accuracy and reduce the false negative rate. Simulation results reveal that, compared with k-means, decision tree and random forest algorithms, the proposed model has a much better performance, which can achieve a detection rate of 95.4% on normal data, 98.6% on DoS attack, 93.9% on Probe attack, 56.1% on U2R attack, and 77.2% on R2L attack.

Dennis Ippoliti,Changjun Jiang,Zhijun Ding,Xiaobo Zhou

DOI: https://doi.org/10.1145/2934686

2016-01-01

ACM Transactions on Autonomous and Adaptive Systems

Abstract:Traditional network anomaly detection involves developing models that rely on packet inspection. However, increasing network speeds and use of encrypted protocols make per-packet inspection unsuited for today’s networks. One method of overcoming this obstacle is aggregating packet header information and performing flow-based analysis where data flow patterns are examined rather than deep packet inspection. Many existing approaches are special purpose limited to detecting specific behavior. Also, the data reduction inherent in identifying anomalous flows hinders alert correlation. In this article, we propose and develop a dynamic anomaly detection approach for augmented network flows. We sketch network state during flow creation, enabling general-purpose threat detection. We describe an efficient flow augmentation approach based on the count-min sketch that provides per-flow-, per-node-, and per-network-level statistics parallel to flow record generation. We design and develop a support vector machine-based adaptive anomaly detection and correlation mechanism, which is capable of aggregating alerts without a priori alert classification and evolving models online. We further develop a lightweight evolving alert aggregation method and combine it with a confidence forwarding mechanism identifying a small percentage predictions for additional processing. We show effectiveness of our methods on both enterprise and backbone traces. Experimental results demonstrate its ability to maintain high accuracy without the need for offline training.

Qifan Wang,Bo Yan,Hongyi Su,Hong Zheng

DOI: https://doi.org/10.1109/icbda51983.2021.9402957

2021-01-01

Abstract:Time Series is an important data object, which has the characteristics of high dimensionality, large amount of data, and fast data update. In the field of anomaly detection problems, there are problems of data skew and few abnormal data samples, which makes it difficult to train traditional supervised learning models. At the same time, with the rise of the Internet of Things, more and more data exists in the form of streams. In response to the above problems, this paper proposes a anomaly detection method for time series data stream. This method first uses multiple random convolution kernels to perform feature transformation on the time series, and then inputs the obtained feature map into RRCF (Robust random cut forest), and finally scores the samples according to the characteristics of the RRCF, and the ones that exceed the threshold are considered abnormal. This method does not need pre training model for real-time detection of time series data stream, but dynamic maintenance model, so it does not need manual label and has low cost. The experimental results show that the method in this paper has good performance on different data sets. Finally, the algorithm is implemented on the Apache Flink platform, which greatly improves the throughput of the detection system and enables the system to process massive data.

Nam Hun Park,Sang Hyun Oh,Won Suk Lee

DOI: https://doi.org/10.1016/j.ins.2010.03.001

IF: 8.1

2010-06-15

Information Sciences

Abstract:In anomaly intrusion detection, modeling the normal behavior of activities performed by a user is an important issue. To extract normal behavior from the activities of a user, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches model only the static behavior of a user in the audit data set. This drawback can be overcome by viewing a user’s continuous activities as an audit data stream. This paper proposes an anomaly intrusion detection method that continuously models the normal behavior of a user over the audit data stream. A set of features is used to represent the characteristics of an activity. For each feature, clusters of feature values corresponding to activities observed thus far in an audit data stream are identified by a statistical grid-based clustering algorithm for a data stream. Each cluster represents the frequency range of the activities with respect to the feature. As a result, without the physical maintenance of any historical activity of the user, the user’s new activities can be continuously reflected in the ongoing results. At the same time, various statistics of activities related to the identified clusters are also modeled to improve the performance of anomaly detection. The proposed algorithm is illustrated by a series of experiments to identify various characteristics.

computer science, information systems

Xudong Feng,Jin Liu,Jialu Yin,Handing Wang,Ruochen Liu

DOI: https://doi.org/10.1109/docs60977.2023.10294549

2023-01-01

Abstract:With the development of network-based software system, companies and operators pay more and more attention to the analysis of key performance indicators (KPI), such as network traffic and user browsing time. The challenges of anomaly detection of KPI data include the lack of labels and the unexpected changes of time series data distribution, named concept drift. Stream data clustering method is also used to deal with the above situation of stream data. An anomaly detection method based on stream data clustering is introduces in this paper to deal with the challenges above. This algorithm is called similarity based stream clustering (SBSC), which aims to deal with seasonal time series and concept drift. By using the density based stream data clustering framework based on similarity as a distance measure for time series, SBSC can deal with seasonal time series well and detect the concept drift phenomenon of time series. Compared with several common unsupervised anomaly detection algorithms, the algorithm is more efficient at identifying seasonal time series anomalies on real KPI data, and it is easier to detect concept drift and subsequence anomalies.

Y Feng,ZF Wu,KG Wu,ZY Xiong,Y Zhou

DOI: https://doi.org/10.1109/icmlc.2005.1527630

2005-01-01

Abstract:An approach to network intrusion detection is investigated, based on swarm intelligence. The basic idea of the method is to produce the cluster by swarm intelligence-based clustering. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on swarm intelligence can settle these problems effectively. The experiment result shows that our approach can detect unknown intrusions efficiently in the real network connections.

Marina Thottan,Guanglei Liu,Chuanyi Ji

DOI: https://doi.org/10.1007/978-1-84882-765-3_11

2010-01-01

Abstract:In recent years, network anomaly detection has become an important area for both commercial interests as well as academic research. Applications of anomaly detection typically stem from the perspectives of network monitoring and network security. In network monitoring, a service provider is often interested ill capturing such network characteristics as heavy flows, flow size distributions, and the number of distinct flows. In network security, the interest lies in characterizing known or unknown anomalous patterns of an attack or a virus.In this chapter we review two main approaches to network anomaly detection: streaming algorithms, and machine learning approaches with a focus on unsupervised learning. We discuss the main features of the different approaches and discuss their pros and cons. We conclude the chapter by presenting some open problems in the area of network anomaly detection.

Jun Zheng,MingZeng Hu,Hongli Zhang

DOI: https://doi.org/10.1109/ICMLC.2004.1378297

2004-01-01

Abstract:Data preprocessing including feature extraction is the first significant step in anomaly detection where normal profiles needed to be constructed. The paper defined a sort of traffic flows to be the atomy event unit of preprocessing, making the data preprocessing module more efficient and robust. Based on TCP Flows, the paper introduces a novel methodology to analysis the feature attributes of network traffic flow with some new techniques, Including a novel quantization model of TCP states. Integrating with data preprocessing, we construct an anomaly detection algorithm with SOFM and applied the detection frame to DARPA Intrusion Detection Evaluation Data. We train SOFM to exploit the normal profile distributions of network traffic. And then the test data with attack-instances embedded is utilized. It is shown that the network attacks are detected with more efficiency and relatively low false alarms.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Li Cheng,Yijie Wang,Yong Zhou,Xingkong Ma

DOI: https://doi.org/10.1177/1550147718803303

IF: 1.938

2018-01-01

International Journal of Distributed Sensor Networks

Abstract:Due to the increasing arriving rate and complex relationship of behavior data streams, how to detect sequential behavior anomaly in an efficient and accurate manner has become an emerging challenge. However, most of the existing literature simply calculates the anomaly score for segmented sequence, and there is limited work going deep to investigate data stream segment and structural relationship. Moreover, existing studies cannot meet efficiency requirements because of large number of projected subsequences. In this article, we propose EADetection, an efficient and accurate sequential behavior anomaly detection approach over data streams. EADetection adopts time interval and fuzzy logic–based correlation to segment event stream adaptively based on rolling window. Through dynamic projection space–based fast pruning, large number of repeated patterns are reduced to improve detection efficiency. Meanwhile, EADetection calculates the anomaly score by top-k pattern–based abnormal scoring based on directed loop graph–based storage strategy, which ensures the accuracy of detection. Specially, we design and implement a streaming anomaly detection system based on EADetection to perform real-time detection. Extensive experiments confirm that EADetection can achieve real time and improve accuracy, significantly reduces latency by 36.8% and reduces false positive rate by 6.4% compared with existing approach.