Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Lei Zhang,Jianqing Zhang,Yong Chen,Shaowen Liao

DOI: https://doi.org/10.1109/icicta.2018.00074

2018-01-01

Abstract:In this paper, a hybrid intrusion detection model based on data mining, which is commonly used in network security anomaly detection, is proposed that combines anomaly detection with misuse detection technology. Two test stages were formed and applied to the instrusion detection system in the process of large-scale network traffic detection. On the basis of improving the detection ability of the massive information detection system, the security of the data source of the intrusion detection system was ensured.

QT Wu,ZQ Shao

DOI: https://doi.org/10.1109/icas-icns.2005.69

2005-01-01

Abstract:This paper presents a method of detecting network anomalies by analyzing the abrupt change of time series data obtained from management information base (MIB) variables. The method applies the auto-regressive (AR) process to model the abrupt change of time series data, and performs sequential hypothesis test to detect the anomalies. With time correlation and location correlation, the method determines not only the presence of anomalous activity, but also its occurring time and location. The experimental results show that the proposed method performs well in detecting the traffic-related anomalies

H Jin,JH Sun,H Chen,ZF Han

DOI: https://doi.org/10.1109/ftdcs.2004.1316613

2004-01-01

Abstract:With explosively increasing information, data mining techniques are frequently employed to identify trends in the warehouse that may not be readily apparent. In this paper we apply fuzzy data mining techniques to a security system and build a fuzzy data mining based intrusion detection model. Through normalizing the data set and building a fuzzy similar matrix of the network connections in the data set, network connections are clustered into different classes.

Tongguang Ni,Xiaoqing Gu,Hongyuan Wang,Yu Li

DOI: https://doi.org/10.1155/2013/821315

2013-01-01

Journal of Control Science and Engineering

Abstract:Distributed denial of service (DDoS) attacks are one of the major threats to the current Internet, and application-layer DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. Consequently, neither intrusion detection systems (IDS) nor victim server can detect malicious packets. In this paper, a novel approach to detect application-layer DDoS attack is proposed based on entropy of HTTP GET requests per source IP address (HRPI). By approximating the adaptive autoregressive (AAR) model, the HRPI time series is transformed into a multidimensional vector series. Then, a trained support vector machine (SVM) classifier is applied to identify the attacks. The experiments with several databases are performed and results show that this approach can detect application-layer DDoS attacks effectively.

Guojun Mao,Xindong Wu,Xuxian Jiang

DOI: https://doi.org/10.1080/18756891.2012.670519

2012-01-01

Abstract:Computer intrusions are taking place everywhere, and have become a major concern for information security. Most intrusions to a computer system may result from illegitimate or irregular calls to the operating system, so analyzing the system-call sequences becomes an important and fundamental technique to detect potential intrusions. This paper proposes two models based on data mining technology, respectively called frequency patterns (FP) and tree patterns (TP) for intrusion detection. FP employs a typical method of sequential mining based on frequency analysis, and uses a short sequence model to find out quickly frequent sequential patterns in the training system-call sequences. TP makes use of the technique of tree pattern mining, and can get a quality profile from the training system-call sequences of a given system. Experimental results show that FP has good performances in training and detecting intrusions from short system-call sequences, and TP can achieve a high detection precision in handling long sequences.

Qing Ye,Xiaoping Wu,Gaofeng Huang

DOI: https://doi.org/10.1109/ICFCC.2010.5497340

2010-01-01

Abstract:An intrusion is defined as any set of actions that compromise the integrity, confidentiality or availability of a resource. Data mining is to identify valid, novel, potentially useful, and ultimately understandable patterns in massive data. It is demanding to apply data mining techniques to detect various intrusions. This paper presents an approach to detect intrusion based on data mining frame work. In the framework, intrusion detection is thought of as clustering. The reduction algorithm is presented to cancel the redundant attribute set and obtain the optimal attribute set to form the input of the FCM. To find the reasonable initial centers easily, the advanced FCM is established, which improves the performance of intrusion detection since the traffic is large and the types of attack are various. In the illustrative example, the number of attributes is reduced greatly and the detection is in a high precision for the attacks of DoS and Probe, a low false positive rate in all types of attacks. ©2010 IEEE.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

GU Xiaoqing,WANG Hongyuan,NI Tongguang,DING Hui

DOI: https://doi.org/10.3724/sp.j.1087.2013.02228

2013-01-01

Journal of Computer Applications

Abstract:According to the difference between normal users' visiting patterns and abnormal ones,a new method to detect application-layer Distributed Denial of Service(DDoS) attack was proposed based on IP Service Request Entropy(SRE) time series.By approximating the Adaptive AutoRegressive(AAR) model,the SRE time series was transformed into a multidimensional vector series regarded as a description of current users' visiting patterns.Furthermore,a Support Vector Machine(SVM) classifier was applied to classify vector series and identify the attacks.The simulation results show that this approach not only can distinguish between normal traffic and DDoS attack traffic,but also is suitable to detect DDoS attack against the large scale network traffic,which does not arouse the sharp changes of the network traffic.

F Zhao,Qh Li,Yb Zhao

DOI: https://doi.org/10.1007/978-3-540-30208-7_128

2004-01-01

Abstract:dThere is often the need to detect currently intrusion and new attacks in existed Intursion Detection System (IDS) due to customers' demands. Since traditional data mining-based IDSs contructed on the basis of historied data, systems are expensive and not real time. In this paper, we present an overview of our research in real time time-series mining-based intrusion detection systems. At first we describe multidimensional spatial model of network events, then present time-series minging-based architecture model and finally discuss real time approaches for systems. We focus on the issues related to deploying an accurate and efficient time-series mining-based IDS in a real time environment.

Simon Duque Anton,Lia Ahrens,Daniel Fraunholz,Hans Dieter Schotten

DOI: https://doi.org/10.1109/ICDMW.2018.00008

2018-09-20

Abstract:The Industrial Internet of Things drastically increases connectivity of devices in industrial applications. In addition to the benefits in efficiency, scalability and ease of use, this creates novel attack surfaces. Historically, industrial networks and protocols do not contain means of security, such as authentication and encryption, that are made necessary by this development. Thus, industrial IT-security is needed. In this work, emulated industrial network data is transformed into a time series and analysed with three different algorithms. The data contains labeled attacks, so the performance can be evaluated. Matrix Profiles perform well with almost no parameterisation needed. Seasonal Autoregressive Integrated Moving Average performs well in the presence of noise, requiring parameterisation effort. Long Short Term Memory-based neural networks perform mediocre while requiring a high training- and parameterisation effort.

Machine Learning,Cryptography and Security

Huazan Liu,Zhenzhou Ji,Chong Li,Kaikai Li

DOI: https://doi.org/10.1109/ICCEA58433.2023.10135289

2023-01-01

Abstract:As the development of the Internet of Things, industrial control network security issues have become more prominent. Anomaly detection technology is an important detection technology for ensuring the network security of industrial control systems, which can issue alarms and block responses before the system is compromised. However, most models currently suffer from problems such as low detection rate, high false positive rate, and inability to locate the anomalies. To address these issues, this paper proposes a multidimensional feature and spectral residual-based industrial control time series anomaly detection method (SRMCAD) to improve the accuracy of anomaly detection while reducing the false positive rate. First, this paper applies the spectral residual method to multidimensional time series anomaly detection in the industrial control domain, and uses the residual data obtained by spectral residual processing instead of the original data as input to the model. Secondly, to address the problem of imprecise device attack localization and high false positive rate in existing industrial control anomaly detection models, this paper designs and implements an industrial control anomaly detection model based on an encoding-decoding architecture, incorporating the idea of system state modeling and using the Mahalanobis distance as the loss function. Experimental results show that SRMCAD has significant advantages over current advanced methods.

Xiejun Ni,Daojing He,Farooq Ahmad

DOI: https://doi.org/10.21015/vtse.v9i2.403

2016-01-01

VFAST Transactions on Software Engineering

Abstract:Revised July 2015 ABSTRACT. Network anomaly detection is an effective way to detect intrusions which defends our computer systems or network from attackers on the Internet. In this paper, we introduce the current research works in network anomaly detection and consider several pratical solutions for this issue. Different from signature-based method, data mining techniques can automatically extract normal pattern from a large set of network data and distinguish them from each other. However, those data mining techniques, such as classification, clustering, association rules and feature selection, can not be applied into this problem directly due to the characteristic of network data and technique themselves. We analyze those unfitness and propose some adaptation to detect anomaly timely and accurately.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Long Zhao,Yanyan Wang,Wenbin Fan,DeXuan Wang,Yuan Zhou,Yekun Fang,Enhong Chen

DOI: https://doi.org/10.1007/978-3-031-20738-9_111

2023-01-01

Abstract:The rapid increase of data has made data security a major problem that enterprises need to explore urgently. At present, data leakage is mainly divided into external attacks and internal leakage. This paper is focused on internal data leakage. Aiming at the quantifiable problem of abnormal behaviors, we propose a model based on data mining algorithms and time series to discover a criterion of normal behaviors. Via those criteria (called baseline), calculating anomaly scores and sorting the importance of those abnormal behaviors are possible. The purpose of our works is to discover possible data security risks efficiently and quickly and intuitively display their priority by quantifying their anomaly scores.

Jh Sun,H Jin,H Chen,Zf Han,Dq Zou

DOI: https://doi.org/10.1007/978-3-540-45080-1_91

2003-01-01

Abstract:Intrusion Detection Systems (IDSs) have become a critical part of security systems. The goal of an intrusion detection system is to block intrusion effectively and accurately. However, the performance of IDS is not satisfying. In this paper, we study the issue of building a data mining based intrusion detection model to raise the detection performance. The key ideas are to use data mining techniques to discover consistent and useful patterns for intrusion and use the set of patterns to recognize intrusion. By applying statistics inference theory to this model, the patterns mined from a set of test data are effective to detect the attacks in the same category, and therefore can detect most novel attacks that are variants of known attacks.

Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1016/j.comcom.2007.10.010

IF: 5.047

2008-01-01

Computer Communications

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. Most current intrusion detection models lack the ability to process massive audit data streams for real-time anomaly detection. In this paper, we present an effective anomaly intrusion detection model based on Principal Component Analysis (PCA). The model is more suitable for high speed processing of massive data streams in real-time from various data sources by considering the frequency property of audit events than by use of the transition property or the correlation property. It can serve as a general framework that a practical Intrusion Detection Systems (IDS) can be implemented in various computing environments. In this method, a multi-pronged anomaly detection model is used to monitor various computer system and network behaviors. Three sources of data, system call data from the University of New Mexico (lpr) and from KLINNS Lab of Xi'an Jiaotong University (ftp), shell command data from AT&T Research laboratory, and network data from MIT Lincoln Lab, are used to validate the model and the method. The frequencies of individual system calls generated by one process and of individual commands embedded in one command block as well as features extracted in one network connection are transformed into an input data vector. Our method is employed to reduce the high dimensional data vectors and thus the detection is handled in a lower dimension with high efficiency and low use of system resources. The distance between a vector and its reconstruction in the reduced subspace is used for anomaly detection. Empirical results show that our model is promising in terms of detection accuracy and computational efficiency, and thus amenable for real-time intrusion detection.

YU Yan,GUO Shan-Qing,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.05.018

2007-01-01

Computer Science

Abstract:Existing anomaly intrusion detection algorithms based on machine learning are usually founded on the equivalent learning of all historical dataset.Therefore,the learned network behavior profiles depend on the historical data heavily,thus behavior characteristics of current network traffic can not be represented exactly.At the same time,the network packets which arrive persistently with high speed and large volume can not be stored and maintained in time because of the high time and space complexity of the anomaly intrusion detection algorithms.So,a kind of two-phase intrusion detection method based on data stream clustering is presented.In the method,the statistical information of the network traffic are collected and generated on line firstly.Then the statistical information which can represent current network situation nicely are used to detect the intrusions.Accordingly,the influence of historical data can be reduced.The empirical results manifest that such a two-phase intrusion detection method has better detection performance than that based on all historical data,as well as resolves the problems of insufficient system resources,such as memory,etc.,to improve the flexibility and concurrency of system.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.