Yunlong Niu,Yunfeia Luo,Feiyun Cong,Huidi Zheng,Xinggao Liu

DOI: https://doi.org/10.2298/ntrp2401047y

2024-01-01

Abstract:The state-controlled radiation environment automatic monitoring stations are important facilities for monitoring the quality and trends of the radiation environment. However, the anal ysis and utilization of monitoring data from these stations have limitations. To address this is sue, this pa per pro poses an ap proach that uti lizes the high-di men sional data vi su al iza tion method based on t-SNE and PCA-BIRCH algorithm's spectrum clustering model to classify historical spectrum data. Subsequently, a local outlier factor-based environmental spectrum abnormal fluctuation detection model is established to enhance discrimination of non-environmental factors causing spectrum anomalies. Results indicate significant differences in spectrum aggregation under different meteorological conditions. The clustering algo rithm ef fec tively sep a rates clear and rainy weather spec tra based on spec tral fea tures, with min i mal time con sump tion and re duced in ter fer ence from mixed spec trum data. By uti liz ing local density features, we establish an anomaly detection model, assigning an abnormal score to each spectrum. Comparative analysis demonstrates improved discriminability of the anomaly detection model for unclassified datasets. Our algorithm accurately identifies spectrum fluctuations caused by non-environmental factors amidst complex backgrounds, offering valuable technical support for environmental quality assurance and nuclear emergency decision-making.

Cuixia Gao,Zhitang Li,Haigang Song

DOI: https://doi.org/10.1109/mue.2009.88

2009-01-01

Abstract:After analyzing malicious attacks against host that affect the host resource usage a method is presented to evaluate the security situation of host system based on host resource availability. A group of factors that can reflect the host resource availability features in a fixed time window are selected as the evaluation metrics. Based on the large samples, the information entropy gain method is applied to determine the importance of evaluation results for different metrics. Then by using analytic hierarchy process (AHP) method, the evaluation results are regarded as the normalized abnormality value to evaluate the host risk status. If the value of host risk status is larger than the threshold then an alert is triggered. Experiments show that this method can reasonably evaluate the host risk status caused by most of attacks.

Cuixia Gao,Zhitang Li

DOI: https://doi.org/10.1109/MINES.2009.150

2009-01-01

Abstract:Anomaly detection means developing a reference profile of normal activity and comparing the ongoing activity against it. Anomaly detection is very promising because of its potential to detect unseen types of attacks. In this paper we present our preliminary research on host anomaly detection by fusing multi-source security information. We selected five types of information which may be good indicators of host anomalies. They are RAM usage, host network connections, usage of bandwidth, the alert of antivirus and the alert of our own project SATA. In the information fusion framework, the D-S evidence theory was used to fuse the dynamic host-related information. Some improvements are also discussed. We also use real-world environment to demonstrate the method's capability for detecting host anomaly. We show that our prototype can successfully detect most of anomalies caused by DOS, scanning and other attacks.

Jian ZHANG,Yan TONG,Mingdi XU,Tao QIN

DOI: https://doi.org/10.7652/xjtuxb201704015

2017-01-01

Abstract:A new method for data collection and anomaly detection of hosts is proposed to focus on the problems that the methods based on signature matching cannot detect unknown anomaly and data collection agents occupy too many host resources.Intelligent mobile agents are employed to perform data collection so that the number of collection agents is greatly reduced.In order to achieve the goal of online anomaly detection,the principal component analysis method is employed to reduce the dimension of the data,and the clustering method is used to mine the abnormal events.The host anomaly detection method based on continuous time windows is adopted to eliminate the influence of random outliers.Experimental results show that the proposed method has lower computational complexity and higher detection accuracy,and for same number of records the time complexity is reduced by more than 50％ and the detection accuracy is above 95％,compared with conventional method.It is concluded that the method is suitable for real-time detection of host anomaly.

Tao Qin,Ruoya Chen,Lei Wang,Chao He

DOI: https://doi.org/10.1109/cns.2018.8433208

2018-01-01

Abstract:With ever-growing complexity and dynamically of cloud computing systems, security monitoring has become more and more important. In this paper, we propose a lightweight framework for host based real-time anomaly detection in cloud computing. Firstly, unlike the traditional host based anomaly detection methods in which data collection agents usually occupy too many host resources, we employ the intelligent mobile agent which can automatically transfer to other hosts to collect data according to the monitoring task requirements, in turn reduce the number of data collection agents running in the platform. Secondly, we employ Principal Component Analysis (PCA) to extract the main features from the collected data and further reduce the data dimension. Thirdly, to mine the abnormal behavior point candidates, DBSCAN clustering is applied to labeling and gathers the entire data into corresponding cluster sets based on the data characteristics. The clusters containing a very small number of instances and the isolated instance are regarded as anomaly candidates since normal instances usually present as highly coherent clusters. Finally, to better improve the accuracy of anomaly detection, we propose an analysis method based on continuous sliding time window to eliminate the influence of the noise caused by normal operations, the anomaly candidates are further analyzed to finally determine whether the host is in abnormal status or not. The experimental results based on the anomaly detection platform we constructed show that the proposed method has lower computational complexity and higher detection accuracy, which can reduce the time complexity by 50% with detection accuracy is above 95%.

GUO Zhen-he,TAN Ying,LIU Zheng-kai

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.11.012

2005-01-01

Abstract:Based on the principle of non-self detection and diversity of Ab,this paper studies anomaly detection algorithm of computer static resource.First of all,the relationship between the diversity of detector with detection holes is analyzed.Then,this paper proposes Computer Static System Resource Anomaly Detection Algorithms(SRAnDA).Finally,The proposed algorithm is verified by different datasets,and compared to MD5.It is turned out that its computational complexity and space complexity is superior to MD5,which indicates that the algorithm will has great prospect onto anomaly detection of Computer Immune System.

Feiyi Chen,Yingying zhang,Zhen Qin,Lunting Fan,Renhe Jiang,Yuxuan Liang,Qingsong Wen,Shuiguang Deng

DOI: https://doi.org/10.1109/icde60146.2024.00047

2024-01-01

Abstract:Anomaly detection significantly enhances the robustness of cloud systems.While neural network-based methods have recently demonstrated strongadvantages, they encounter practical challenges in cloud environments: thecontradiction between the impracticality of maintaining a unique model for eachservice and the limited ability to deal with diverse normal patterns by aunified model, as well as issues with handling heavy traffic in real time andshort-term anomaly detection sensitivity. Thus, we propose MACE, a multi-normal-pattern accommodated and efficientanomaly detection method in the frequency domain for time series anomalydetection. There are three novel characteristics of it: (i) a patternextraction mechanism excelling at handling diverse normal patterns with aunified model, which enables the model to identify anomalies by examining thecorrelation between the data sample and its service normal pattern, instead ofsolely focusing on the data sample itself; (ii) a dualistic convolutionmechanism that amplifies short-term anomalies in the time domain and hindersthe reconstruction of anomalies in the frequency domain, which enlarges thereconstruction error disparity between anomaly and normality and facilitatesanomaly detection; (iii) leveraging the sparsity and parallelism of frequencydomain to enhance model efficiency. We theoretically and experimentally provethat using a strategically selected subset of Fourier bases can not only reducecomputational overhead but is also profitable to distinguish anomalies,compared to using the complete spectrum. Moreover, extensive experimentsdemonstrate MACE's effectiveness in handling diverse normal patterns with aunified model and it achieves state-of-the-art performance with highefficiency.

Jing Tao,Ning Zheng,Waner Wang,Ting Han,Xuna Zhan,Qingxin Luan

DOI: https://doi.org/10.1109/icbk.2019.00039

2019-01-01

Abstract:Abnormal host detection is a critical issue in an enterprise intranet data center. The traditional anomaly host detection method mainly focuses on detecting anomaly behavior, and the abnormality determination for a single behavior point often has certain limitations. For example, the entire attack process cannot be completely restored. And it will cause a lot of underreporting. Therefore, in this paper, we propose A Behavior Sequence Clustering-based Enterprise Network Anomaly Host Detection Method to solve the problem of anomaly host detection of an enterprise network We use the Toeplitz Inverse Covariance-Based Clustering (TICC) algorithm [1] to segment and cluster time series data and mining anomaly host behavior sequences, identify the anomaly host of the enterprise network The experimental results show that the Behavior Sequence Clustering-based Enterprise Network Anomaly Host Recognition Method can quickly identify the anomaly host and accurately restore the complete attack process.

Qinglin Xie,Z. Wen,Chenxi Xie,G. Tao

DOI: https://doi.org/10.1109/TIE.2022.3231279

Abstract:Identifying abnormal data to improve data quality is of great importance for machinery health monitoring (MHM). Existing abnormal data detection methods generally depend on appropriate parameter settings and prior knowledge of data distribution, which result in relatively low adaptability to MHM data. To obtain more reliable MHM results, this article proposed a novel method to detect abnormal data. First, the concept of adaptive sliding window (ASW) is defined and the advantages of ASW in avoiding data leakage and data redundancy are derived. The ASW can optimally divide the overall data into several segments. Next, statistical factors in time- and frequency-domain are extracted from these segments to generate corresponding research objects. Then, an improved weighted multiscale local outlier factor (WMLOF) algorithm is proposed herein to evaluate the data anomaly degree of each object. The WMLOF has the ability to assess and fuse the local outlier factor characteristics at multiple scales, and eventually yields a more comprehensive WMLOF value to evaluate the anomaly degree of the MHM data. Finally, the effectiveness and superiority of the ASW and WMLOF are validated by a synthetic simulation of a faulty rolling bearing and two engineering projects pertaining to a railway vehicle gearbox, and bench test data. Comparative analysis shows that the proposed abnormal data detection method based on the ASW and WMLOF strategies outperforms five reported algorithms in outlier detection.

Engineering,Computer Science

Xiaoming Ye,Shaojie Qiao,Nan Han,Kun Yue,Tao Wu,Li Yang,Faliang Huang,Chang-an Yuan

DOI: https://doi.org/10.1016/j.knosys.2020.106734

2021-02-01

Abstract:<p>Network behavior analysis is an active and challenging research direction in anomalous network traffic detection. With rapidly-increasing popularity of online applications, network traffic volume has grown exponentially. In the meantime, network communication is becoming more complex. Consequently, new interaction patterns of network behaviors, named group activity, need to be investigated. Group activities can be generated by various hosts over the network and changes in group activities usually cannot be captured by traditional anomaly detection methods. Currently, the primary limitation of traditional flow-based methods for network traffic analysis is the lack of a mechanism that studies the social relationship in the interaction patterns between hosts. Besides, existing approaches fail to detect group activities. To overcome these limitations, the paper aims to detect anomalous hosts based on the profile of group activity evolution. We propose a mathematical method to quantify and detect anomalous group activities based on the stability of group activity evolution, which fully captures both the temporal and structural characteristics of network evolution. This anomaly detection algorithm is called GAP (Group Activity Profile), which is a powerful supplement and extension of the traditional method of network behavior analysis. The main contributions of this paper are: (1) the paper introduces a new perspective of the group activity based on network evolution and network behavior anomaly detection; (2) the algorithm is suitable for measuring the changes in group activity evolution and determining whether the current evolution relatively conforms to or deviates from the normal evolution; and (3) this work defines the baseline of the group activity evolution by applying historical characteristics that can significantly reduce the false positive rate, and detect anomalous hosts accurately. The results of experiments conducted on real datasets demonstrate that GAP is capable of detecting anomalous host more effectively than traditional methods. GAP is free of parameters and achieves high scalability, which can effectively identify group activities as well as accurately detect anomalous hosts over time.</p>

computer science, artificial intelligence

Tao Qin,Zhaoli Liu,Pinghui Wang,Shancang Li,Xiaohong Guan,Lixin Gao

DOI: https://doi.org/10.1109/tifs.2019.2933731

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Anomaly detection is an important technique used to identify patterns of unusual network behavior and keep the network under control. Today, network attacks are increasing in terms of both their number and sophistication. To avoid causing significant traffic patterns and being detected by existing techniques, many new attacks tend to involve gradual adjustment of behaviors, which always generate incomplete sessions due to their running mechanisms. Accordingly, in this work, we employ the behavior symmetry degree to profile the anomalies and further identify unusual behaviors. We first proposed a symmetry degree to identify the incomplete sessions generated by unusual behaviors; we then employ a sketch to calculate the symmetry degree of internal hosts to improve the identification efficiency for online applications. To reduce the memory cost and probability of collision, we divide the IP addresses into four segments that can be used as keys of the hash functions in the sketch. Moreover, to further improve detection accuracy, a threshold selection method is proposed for dynamic traffic pattern analysis. The hash functions in the sketch are then designed using Chinese remainder theory, which can analytically trace the IP addresses associated with the anomalies. We tested the proposed techniques based on traffic data collected from the northwest center of CERNET (China Education and Research Network); the results show that the proposed methods can effectively detect anomalies in large-scale networks.

王伟,张文博,魏峻,钟华,黄涛

DOI: https://doi.org/10.3724/sp.j.1001.2010.03781

2010-01-01

Journal of Software

Abstract:This paper proposes a resource-aware performance diagnostic method.For transactions in Web applications,the proposed method constructs performance profile chains based on the resource service time,which is stable for different workload characteristics.According to the anomaly of resource service time at application runtime,the proposed method provides an efficient solution to performance anomaly detection,location and diagnosis.Experimental results show that this method can effectively detect performance anomalies caused by different resource bottlenecks with changing workload characteristics.

Bo Xin,Quan Zheng,Zhengjiu Gao,Song Wang

DOI: https://doi.org/10.3969/j.issn.1000-0755.2014.06.009

2014-01-01

Abstract:With the emergence and vigorous development of“cloud computing”, the “cloud” is being used as a new resource by more and more users. The resource allocation problem in cloud environment has become a negligible problem. In the resource management platform in the cloud, the question how to not only meet the needs of the user's task, but also save the cost of cloud resources, is one of the issues for cloud operators to solve as soon as possible. In fact, the tasks submitted to the cloud platform by cloud users have difference, and the completion of the tasks is usually realized with multiple heterogeneous cloud resources. In this paper the authors take the difference among heterogeneous resources into account, and propose the RA-HR algorithm. The algorithm divides cloud tasks submitted by users into different combinations considering from the global view of the tasks, and then according to the difference among the cloud resources, allocates appropriate resources to the appropriate combinations. The simulation results show that the algorithm can offer better performance in saving cloud resource under the premise of meeting user's needs in heterogeneous cloud environment.

Xiao Han,Lu Zhang,Yongkai Wu,Shuhan Yuan

DOI: https://doi.org/10.48550/arXiv.2309.16896

2023-09-29

Abstract:Anomaly detection in multivariate time series has received extensive study due to the wide spectrum of applications. An anomaly in multivariate time series usually indicates a critical event, such as a system fault or an external attack. Therefore, besides being effective in anomaly detection, recommending anomaly mitigation actions is also important in practice yet under-investigated. In this work, we focus on algorithmic recourse in time series anomaly detection, which is to recommend fixing actions on abnormal time series with a minimum cost so that domain experts can understand how to fix the abnormal behavior. To this end, we propose an algorithmic recourse framework, called RecAD, which can recommend recourse actions to flip the abnormal time steps. Experiments on two synthetic and one real-world datasets show the effectiveness of our framework.

Machine Learning

Min Hu,Yi Wang,Xiaowei Feng,Shengchen Zhou,Zhaoyu Wu,Yuan Qin

DOI: https://doi.org/10.48550/arXiv.2202.02721

2022-02-06

Abstract:Time-series anomaly detection plays a vital role in monitoring complex operation conditions. However, the detection accuracy of existing approaches is heavily influenced by pattern distribution, existence of multiple normal patterns, dynamical features representation, and parameter settings. For the purpose of improving the robustness and guaranteeing the accuracy, this research combined the strengths of negative selection, unthresholded recurrence plots, and an extreme learning machine autoencoder and then proposed robust anomaly detection for time-series data (RADTD), which can automatically learn dynamical features in time series and recognize anomalies with low label dependency and high robustness. Yahoo benchmark datasets and three tunneling engineering simulation experiments were used to evaluate the performance of RADTD. The experiments showed that in benchmark datasets RADTD possessed higher accuracy and robustness than recurrence qualification analysis and extreme learning machine autoencoder, respectively, and that RADTD accurately detected the occurrence of tunneling settlement accidents, indicating its remarkable performance in accuracy and robustness.

Machine Learning

ZHAO Dong-ping,ZHENG Wei-bin,ZHANG De-yun

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.035

2005-01-01

Abstract:To address the problem of application-level web security,an adaptive intrusion detection system is proposed,which is embedded directly in the Web server.In order to define all the valid requests for anomaly detection and misuse detection,the techniques which observe the clients' access behavior relevancy and adjust their personal policies dynamically are employed.The experiments indicate that the proposed system can not only confirm the valid request but also defend the new attack behavior and detect the old attack event.Based on the proposed method,the detecting rate is over 95.8% under common attack scanning.

Rui Yu,Fei Xiao,Zhiliang Wang,Jiahai Yang,Dongqi Han,Zhihua Wang,Minghui Jin,Chenglong Li,Enhuan Dong,Shutao Xia

DOI: https://doi.org/10.1109/iscc58397.2023.10218155

2023-01-01

Abstract:When conducting anomaly detection on server monitoring data, it is important to consider the heterogeneity of the data, which is characterized by the diverse and irregular nature of events. The event values can vary widely, encompassing both continuous and discrete values, and there may be a multitude of randomly occurring events. However, many commonly used anomaly detection methods tend to overlook or discard this heterogeneous data, resulting in a significant loss of valuable information. As such, we propose a novel method, called Heterogeneous Time Series Anomaly Detection (HTSAD), to overcome this difficulty. The approach introduces event gates in the Long Short-Term Memory (LSTM) model while using unsupervised learning to overcome the challenges mentioned above. The results of our experiments on real-world datasets show that HTSAD could achieve an f-score of 0.958, which demonstrates the effectiveness of our approach in detecting anomalies in heterogeneous time series data.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Zheng Ruijuan,Chen Jing,Zhang Mingchuan,Zhu Junlong,Wu Qingtao

DOI: https://doi.org/10.1016/s1005-8885(16)60029-8

2016-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:It is the premise of accessing and controlling cloud environment to establish the mutual trust relationship between users and clouds. How to identify the credible degree of the user identity and behavior becomes the core problem? This paper proposes a user abnormal behavior analysis method based on neural network clustering to resolve the problems of over-fitting and flooding the feature information, which exists in the process of traditional clustering analysis and calculating similarity. Firstly, singular value decomposition (SVD) is applied to reduce dimension and de-noise for massive data, where map-reduce parallel processing is used to accelerate the computation speed, and neural network model is used for softening points. Secondly, information entropy is added to hidden layer of neural network model to calculate the weight of each attribute. Finally, weight factor is used to calculate the similarity to make the cluster more accuracy. For the problem of analyzing the mobile cloud user behaviors, the experimental results show that the scheme has higher detection speed (DS) and clustering accuracy than traditional schemes. The proposed method is more suitable for the mobile cloud environment.