Xi XIAO,Shu-tao XIA,Xin-guang TIAN,Qi-bin ZHAI

DOI: https://doi.org/10.1016/s1005-8885(10)60128-8

2011-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:In anomaly detection, a challenge is how to model a user's dynamic behavior. Many previous works represent the user behavior based on fixed-length models. To overcome their shortcoming, we propose a novel method based on discrete-time Markov chains (DTMC) with states of variable-length sequences. The method firstly generates multiple shell command streams of different lengths and combines them into the library of general sequences. Then the states are defined according to variable-length behavioral patterns of a valid user, which improves the precision and adaptability of user profiling. Subsequently the transition probability matrix is created. In order to reduce computational complexity, the classification values are determined only by the transition probabilities, then smoothed with sliding windows, and finally used to discriminate between normal and abnormal behavior. Two empirical evaluations on datasets from Purdue University and AT&T Shannon Lab show that the proposed method can achieve higher detection accuracy and require less memory than the other traditional methods.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan,YE Run-guo

2011-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges,while pretending to be legitimate users.This paper proposes a novel method to distinguish legitimate users from masqueraders.The uncertainty of the user′s behavior and the relevance of the operation of shell commands are thoroughly considered.The method constructs specific highorder homogeneous Markov chain models to represent the normal behavior profiles of valid users.It defines the states by twofold hierarchical merging shell commands.Therefore this method increases the accuracy of describing the normal behavior profiles,improves the generalization of the detection system and sharply reduces the storage space.In the detection period,taking the real-time performance into account,it computes the categorical boolean variables only using the transition probabilities,which has little computation workload,and then smoothes them to get the decision values used to determine whether the monitored user′s behavior is normal or anomalous.Its performance is tested in computer simulation,showing higher detection accuracy and fewer computation costs than related methods′.The proposed method is especially suitable for on-line detection.

Zhining Lv,Ziheng Hu,Baifeng Ning,Yu Sun,Gangfeng Yan,Xiasheng Shi

DOI: https://doi.org/10.1109/CAC48633.2019.8996440

2019-01-01

Abstract:Power industrial terminal is a complex system with high reliability and security. Traditional methods for detecting data anomalies of power industrial terminal fail to fully mine the data characteristics. And it has shortcomings such as complex calculation, poor flexibility and low accuracy. In order to solve the problem that it is difficult to predict the operational status of power industrial terminal accurately, a prediction method based on long-term memory (LSTM) neural network is proposed. Considering the variety of data reflecting the operating status of power industrial terminal, choose the ambient temperature system related to the operating status of power industrial terminal as a experiment object. Through experiments, the algorithm has higher prediction effect for the operating status of power industrial terminal.

Ye Du,Tong Wang

DOI: https://doi.org/10.1109/kamw.2008.4810611

2008-01-01

Abstract:Intrusion detection has emerged as an important approach to security problems. This paper proposes an effective anomaly detection method based on Unix shell commands to learn patterns. By looking upon each short shell commands sequence as an instance and each observable symbol as a bag that contains some instances, the task of detecting abnormal behaviors can be mapped as multiple-instance learning. KNN algorithm and Euclidean distances are selected as learning approach and a new kernel method is proposed to calculate the deviation between normal and intrusive bags. The algorithm is simple and can be directly applied. Experiments demonstrate that the method can construct accurate and concise discriminator to detect intrusive actions.

DY Yeung,YX Ding

DOI: https://doi.org/10.1016/s0031-3203(02)00026-2

IF: 8

2003-01-01

Pattern Recognition

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on program or user profiles built from normal usage data. In particular, program profiles based on Unix system calls and user profiles based on Unix shell commands are modeled using two different types of behavioral models for data mining. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only, as opposed to the classification approach which has to use both normal and intrusion data for training. To determine whether or not a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that the dynamic modeling approach is better than the static modeling approach for the system call datasets, while the dynamic modeling approach is worse for the shell command datasets. Moreover, the static modeling approach is similar in performance to instance-based learning reported previously by others for the same shell command database but with much higher computational and storage requirements than our method.

Dit-Yan Yeung,Yuxin Ding

DOI: https://doi.org/10.1007/3-540-47887-6_49

2002-01-01

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on user profiles built from normal usage data. In particular, user profiles based on Unix shell commands are modeled using two different types of behavioral models. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only. To determine whether a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that static modeling outperforms dynamic modeling for this application. Moreover, the static modeling approach based on cross entropy is similar in performance to instance-based learning reported previously by others for the same dataset but with much higher computational and storage requirements than our method.

Wenyao Sha,Yongxin Zhu,Min Chen,Tian Huang

DOI: https://doi.org/10.1109/tcc.2015.2415813

IF: 5.697

2015-01-01

IEEE Transactions on Cloud Computing

Abstract:As a major strategy to ensure the safety of IT infrastructure, anomaly detection plays a more important role in cloud computing platform which hosts the entire applications and data. On top of the classic Markov chain model, we proposed in this paper a feasible multi-order Markov chain based framework for anomaly detection. In this approach, both the high-order Markov chain and multivariate time series are adopted to compose a scheme described in algorithms along with the training procedure in the form of statistical learning framework. To curb time and space complexity, the algorithms are designed and implemented with non-zero value table and logarithm values in initial and transition matrices. For validation, the series of system calls and the corresponding return values are extracted from classic Defense Advanced Research Projects Agency (DARPA) intrusion detection evaluation data set to form a two-dimensional test input set. The testing results show that the multi-order approach is able to produce more effective indicators: in addition to the absolute values given by an individual single-order model, the changes in ranking positions of outputs from different-order ones also correlate closely with abnormal behaviours.

XU Ming,DING Hong,CHEN Chun

DOI: https://doi.org/10.3785/j.issn.1008-973x.2005.02.008

2005-01-01

Abstract:In order to exactly and rapidly detect anomaly, a detection model that can exactly depict the profiles of normal process actions was proposed. The consistently repeated system call sequences in normal process traces were regarded as macros, then a Markov chains anomaly detection model based on system call macros was constructed. Conclusions were drawn by comparing the performance metrics of Macro MCM (Markov chains model) with the first-order MCM and second-order MCM based on system call. The comparison shows that in detection performance (hit rates and false alarm rates), Macro MCM is better than the other two models; in needed memory capability, Macro MCM is more than the first-order MCM, but less than the second-order MCM; in computing speed, the training speed of Macro MCM is the slowest among three models, but its detection speed is the highest.

W Wang,XH Guan,XL Zhang

DOI: https://doi.org/10.1109/cdc.2004.1428613

2004-01-01

Abstract:Profiling program and user behaviors is an effective approach for detecting hostile attacks to a computer system. A new model based method by non-negative matrix factorization (NMF) is presented in this paper to profile program and user behaviors for anomaly intrusion detection. In this new method, the audit data streams obtained from sequences of system calls and UNIX commands are used as the information source. The audit data is partitioned into segments with a fixed length. Program and user behaviors are, in turn, measured by the frequencies of individual system calls or commands embedded in each segment of the data, and NMF is applied to extract the features from the blocks of audit data associated with the normal behaviors. The model describing the normal program and user behaviors are built based on these features and deviation from the normal program and user behaviors above a predetermined threshold is considered as anomalous. The method is implemented and tested with the system call data from the University of New Mexico and the Unix command data from AT&T Research lab. Experiment results show that the proposed method is promising in terms of detection accuracy, computational expense and implementation for real-time intrusion detection.

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

Xiao X,Tian X,Zhai Q,Xia S.

DOI: https://doi.org/10.1016/j.jss.2012.05.049

IF: 3.5

2012-01-01

Journal of Systems and Software

Abstract:Masquerade detection is now one of the major concerns of system security research and its difficulty is to model user behavior on the nonstationary audit data. Many previous works represent the user behavior based on fixed-length models. In this paper, we propose a variable-length model to overcome their weakness in the precision and adaptability of user profiling. In the model, the user's normal behavior is profiled by Markov chain with states of variable-length sequences. At first multiple shell command streams of different lengths are generated and different shell command sequences are hierarchically merged into several sets to form the library of general sequences. Then the variable-length behavioral patterns of a valid user are mined and the Markov chain is constructed. While performing detection, the probabilities of short state sequences are calculated, smoothed with sliding windows, and finally used to classify the monitored user's activity as normal or abnormal. Our experiments with standard datasets such as Purdue data and SEA data reveal that the proposed model can achieve higher detection accuracy, require less memory and take shorter time than the other traditional methods and is amenable for real-time intrusion detection.

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.

Xi Xiangyu,Zhang Tong,Ye Wei,Wen Zhao,Zhang Shikun,Du Dongdong,Gao Qing

DOI: https://doi.org/10.1142/s0218194018400211

2018-01-01

Abstract:An intruder of a company’s network may use stolen login credentials to silently collect sensitive data. Such malicious user behavior is difficult to detect as long as it does not trigger access violation or data leak alert. In this paper, we propose to use an ensemble of three unsupervised anomaly detection algorithms, namely OCSVM, RNN and Isolation Forest, to detect abnormal user behavior patterns. Besides, an User Behavior Analytics (UBA) Platform is proposed to collect logs, extract features and conduct experiments. The experiment results indicate that our algorithm outperforms each individual algorithm with recall of 96.55% and precision of 91.24% on average, while both OCSVM and RNN suffer from anomalies in the training set, and [Formula: see text] produces more false positives and false negatives in prediction.

Feiyi Chen,Yingying zhang,Zhen Qin,Lunting Fan,Renhe Jiang,Yuxuan Liang,Qingsong Wen,Shuiguang Deng

DOI: https://doi.org/10.1109/icde60146.2024.00047

2024-01-01

Abstract:Anomaly detection significantly enhances the robustness of cloud systems.While neural network-based methods have recently demonstrated strongadvantages, they encounter practical challenges in cloud environments: thecontradiction between the impracticality of maintaining a unique model for eachservice and the limited ability to deal with diverse normal patterns by aunified model, as well as issues with handling heavy traffic in real time andshort-term anomaly detection sensitivity. Thus, we propose MACE, a multi-normal-pattern accommodated and efficientanomaly detection method in the frequency domain for time series anomalydetection. There are three novel characteristics of it: (i) a patternextraction mechanism excelling at handling diverse normal patterns with aunified model, which enables the model to identify anomalies by examining thecorrelation between the data sample and its service normal pattern, instead ofsolely focusing on the data sample itself; (ii) a dualistic convolutionmechanism that amplifies short-term anomalies in the time domain and hindersthe reconstruction of anomalies in the frequency domain, which enlarges thereconstruction error disparity between anomaly and normality and facilitatesanomaly detection; (iii) leveraging the sparsity and parallelism of frequencydomain to enhance model efficiency. We theoretically and experimentally provethat using a strategically selected subset of Fourier bases can not only reducecomputational overhead but is also profitable to distinguish anomalies,compared to using the complete spectrum. Moreover, extensive experimentsdemonstrate MACE's effectiveness in handling diverse normal patterns with aunified model and it achieves state-of-the-art performance with highefficiency.

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

Xinlong Pan,Haipeng Wang,Xueqi Cheng,Xuan Peng,You He

DOI: https://doi.org/10.1016/j.inffus.2019.12.009

IF: 18.6

2019-01-01

Information Fusion

Abstract:In the surveillance domain, timely detection of anomaly behaviors is very important and is a great challenge to human operators due to information overload, fatigue and inattention. Many anomaly detection algorithms based on trajectories have been proposed for this problem. However, these algorithms generally have problems such as complex parameter setting, unfaithful statistical model, not well-calibrated false alarm rate, poor ability of online learning and sequential anomaly detection, etc. The theory of conformal prediction was introduced to solve these problems by constructing the sequential Hausdorff nearest neighbor conformal anomaly detector. Yet, it only considers position information of the targets and is not sensitive to velocity and course anomaly behaviors. And the run times are increasing as the increase of the data size, which is not appropriate for early warning surveillance application. In order to solve these problems, sequential multi-factor Hausdorff nearest neighbor conformal anomaly detector (SMFHNN-CAD) and sequential multi-factor Hausdorff nearest neighbor inductive conformal anomaly detector (SMFHNN-ICAD) based on multidimensional trajectories are proposed in this paper. Experiments in both simulated military scenario and realistic civilian scenario show the presented algorithm has a good performance to online detect anomaly behaviors and would have a wide prospect in early warning surveillance systems.

Zhi-Zhong WU,Xue-Hai ZHOU

DOI: https://doi.org/10.3969/j.issn.1003-3254.2015.04.032

2015-01-01

Abstract:In this paper, we present a distributed anomaly detection system for mobile devices. The proposed framework realizes a client-server architecture, the client continuously extracts various features of mobile device and transfers to the server, and the server’s major task is to detect anomaly using state-of-art detection algorithms. According to the regularity of human daily activity and the periodic of using mobile device, we also propose a novel user behavior cycle based statistical approach, in which the abnormal is determined by the distance from the undetermined feature vector to the similar time segments’ vectors of previous cycles. We use the Mahalanobis distance as distance metric since it is rarely affected by the correlate and value range of features. Evaluation results demonstrated that the proposed framework and novel anomaly detection algorithm could effectively improve the detection rate of malwares on mobile devices.

Lin Guo,Guo Shan,Huang Hao,Cao Tian

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.006

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Differing from existed anomaly detection methods which only dealt with the frequencies of system calls or local variation, the paper puts forward a model named DBCPIDS. It took in both dynamic behavior and character patterns of programs. In this model, the authors defined the short sequence of system calls as a character pattern if this sequence satisfied the certain support degree, and propose an improved HMM (IHMM) on this basis. When detecting intrusions, firstly, we would judge whether the program trace is matched character patterns. If not, then the authors would use IHMM to detect. The model can not only reflect the global character of the program normal traces, but also pay much attention to the local warp in the execution. The experiments results show that the authors can get higher detection rate and lower false positive rate with DBCPIDS.