Wenhao Wang,Chen Zhang,Quan Zhang

DOI: https://doi.org/10.1007/978-3-662-43908-1_15

2014-01-01

Abstract:In order to solve non-real time problem in traditional intrusion detection technologies, this paper proposes an anomaly detection model based on cloud model and danger theory. First using cloud model as a tool to evaluate the diversity factors between test data and the standard data set, then covert it into signal input of DCA to detect abnormality degree of system. Meanwhile, a dendritic cell algorithm based on data segmented detection is proposed in order to raise real-time response of the system. The paper use KDDCUP99 data sets to validate membership of normal data and detection rate of this model. Experimental results show that the model can effectively distinguish between normal data and abnormal data, and also improve the system anomaly detection capabilities.

Wei Xiong,Hanping Hu,Naixue Xiong,Laurence T. Yang,Wen-Chih Peng,Xiaofei Wang,Yanzhen Qu

DOI: https://doi.org/10.1016/j.ins.2013.04.009

IF: 8.1

2013-01-01

Information Sciences

Abstract:Cloud computing represents a new paradigm where computing resources are offered as services in the world via communication Internet. As many new types of attacks are arising at a high frequency, the cloud computing services are exposed to an increasing amount of security threats. To reduce security risks, two approaches of the network traffic anomaly detection in cloud communications have been presented, which analyze dynamic characteristics of the network traffic based on the synergetic neural networks and the catastrophe theory. In the former approach, a synergetic dynamic equation with a group of the order parameters is used to describe the complex behaviors of the network traffic system in cloud communications. When this equation is evolved, only the order parameter determined by the primary factors can converge to 1. Then, the anomaly can be detected. In the latter approach, a catastrophe potential function is introduced to describe the catastrophe dynamic process of the network traffic in cloud communications. When anomalies occur, the state of the network traffic will deviate from the normal one. To assess the deviation, an index named as catastrophe distance is defined. The network traffic anomaly can be detected by the value of this index. We evaluate the performance of these two approaches using the standard Defense Advanced Research Projects Agency data sets. Experimental results show that our approaches can effectively detect the network traffic anomaly and achieve the high detection probability and the low false alarms rate.

Wenyao Sha,Yongxin Zhu,Min Chen,Tian Huang

DOI: https://doi.org/10.1109/tcc.2015.2415813

IF: 5.697

2015-01-01

IEEE Transactions on Cloud Computing

Abstract:As a major strategy to ensure the safety of IT infrastructure, anomaly detection plays a more important role in cloud computing platform which hosts the entire applications and data. On top of the classic Markov chain model, we proposed in this paper a feasible multi-order Markov chain based framework for anomaly detection. In this approach, both the high-order Markov chain and multivariate time series are adopted to compose a scheme described in algorithms along with the training procedure in the form of statistical learning framework. To curb time and space complexity, the algorithms are designed and implemented with non-zero value table and logarithm values in initial and transition matrices. For validation, the series of system calls and the corresponding return values are extracted from classic Defense Advanced Research Projects Agency (DARPA) intrusion detection evaluation data set to form a two-dimensional test input set. The testing results show that the multi-order approach is able to produce more effective indicators: in addition to the absolute values given by an individual single-order model, the changes in ranking positions of outputs from different-order ones also correlate closely with abnormal behaviours.

Jun Jiang,Fagui Liu,Wing W. Y. Ng,Quan Tang,Guoxiang Zhong,Xuhao Tang,Bin Wang

DOI: https://doi.org/10.1016/j.comcom.2023.01.004

IF: 5.047

2023-01-01

Computer Communications

Abstract:The abnormality of system behavior is inevitable in cloud computing because of its complexity and scale. How to perform anomaly detection on the system’s operating data to discover abnormal behavior has become a popular research field. However, anomaly detection is a challenging research problem because data in cloud computing scenarios is continuous, imbalanced, and cannot be acquired at once. In this work, an adaptive ensemble random fuzzy (AERF) algorithm is proposed for anomaly detection in cloud computing systems. The random fuzzy rule-based method in the AERF selects samples randomly to enhance the diversity of base classifiers for dealing with disturbances caused by abnormal sample distribution effectively. A dynamic weighting strategy is used for fuzzy classifier ensembles to improve processing efficiency and anomaly detection accuracy. Experimental results show that the AERF yields 10% higher AUC and G-mean than existing methods on SMD and EMOSCloud datasets and 20% higher AUC and G-mean on five benchmarking datasets. The AERF yields 20% higher F1 than existing methods on EMOSCloud dataset. For all datasets, the AERF yields 50% faster training time than other methods.

N. Pandeeswari,Ganesh Kumar

DOI: https://doi.org/10.1007/s11036-015-0644-x

2015-08-16

Mobile Networks and Applications

Abstract:Cloud computing affords lot of resources and computing facilities through Internet. Cloud systems attract many users with its desirable features. In spite of them, Cloud systems may experience severe security issues. Thus, it is essential to create an Intrusion Detection System (IDS) to detect both insider and outsider attacks with high detection accuracy in cloud environment. This work proposes an anomaly detection system at the hypervisor layer named Hypervisor Detector that uses a hybrid algorithm which is a mixture of Fuzzy C-Means clustering algorithm and Artificial Neural Network (FCM-ANN) to improve the accuracy of the detection system. The proposed system is implemented and compared with Naïve Bayes classifier and Classic ANN algorithm. The DARPA’s KDD cup dataset 1999 is used for experiments. Based on extensive theoretical and performance analysis, it is evident that the proposed system is able to detect the anomalies with high detection accuracy and low false alarm rate even for low frequent attacks thereby outperforming Naïve Bayes classifier and Classic ANN.

computer science, information systems,telecommunications, hardware & architecture

Feiyi Chen,Yingying zhang,Zhen Qin,Lunting Fan,Renhe Jiang,Yuxuan Liang,Qingsong Wen,Shuiguang Deng

DOI: https://doi.org/10.1109/icde60146.2024.00047

2024-01-01

Abstract:Anomaly detection significantly enhances the robustness of cloud systems.While neural network-based methods have recently demonstrated strongadvantages, they encounter practical challenges in cloud environments: thecontradiction between the impracticality of maintaining a unique model for eachservice and the limited ability to deal with diverse normal patterns by aunified model, as well as issues with handling heavy traffic in real time andshort-term anomaly detection sensitivity. Thus, we propose MACE, a multi-normal-pattern accommodated and efficientanomaly detection method in the frequency domain for time series anomalydetection. There are three novel characteristics of it: (i) a patternextraction mechanism excelling at handling diverse normal patterns with aunified model, which enables the model to identify anomalies by examining thecorrelation between the data sample and its service normal pattern, instead ofsolely focusing on the data sample itself; (ii) a dualistic convolutionmechanism that amplifies short-term anomalies in the time domain and hindersthe reconstruction of anomalies in the frequency domain, which enlarges thereconstruction error disparity between anomaly and normality and facilitatesanomaly detection; (iii) leveraging the sparsity and parallelism of frequencydomain to enhance model efficiency. We theoretically and experimentally provethat using a strategically selected subset of Fourier bases can not only reducecomputational overhead but is also profitable to distinguish anomalies,compared to using the complete spectrum. Moreover, extensive experimentsdemonstrate MACE's effectiveness in handling diverse normal patterns with aunified model and it achieves state-of-the-art performance with highefficiency.

Wanning Sun,Xuhua Ma,Ruimin Peng,Yifan Xu,Dongrui Wu

DOI: https://doi.org/10.1109/BigData59044.2023.10386246

2023-01-01

Abstract:The modern cloud computing system has evolved into a highly dynamic and complex ecosystem with thousands of modules. Modifications and updates to these modules occur every day to accommodate customer needs. Unfortunately, these frequent changes may introduce anomalies to the system, whose diffusion can undermine the system performance and even cause system outage. Though very important, it is challenging to detect anomalies at the early stages and locate their root causes, due to the complexity of the cloud ecosystem and the huge number of attribute combinations. This paper proposes DARC for high-dimensional diffusing anomaly detection and root cause location in cloud computing systems. DARC uses first two-stage percentile analysis and Mann-Kendall score thresholding to detect rare anomalies, and then a bottom-up search strategy with three computational complexity reduction techniques to efficiently locate the root causes. Extensive experiments showed that DARC is able to accurately and efficiently locate root causes of diffusing anomalies. It has been successfully used in the daily practice of Alibaba Cloud, one of the world’s largest cloud computing service providers.

Mingwei Lin,Shuyu Chen

DOI: https://doi.org/10.17706/jcp.10.3.155-165

2015-01-01

Journal of Computers

Abstract:Infrastructure as a Service (IaaS) is an important service type provided by cloud computing. Infrastructure resources are encapsulated into services and they are provided to users over the Internet in the form of virtual machines. A malicious user can upload malicious software into the virtual machine allocated by a cloud computing service provider and launch the side channel attacks to other virtual machines located in the same physical node by operating his own virtual machine. In order to address the above problem, this paper proposes an efficient anomaly detection framework for cloud computing environment to detect the virtual machines that present abnormal behaviors. A new feature extraction algorithm is designed to reduce the dimensionality of the collected data and a new anomaly detection algorithm is also designed to detect the abnormal virtual machines. A series of experiments are conducted on a cloud computing environment that is deployed using the open source project OpenStack to evaluate the proposed framework. Experimental results show that the proposed framework is better than other anomaly detection methods designed for cloud computing environment in terms of precision, recall, false alarm rate, and runtime.

Junjie Cen,Yongbo Li

DOI: https://doi.org/10.1155/2022/6155925

2022-03-31

Wireless Communications and Mobile Computing

Abstract:To address the problem of poor detection performance of existing intrusion detection methods in the environment of high-dimensional massive data with uneven class distribution, a deep learning-based anomaly traffic detection method in cloud computing environment is proposed. First, the fuzzy C -means (FCM) algorithm is introduced and is combined with the general regression neural network (GRNN) to cluster the samples to be classified in the original space by FCM. Then, the GRNN model is trained and the center point is updated using the sample closest to the FCM clustering center until a stable cluster center is obtained. The parameters in FCM-GRNN are optimized using the global optimization feature of the modified fruit fly optimization algorithm (MFOA), and the optimal spread value is found using the three-dimensional search method through an iterative search. Finally, experiments are conducted based on the KDD CUP99 dataset, and the results demonstrate that the detection rate (DR) and false alarm rate (FAR) of the proposed FCM-MFOA-GRNN method are 91% and 1.176%, respectively, which are better than those of the comparison methods. Therefore, the proposed method has good anomaly traffic detection ability.

computer science, information systems,telecommunications,engineering, electrical & electronic

HU Liang,REN Wei-wu,REN Fei,LIU Xiao-bo,JIN Gang

DOI: https://doi.org/10.3321/j.issn:1671-5489.2009.05.021

2009-01-01

Abstract:This paper proposes an Anomaly Detection algorithm based on Improved Density Clustering(ADIDC).The improved algorithm adopts clustering features separately on individual characteristic arranges and weighting features by the correlativity between the features and the normal profile.It can solve the frequent problem of the high false positive rate on clustering in the application of anomaly detection.A series of experiments on well known KDD Cup 1999 dataset demonstrates that it has a lower false positive rate,especially ensuring high detection rate with respect to the traditional anomaly detection methods.The detection of the special attack which resembles the normal act is obviously improved.In addtion,the detection performace can be further optimized by feature selection via feature weights.It makes the proposed algorithm more suitable for the real-time detection.

LI Yang,FANG Bin-xing,GUO Li,TIAN Zhi-hong,ZHANG Yong-zheng,JIANG Wei

DOI: https://doi.org/10.1145/1229285.1229292

2007-01-01

Abstract:Intrusion detection is a critical component of secure information systems. Network anomaly detection has been an active and difficult research topic in the field of Intrusion Detection for many years. However, it still has some problems unresolved. They include high false alarm rate, difficulties in obtaining exactly clean data for the modeling of normal patterns and the deterioration of detection rate because of some "noisy" data in the training set. In this paper, we propose a novel network anomaly detection method based on improved TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) machine learning algorithm. A series of experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positive rate, low false positive rate and high confidence than the state-of-the-art anomaly detection methods. In addition, even interfered by "noisy" data (unclean data), the proposed method is robust and effective. Moreover, it still retains good detection performance after employing feature selection aiming at avoiding the "curse of dimensionality".

WANG Juan,ZHANG Ke,REN Da-sen,ZHOU Li-hua

DOI: https://doi.org/10.3969/j.issn.1000-2367.2010.05.016

2010-01-01

Abstract:Based on difference clustering analysis,this paper puts forward a new kind of anomaly intrusion detection algorithm DCAIDA.It introduces in detail user behavior model building algorithm and anomaly intrusion detection algorithm.Through making difference clustering analysis of original user behavior data,user behavior models can be built;According to clustering models to classify real-time user behavior,thereby whether it intrudes or not can be determined.The simulation experiment results based on KDD CUP 1999 show that: this algorithm has a high detection rate and a low false alarm rate,at the same time it has a certain capability to detect new types of attacks,so it can realize the desired results.

Chen Yang

DOI: https://doi.org/10.1007/s10586-018-1755-5

2018-01-16

Cluster Computing

Abstract:In recent years, there are more and more abnormal activities in the network, which greatly threaten network security. Hence, it is of great importance to collect the data which indicate the running statement of the network, and distinguish the anomaly phenomena of the network in time. In this paper, we propose a novel anomaly network traffic detection algorithm under the cloud computing environment. Firstly, the framework of the anomaly network traffic detection system is illustrated, and six type of network traffic features are consider in this work, that is, (1) number of source IP address, (2) number of source port number, (3) number of destination IP address, (4) number of destination port number, (5) Number of packet type, and (6) number of network packets. Secondly, we propose a novel hybrid information entropy and SVM model to tackle the proposed problem by normalizing values of network features and exploiting SVM detect anomaly network behaviors. Finally, experimental results demonstrate that the proposed algorithm can detect anomaly network traffic with high accuracy and it can also be used in the large scale dataset.

Jin Gao,Jiaquan Liu,Sihua Guo,Qi Zhang,Xinyang Wang

DOI: https://doi.org/10.1155/2020/6343705

IF: 1.43

2020-11-19

Mathematical Problems in Engineering

Abstract:Aiming at problems such as slow training speed, poor prediction effect, and unstable detection results of traditional anomaly detection algorithms, a data mining method for anomaly detection based on the deep variational dimensionality reduction model and MapReduce (DMAD-DVDMR) in cloud computing environment is proposed. First of all, the data are preprocessed by a dimensionality reduction model based on deep variational learning and based on ensuring complete data information as much as possible, the dimensionality of the data is reduced, and the computational pressure is reduced. Secondly, the data set stored on the Hadoop Distributed File System (HDFS) is logically divided into several data blocks, and the data blocks are processed in parallel through the principle of MapReduce, so the k-distance and LOF value of each data point can only be calculated in each block. Thirdly, based on stochastic gradient descent, the concept of k-neighboring distance is redefined, thus avoiding the situation where there are greater than or equal to k-repeated points and infinite local density in the data set. Finally, compared with CNN, DeepAnt, and SVM-IDS algorithms, the accuracy of the scheme is increased by 10.3%, 18.0%, and 17.2%, respectively. The experimental data set verifies the effectiveness and scalability of the proposed DMAD-DVDMR algorithm.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Jian Liu,Jie Li,Chentao Wu

DOI: https://doi.org/10.1109/globecom38437.2019.9013839

2019-01-01

Abstract:Log anomaly detection is a critical step towards building a secure and trustworthy cloud system. As more corporations turn to cloud system to store and process their most valuable data, the risk of a potential breach of those systems increases exponentially. However, conventional top-n log candidates anomaly detection methods, such as Deeplog and N-gram, often suffer from the limited scope of the top-n list, which rules out many potentially suitable candidates. In this paper, we propose Discounted Cumulative Gain (DCG) discriminative algorithm that ranks all the log candidates and calculates the dcg score to determine the number of log candidates. To demonstrate the effectiveness of our algorithm, we conduct comprehensive experiments under different log workloads. Experimental evaluations show that DCG has outperformed Deeplog and N-gram methods in cloud systems, and improved the F-score of Deeplog and N-gram by up to 3.8% and 11.6% respectively.

Tao Qin,Ruoya Chen,Lei Wang,Chao He

DOI: https://doi.org/10.1109/cns.2018.8433208

2018-01-01

Abstract:With ever-growing complexity and dynamically of cloud computing systems, security monitoring has become more and more important. In this paper, we propose a lightweight framework for host based real-time anomaly detection in cloud computing. Firstly, unlike the traditional host based anomaly detection methods in which data collection agents usually occupy too many host resources, we employ the intelligent mobile agent which can automatically transfer to other hosts to collect data according to the monitoring task requirements, in turn reduce the number of data collection agents running in the platform. Secondly, we employ Principal Component Analysis (PCA) to extract the main features from the collected data and further reduce the data dimension. Thirdly, to mine the abnormal behavior point candidates, DBSCAN clustering is applied to labeling and gathers the entire data into corresponding cluster sets based on the data characteristics. The clusters containing a very small number of instances and the isolated instance are regarded as anomaly candidates since normal instances usually present as highly coherent clusters. Finally, to better improve the accuracy of anomaly detection, we propose an analysis method based on continuous sliding time window to eliminate the influence of the noise caused by normal operations, the anomaly candidates are further analyzed to finally determine whether the host is in abnormal status or not. The experimental results based on the anomaly detection platform we constructed show that the proposed method has lower computational complexity and higher detection accuracy, which can reduce the time complexity by 50% with detection accuracy is above 95%.

Ping Lou,Yun Yang,Junwei Yan

DOI: https://doi.org/10.1145/3340997.3341005

2019-01-01

Abstract:The cloud service platform is an open platform designed to provide various users with application services. The reliability of the platform is threatened by anomalous access behaviors such as resource abuse, DDoS attacks etc. Detecting anomalous behaviors to access the cloud service platform is an essential task. In this paper, an anomaly detection method based on Max-min distance and Support vector data description (MMD-SVDD) is proposed. The method identifies anomalous user access behaviors using CPU/memory/disk/network related system resource metrics. It firstly uses MMD to divide servers in the cloud service platform into multi-clusters. The servers in each of the clusters have similar running environment and can share an anomaly detection model. This process can effectively reduce the detection scale and system resource consumption. Then, aiming at the problem of incomplete abnormal data samples, the anomaly detection models are built based on SVDD algorithm, which utilizes normal data samples to construct a hypersphere for each cluster. Finally, the anomalous behavior is identified via judging whether the target data falls outside the hypersphere. The method is applied in cloud service platform and the result shows that it can accurately identity anomalies with lower system resource consumption.

Jing Zhang

DOI: https://doi.org/10.48550/arXiv.1901.09294

2019-01-27

Abstract:Anomaly detecting as an important technical in cloud computing is applied to support smooth running of the cloud platform. Traditional detecting methods based on statistic, analysis, etc. lead to the high false-alarm rate due to non-adaptive and sensitive parameters setting. We presented an online model for anomaly detecting using machine learning theory. However, most existing methods based on machine learning linked all features from difference sub-systems into a long feature vector directly, which is difficult to both exploit the complement information between sub-systems and ignore multi-view features enhancing the classification performance. Aiming to this problem, the proposed method automatic fuses multi-view features and optimize the discriminative model to enhance the accuracy. This model takes advantage of extreme learning machine (ELM) to improve detection efficiency. ELM is the single hidden layer neural network, which is transforming iterative solution the output weights to solution of linear equations and avoiding the local optimal solution. Moreover, we rank anomies according to the relationship between samples and the classification boundary, and then assigning weights for ranked anomalies, retraining the classification model finally. Our method exploits the complement information between sub-systems sufficiently, and avoids the influence from imbalance dataset, therefore, deal with various challenges from the cloud computing platform. We deploy the privately cloud platform by Openstack, verifying the proposed model and comparing results to the state-of-the-art methods with better efficiency and simplicity.

Machine Learning

Hu Liang,Ren Wei-wu,Ren Fei

DOI: https://doi.org/10.1109/AICI.2009.239

2009-01-01

Abstract:Most anomaly detection methods can not be fit for the changing and complex network. High noise and updating normality profiles not in time will lead to high false alarm rate. In this paper, a new anomaly detection algorithm using improved hierarchy clustering, called ADIHC, is proposed in this paper. It applies an improved hierarchy clustering tree to organize clusters which are obtained by density-based partitioning method. We extend the clustering algorithm and apply branch and bound method for filtering noise. With the help of two advantages: filtering noise and updating normality profiles at any time, our algorithm is suitable for the changing and complex network. A series of experimental results on well known KDD Cup 1999 dataset indicate that ADIHC has superior performance of detection and meets more real-time requirements of intrusion detection system.

Deyuan Qin,Shuyu Chen,Hancui Zhang,Tianshu Wu

DOI: https://doi.org/10.1109/icsess.2016.7883102

2016-01-01

Abstract:Virtual machine is an important part of cloud platform. Ensuring virtual machine running correctly is of great significance to ensure the availability of cloud service. Due to cloud platform has characteristics of the large number of virtual machines and dynamic change of running environment, it's hard to accept the cost of collecting training data for anomaly detector and training the anomaly detector. This paper focuses on insufficient training data set for anomaly detector training of virtual machine of cloud platform and high cost of detector training, and does research on how to improve anomaly detection accuracy and efficiency under the condition that there is not enough training data for anomaly detector. Concretely speaking, main research contents and highlights of this paper are described as follows: It puts forward a virtual machine detection domain partitioning strategy based on K-medoids according to the virtual machine running environment, thereby, improving the accuracy and efficiency of anomaly detection. Meanwhile, this paper optimizes the steps of clustering iteration updating, to enhance the speed of detecting area partitioning. The experiment result shows that, the improved clustering algorithm has lower time complexity, and the virtual machine anomaly detection strategy based on detection domain partitioning possesses higher accuracy and efficiency.