Xiaohong Guan,Wei Wang,Xiangliang Zhang

DOI: https://doi.org/10.1016/j.jnca.2008.04.006

IF: 7.574

2009-01-01

Journal of Network and Computer Applications

Abstract:In this paper, we present an efficient fast anomaly intrusion detection model incorporating a large amount of data from various data sources. A novel method based on non-negative matrix factorization (NMF) is presented to profile program and user behaviors of a computer system. A large amount of high-dimensional data is collected in our experiments and divided into smaller data blocks by a specific scheme. The system call data is divided into blocks by processes, while command data is divided into consecutive blocks with a fixed length. The frequencies of individual elements in each block of data are computed and placed column by column as data vectors to construct a matrix representation. NMF is employed to reduce the high-dimensional data vectors and anomaly detection can be realized as a very simple classifier in low dimensions. Experimental results show that the model presented in this paper is promising in terms of detection accuracy, computation efficiency and implementation for fast intrusion detection.

Fang Jinhe,Feng Yan,Wang Ruijie

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.18.048

2006-01-01

Abstract:After discussing the constraints of current intrusion detection systems(IDS),we issue two problems should be considered in developing an adaptive IDS,one is to select the time to update the normal profile and the other is to select a mechanism to update the profile.To resolve the first problem,we calculate the similarity between the incremental audit data and the normal profile and then decide whether to and when to update the profile.To resolve the second problem,we employ a sliding window approach and use only the audit data inside that sliding window to update the profile.The window therefore acts to filter out outdated audit data and to build a profile based on only recent data that reflects the recent system activities.

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1016/j.comcom.2007.10.010

IF: 5.047

2008-01-01

Computer Communications

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. Most current intrusion detection models lack the ability to process massive audit data streams for real-time anomaly detection. In this paper, we present an effective anomaly intrusion detection model based on Principal Component Analysis (PCA). The model is more suitable for high speed processing of massive data streams in real-time from various data sources by considering the frequency property of audit events than by use of the transition property or the correlation property. It can serve as a general framework that a practical Intrusion Detection Systems (IDS) can be implemented in various computing environments. In this method, a multi-pronged anomaly detection model is used to monitor various computer system and network behaviors. Three sources of data, system call data from the University of New Mexico (lpr) and from KLINNS Lab of Xi'an Jiaotong University (ftp), shell command data from AT&T Research laboratory, and network data from MIT Lincoln Lab, are used to validate the model and the method. The frequencies of individual system calls generated by one process and of individual commands embedded in one command block as well as features extracted in one network connection are transformed into an input data vector. Our method is employed to reduce the high dimensional data vectors and thus the detection is handled in a lower dimension with high efficiency and low use of system resources. The distance between a vector and its reconstruction in the reduced subspace is used for anomaly detection. Empirical results show that our model is promising in terms of detection accuracy and computational efficiency, and thus amenable for real-time intrusion detection.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.012

2011-01-01

Computer Science

Abstract:This paper presented a novel method for anomaly detection of user behavior based on the discrete-time Mar-kov chain model,which is applicable to intrusion detection systems using shell commands as audit data.In the training period,the uncertainty of the user's behavior and the relevance of the operation of shell commands in short time were fully considered.This method takes the sequences of shell commands as the basic processing units.It merges the sequences into sets in terms of their ordered frequencies and then constructs states of the Markov chain on the merged results.Therefore this method increases the accuracy of describing the normal behavior profile and the adaptability to the variations of the user's behavior and sharply reduces the number of states and the required storage space.In the detection stage,considering the real-time performance and the accuracy requirement of the detection system,it analyzes the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences,and then provides two schemes,based on the probability stream filtered with single window or multi-windows,to classify the user's behavior.The results of our experiments show that this method can achieve higher detection performance and practicability than others.

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

Xi Xiangyu,Zhang Tong,Ye Wei,Wen Zhao,Zhang Shikun,Du Dongdong,Gao Qing

DOI: https://doi.org/10.1142/s0218194018400211

2018-01-01

Abstract:An intruder of a company’s network may use stolen login credentials to silently collect sensitive data. Such malicious user behavior is difficult to detect as long as it does not trigger access violation or data leak alert. In this paper, we propose to use an ensemble of three unsupervised anomaly detection algorithms, namely OCSVM, RNN and Isolation Forest, to detect abnormal user behavior patterns. Besides, an User Behavior Analytics (UBA) Platform is proposed to collect logs, extract features and conduct experiments. The experiment results indicate that our algorithm outperforms each individual algorithm with recall of 96.55% and precision of 91.24% on average, while both OCSVM and RNN suffer from anomalies in the training set, and [Formula: see text] produces more false positives and false negatives in prediction.

Xi XIAO,Shu-tao XIA,Xin-guang TIAN,Qi-bin ZHAI

DOI: https://doi.org/10.1016/s1005-8885(10)60128-8

2011-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:In anomaly detection, a challenge is how to model a user's dynamic behavior. Many previous works represent the user behavior based on fixed-length models. To overcome their shortcoming, we propose a novel method based on discrete-time Markov chains (DTMC) with states of variable-length sequences. The method firstly generates multiple shell command streams of different lengths and combines them into the library of general sequences. Then the states are defined according to variable-length behavioral patterns of a valid user, which improves the precision and adaptability of user profiling. Subsequently the transition probability matrix is created. In order to reduce computational complexity, the classification values are determined only by the transition probabilities, then smoothed with sliding windows, and finally used to discriminate between normal and abnormal behavior. Two empirical evaluations on datasets from Purdue University and AT&T Shannon Lab show that the proposed method can achieve higher detection accuracy and require less memory than the other traditional methods.

Nam Hun Park,Sang Hyun Oh,Won Suk Lee

DOI: https://doi.org/10.1016/j.ins.2010.03.001

IF: 8.1

2010-06-15

Information Sciences

Abstract:In anomaly intrusion detection, modeling the normal behavior of activities performed by a user is an important issue. To extract normal behavior from the activities of a user, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches model only the static behavior of a user in the audit data set. This drawback can be overcome by viewing a user’s continuous activities as an audit data stream. This paper proposes an anomaly intrusion detection method that continuously models the normal behavior of a user over the audit data stream. A set of features is used to represent the characteristics of an activity. For each feature, clusters of feature values corresponding to activities observed thus far in an audit data stream are identified by a statistical grid-based clustering algorithm for a data stream. Each cluster represents the frequency range of the activities with respect to the feature. As a result, without the physical maintenance of any historical activity of the user, the user’s new activities can be continuously reflected in the ongoing results. At the same time, various statistics of activities related to the identified clusters are also modeled to improve the performance of anomaly detection. The proposed algorithm is illustrated by a series of experiments to identify various characteristics.

computer science, information systems

ZM Cai,XH Guan,P Shao,QK Peng,GJ Sun

DOI: https://doi.org/10.1111/1468-0394.00249

IF: 3.3

2003-01-01

Expert Systems

Abstract:Abstract: Intrusion detection is important in the defense‐in‐depth network security framework. This paper presents an effective method for anomaly intrusion detection with low overhead and high efficiency. The method is based on rough set theory to extract a set of detection rules with a minimal size as the normal behavior model from the system call sequences generated during the normal execution of a process. It is capable of detecting the abnormal operating status of a process and thus reporting a possible intrusion. Compared with other methods, the method requires a smaller size of training data set and less effort to collect training data and is more suitable for real‐time detection. Empirical results show that the method is promising in terms of detection accuracy, required training data set and efficiency.

Swapnil Mane,Vaibhav Khatavkar,Niranjan Gijare,Pranav Bhendawade

2023-04-04

Abstract:An Intrusion detection system (IDS) is essential for avoiding malicious activity. Mostly, IDS will be improved by machine learning approaches, but the model efficiency is degrading because of more headers (or features) present in the packet (each record). The proposed model extracts practical features using Non-negative matrix factorization and chi-square analysis. The more number of features increases the exponential time and risk of overfitting the model. Using both techniques, the proposed model makes a hierarchical approach that will reduce the features quadratic error and noise. The proposed model is implemented on three publicly available datasets, which gives significant improvement. According to recent research, the proposed model has improved performance by 4.66% and 0.39% with respective NSL-KDD and CICD 2017.

Cryptography and Security

JJ Lu,BW Xu,WC Chu,HJ Yang

2003-01-01

Abstract:One possible approach to web personalization is to mine typical user profiles from the vast amount of historical data stored in access logs. Clustering techniques have been used to automatically discover typical user profiles recently. But it is a challenging problem to design effective similarity measure between the session vectors which are usually high dimensional and sparse. A new approach based on non-negative matrix factorization (NMF) is presented We apply non-negative matrix factorization to dimensionality reduction of the session-URL matrix, and the projecting vectors of the user session vectors are clustered into typical user session profiles using the spherical k-means algorithm. The results of experiment show that our algorithm can mine interesting user profiles effectively.

Wu Liu,Jian-Ping Wu,Hai-Xin Duan,Xing Li

DOI: https://doi.org/10.1007/11540007_96

2006-01-01

Abstract:In this paper, we apply data mining techniques to construct intrusion detection patterns. We mine both system audit data and network traffic data for consistent and useful patterns of program and user behavior, and use an iterative low-frequency-finder mining algorithm to find the low frequency but important patterns.

Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1007/978-3-540-28648-6_105

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer security in recent years. In this paper, a new intrusion detection method based on Principle Component Analysis (PCA) with low overhead and high efficiency is presented. System call data and command sequences data are used as information sources to validate the proposed method. The frequencies of individual system calls in a trace and individual commands in a data block are computed and then data column vectors which represent the traces and blocks of the data are formed as data input. PCA is applied to reduce the high dimensional data vectors and distance between a vector and its projection onto the subspace reduced is used for anomaly detection. Experimental results show that the proposed method is promising in terms of detection accuracy, computational expense and implementation for real-time intrusion detection.

Meng Bi,Jian Xu,Mo Wang,Fucai Zhou

DOI: https://doi.org/10.1007/s12652-015-0341-4

IF: 3.662

2016-01-21

Journal of Ambient Intelligence and Humanized Computing

Abstract:A new anomaly detection model which is based on principal component analysis (PCA) is proposed in this paper. Our schema proposes a method to extract the user’s behavior and analyzes the features selected as representative of the user’s access. The PCA method is introduced to the anomaly detection model which adopts its improvements to make it more consistent with anomaly detection system design to describe the user’s behavior more completely and to improve the efficiency and stability of the algorithm. This paper also uses our scheme to the anomaly detection of the database system. Finally, the data sets from the internet are used to test the feasibility of this model. The experimental results show that our model can detect normal and abnormal user behavior precisely and effectively.

computer science, information systems,telecommunications, artificial intelligence

Jionghua Jin,Xuejun Zhu

2006-01-01

Abstract:The intrusion detection in computer networks is a complex research problem, which requires the understanding of computer networks and the mechanism of intrusions, the configuration of sensors and the collected data, the selection of the relevant attributes, and the monitor algorithms for online detection. It is critical to develop general methods for data dimension reduction, effective monitoring algorithms for intrusion detection, and means for their performance improvement. This dissertation is motivated by the timely need to develop statistics-based machine learning methods for effective detection of computer network anomalies. Three fundamental research issues related to data dimension reduction, control charts design and performance improvement have been addressed accordingly. The major research activities and corresponding contributions are summarized as follows: (1) Filter and Wrapper models are integrated to extract a small number of the informative attributes for computer network intrusion detection. A two-phase analyses method is proposed for the integration of Filter and Wrapper models. The proposed method has successfully reduced the original 41 attributes to 12 informative attributes while increasing the accuracy of the model. The comparison of the results in each phase shows the effectiveness of the proposed method. (2) Supervised kernel based control charts for anomaly intrusion detection. We propose to construct control charts in a feature space. The first contribution is the use of multi-objective Genetic Algorithm in the parameter pre-selection for SVM based control charts. The second contribution is the performance evaluation of supervised kernel based control charts. (3) Unsupervised kernel based control charts for anomaly intrusion detection. Two types of unsupervised kernel based control charts are investigated: Kernel PCA control charts and Support Vector Clustering based control charts. The applications of SVC based control charts on computer networks audit data are also discussed to demonstrate the effectiveness of the proposed method. Although the developed methodologies in this dissertation are demonstrated in the computer network intrusion detection applications, the methodologies are also expected to be applied to other complex system monitoring, where the database consists of a large dimensional data with non-Gaussian distribution.

L Feng,XH Guan,SG Guo,Y Gao,PN Liu

DOI: https://doi.org/10.1016/j.cose.2004.01.016

IF: 5.105

2004-01-01

Computers & Security

Abstract:Identifying the intentions or attempts of the monitored agents through observations is very vital in computer network security. In this paper, a plan recognition method for predicting the anomaly events and the intentions of possible intruders to a computer system is developed based on the observation of system call sequences. The probability of the goal state for a system call sequence is defined as the prediction index to determine if the intention is normal. An efficient algorithm based on the dynamic Bayesian network theory with parameter compensation is derived and then applied to update the index recursively. Extensive empirical testing is performed on the data sets published in the literature and those collected in an actual computer system at our lab. The testing results showed that this method can identify the intrusion behaviors from the observed system call sequences with good accuracy.

Chenze Huang,Ying Zhong

DOI: https://doi.org/10.3390/math12040619

IF: 2.4

2024-02-20

Mathematics

Abstract:Community structure is a significant characteristic of complex networks, and community detection has valuable applications in network structure analysis. Non-negative matrix factorization (NMF) is a key set of algorithms used to solve the community detection issue. Nevertheless, the localization of feature vectors in the adjacency matrix, which represents the characteristics of complex network structures, frequently leads to the failure of NMF-based approaches when the data matrix has a low density. This paper presents a novel algorithm for detecting sparse network communities using non-negative matrix factorization (NMF). The algorithm utilizes local feature vectors to represent the original network topological features and learns regularization matrices. The resulting feature matrices effectively reveal the global structure of the data matrix, demonstrating enhanced feature expression capabilities. The regularized data matrix resolves the issue of localized feature vectors caused by sparsity or noise, in contrast to the adjacency matrix. The approach has superior accuracy in detecting community structures compared to standard NMF-based community detection algorithms, as evidenced by experimental findings on both simulated and real-world networks.

mathematics