YU Yan,GUO Shan-Qing,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.05.018

2007-01-01

Computer Science

Abstract:Existing anomaly intrusion detection algorithms based on machine learning are usually founded on the equivalent learning of all historical dataset.Therefore,the learned network behavior profiles depend on the historical data heavily,thus behavior characteristics of current network traffic can not be represented exactly.At the same time,the network packets which arrive persistently with high speed and large volume can not be stored and maintained in time because of the high time and space complexity of the anomaly intrusion detection algorithms.So,a kind of two-phase intrusion detection method based on data stream clustering is presented.In the method,the statistical information of the network traffic are collected and generated on line firstly.Then the statistical information which can represent current network situation nicely are used to detect the intrusions.Accordingly,the influence of historical data can be reduced.The empirical results manifest that such a two-phase intrusion detection method has better detection performance than that based on all historical data,as well as resolves the problems of insufficient system resources,such as memory,etc.,to improve the flexibility and concurrency of system.

Yitong Liu,Caiyun Liu,Jun Li,Yan Sun

DOI: https://doi.org/10.1007/978-981-97-2757-5_49

2024-01-01

Abstract:In today's information age, with the rapid development of network technology and a large number of applications of sensors in daily life. The number of various types of data has shown a great growth. These data not only bring us convenience and benefits, but also pose a great challenge to us, that is, how to explore the information of the data and effectively analyze the specific significance contained in the data has become a hot research direction. In the large amount of data obtained, most of the data are in the normal state and only represent the basic "value" information. Compared with the data in the normal state, the information carried by a small part of the data is more worthy of attention. The emergence of these data is the so-called "exception". The occurrence of exceptions indicates that the system that should be running normally has changed, and these changes often have a negative impact on the system. Looking at these applications, it is not difficult to find that the actual frequency of these anomalies accounts for a very small proportion compared with a large number of normal time, but its value is very huge. Therefore, real-time online anomaly detection of convective data has very important value and significance for scientific research and industrial application. In the process of this research, I have a more comprehensive and detailed understanding of the research field of "anomaly detection of stream data" through theoretical learning, apply the deep learning model to anomaly detection of stream data, and test the performance of the model through experiments. By comparing the performance of traditional anomaly detection algorithms, unsupervised and semi supervised machine learning models and neural networks such as LSTM/HTM in stream data anomaly detection, we try to find an algorithm that can detect stream data information in real time and provide anomaly alarm in time.

Qun Huang,Patrick P. C. Lee

DOI: https://doi.org/10.1109/INFOCOM.2014.6848076

2014-01-01

Abstract:Real-time characterization of traffic anomalies, such as heavy hitters and heavy changers, is critical for the robustness of operational networks, but its accuracy and scalability are challenged by the ever-increasing volume and diversity of network traffic. We address this problem by leveraging parallelization. We propose LD-Sketch, a data structure designed for accurate and scalable traffic anomaly detection using distributed architectures. LD-Sketch combines the classical counter-based and sketch-based techniques, and performs detection in two phases: local detection, which guarantees zero false negatives, and distributed detection, which reduces false positives by aggregating multiple detection results. We derive the error bounds and the space and time complexity for LD-Sketch. We compare LD-Sketch with state-of-the-art sketch-based techniques by conducting experiments on traffic traces from a real-life 3G cellular data network. Our results demonstrate the accuracy and scalability of LD-Sketch over prior approaches.

Shenglong Liu,Yuxiao Xia,Di Wang

DOI: https://doi.org/10.1109/access.2024.3376413

IF: 3.9

2024-03-27

IEEE Access

Abstract:In the era of mobile big data, smart mobile devices have become an integral part of our daily life, which brings many benefits to the digital society. However, their popularity and relatively lax security make them vulnerable to various cyber threats. Traditional network traffic analysis techniques utilizing pattern matching and regular expressions matching algorithms are becoming insufficient for mobile big data. Network traffic anomaly detection is an effective method to replace traditional methods. Network traffic anomaly detection can solve many new challenges brought by future network and protect the security of network. In this article, we propose a streaming network framework for mobile big data, referred to as SNMDF, which provides massive data traffic collection, processing, analysis, and updating functions, to cope with the tremendous amount of data traffic. In particular, by analyzing the specific characteristics of anomaly traffic data from flow and user behavior, our proposed SNMDF demonstrates its capability to offer real data-based advice to address new challenges for future wireless networks from the viewpoints of operators. Tested by real mobile big data, SNMDF has proven its efficiency and reliability. Furthermore, SNMDF is accessed for the digital twin of the space Internet, which validates that it can be generalized to other environments with massive data traffic or big data.

computer science, information systems,telecommunications,engineering, electrical & electronic

FuCheng Pan,DeZhi Han,Yuping Hu

DOI: https://doi.org/10.1504/IJES.2019.102428

2019-11-25

International Journal of Embedded Systems

Abstract:In order to realise the rapid analysis and identification of abnormal traffic in real-time networks, a distributed real-time network abnormal traffic detection system (DRNATDS) was designed, which could effectively analyse abnormal network traffic. DRNATDS provided effective real-time big data analysis platform and guaranteed network security. The paper proposes K-means algorithm based on relative density and distance, integrated with Spark Streaming and Kafka. It could effectively detect various network attacks under real-time data stream. The experimental results show that DRNATDS has good high availability and stability. Compared to other algorithms, K-means algorithm based on relative density and distance could more effectively identify abnormal network traffic and improve the recognition rate.

English Else

XIAO San,YANG Yahui,SHEN Qingni

DOI: https://doi.org/10.3778/j.issn.1002-8331.1208-0286

2013-01-01

Abstract:Since online abnormal detection for backbone network with large flow currently is a research hotspot in network security field,an online network abnormal detection method is proposed to handle big data stream properly.The method processes big data stream into micro-clusters with density-based cluster method,and then micro-clusters absorb data stream directly to enhance the performance.The method regularly executes outlier detection process to find intrusion.The method does not require offline training process and can find any arbitrary clusters.It also supports big data stream and can balance between detection precision and resources with great performance.In the experiment,the prototype system finishes analysis task in 20 s over MIT Lincoln Laboratory LLS_DDOS_1.0 data,with 82% TPR and 6% FPR,which is equivalent to K-means.

Qun Huang,Patrick P. C. Lee

DOI: https://doi.org/10.1016/j.comnet.2015.08.025

IF: 5.493

2015-01-01

Computer Networks

Abstract:Real-time characterization of network traffic anomalies, such as heavy hitters and heavy changers, is critical for the robustness of operational networks, but its accuracy and scalability are challenged by the ever-increasing volume and diversity of network traffic. We address this problem by leveraging parallelization. We propose LD-Sketch, a data structure designed for accurate and scalable traffic anomaly detection using distributed architectures. LD-Sketch combines the classical counter-based and sketch-based techniques, and performs detection in two phases: local detection, which guarantees zero false negatives, and distributed detection, which reduces false positives by aggregating multiple detection results. We derive the error bounds and the space and time complexity for LD-Sketch. We further analyze the impact of ordering of data items on the memory usage and accuracy of LD-Sketch. We compare LD-Sketch with state-of-the-art sketch-based techniques by conducting experiments on traffic traces from a real-life 3G cellular data network. Our results demonstrate the accuracy and scalability of LD-Sketch over prior approaches.

YU Yan,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.02.010

2007-01-01

Abstract:Existing anomaly intrusion detection algorithms based on supervised learning usually face difficulties when the training samples are insufficient.At the same time,the characteristics that the pattern of network traffic is changing over time are not considered adequately by the intrusion detection algorithms which are based on the equivalent learning of all historical dataset.So,a streaming ensemble intrusion detection model based on small labeled data is presented,in which a small labeled dataset is extended to work out the problem of the insufficiency of training samples.In addition,it can adapt to the changes of network traffic adequately.The experimental results manifest that the algorithm has better detection performance than those based on all historical data while the size of labeled dataset is very small.

Pinghui Wang,Xiaohong Guan,Tao Qin,Qiuzhen Huang

DOI: https://doi.org/10.1109/tifs.2011.2123094

IF: 7.231

2011-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Due to the massive amount of data in high-speed network traffic and the limit on processing capability, it is a great challenge to accurately measure and monitor network traffic over high-speed links online. A new data structure is presented in this paper for locating the hosts associated with large connection degrees or significant changes in connection degrees based on the reversible connection degree sketch to monitor anomalous network traffic. The reversible connection degree sketch builds a compact summary of host connection degrees efficiently and accurately. For each packet coming, it only needs to set several bits selected in a bit array by a group of hash functions. These hash functions are designed based on the Chinese Remainder Theorem so that the in-degree or out-degree associated with a given host can be accurately estimated. With this new data structure, we develop a new reverse sketch method for locating abnormal hosts. Although the reversible connection degree sketch does not preserve any host address information, we can analytically reconstruct the host addresses associated with large connection degrees or significant changes in connection degrees by a simple calculation purely based on the characteristics of the hash functions. Furthermore, a reinforced reversible connection degree sketch, the double connection degree sketch, is developed to reduce false positives which are commonly encountered in the sketch-based methods. A traffic monitoring system based on this double connection degree is developed to detect and classify the abnormal hosts associated with large connection degrees or significant changes in connection degrees. The experiments are conducted based on the actual network traffic and the testing results show that our method is accurate and efficient.

Swapneel Mehta,Prasanth Kothuri,Daniel Lanza Garcia

DOI: https://doi.org/10.48550/arXiv.1812.01941

2018-12-01

Abstract:We leverage a streaming architecture based on ELK, Spark and Hadoop in order to collect, store, and analyse database connection logs in near real-time. The proposed system investigates outliers using unsupervised learning; widely adopted clustering and classification algorithms for log data, highlighting the subtle variances in each model by visualisation of outliers. Arriving at a novel solution to evaluate untagged, unfiltered connection logs, we propose an approach that can be extrapolated to a generalised system of analysing connection logs across a large infrastructure comprising thousands of individual nodes and generating hundreds of lines in logs per second.

Machine Learning,Distributed, Parallel, and Cluster Computing

Ying Zhao,Gang Shao,Guangwen Yang

DOI: https://doi.org/10.1109/IFCSTA.2009.59

2009-01-01

Abstract:Today, large scale computer systems have become an important component in production and scientific computing and lead to rapid advances in many disciplines. However, the size, and complexity of systems make them very difficult to detect unusual nodes automatically and traditional host monitoring tools are not capable of dealing with the need of anomaly detection in large amount of nodes. In this paper, we introduce a novel tool, LSAND, which could detect anomalistic nodes in a horizontal view of the machines with comparable configuration and tasks running on. We evaluated LSAND in a cluster environment, table the results of our experiment and give a discussion on the effect and show that LSAND is both effective and efficient for detecting anomalistic nodes with high-dimensional features.

Fengrui Liu,Yang Wang,Zhenyu Li,Hongtao Guan,Gaogang Xie

DOI: https://doi.org/10.1016/j.comcom.2023.06.027

IF: 5.047

2023-09-01

Computer Communications

Abstract:With the widespread use of Internet applications, ensuring the quality and reliability of online services has become increasingly important. Therefore, anomaly detection methods play a critical role in identifying potential anomalies in the data streams of infrastructure systems and service applications. However, most of known detection methods have an underlying assumption that the data streams are continuous. In practice, we learn that many real-world data streams can be sporadic. It incurs particular challenges for the task of anomaly detection, for which the common preprocessing of downsampling on sporadic data can omit potential anomalies and delay alarms. In this paper, we propose an ensemble learning-based anomaly detection method on sporadic data streams named AD 2 S . It consists of two modules: a monitor module to continuously and adaptively determine the measure windows for observations, and a detection module that utilizes an isolation partition strategy to estimate the anomaly degree of each incoming observation. Based on experimental results on eight synthetic and public real-world datasets, our method outperforms other state-of-the-art methods with an average AUC score of 0.923. Additionally, our analysis demonstrates that the proposed method has constant amortized time and space complexity, enabling once detection within an average of 9.9 ms and maximum memory usage of 26.14 KB. The code of AD 2 S is open-sourced for further research.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaolong Liang

DOI: https://doi.org/10.1109/netcit54147.2021.00053

2021-12-01

Abstract:With the rapid development of network communication technology, the continuous deepening of Internet application and the increasing enrichment of information, the Internet has become an important infrastructure of human society. With the development of network technology and the increasing complexity of network topology, the supervision of network is facing great challenges. Among them, network traffic anomaly detection is one of the important tasks in network supervision. It is an indispensable technical means in network intrusion detection, security monitoring, operation and maintenance. Network security has become a problem faced by people. Anomaly detection is valued by people in academia and industry because it can detect unknown attacks. Researchers have proposed a large number of anomaly detection methods and systems. However, with the continuous growth of network bandwidth and the continuous progress of network attack and defense game, the network itself is in the process of dynamic evolution, and the means and methods of network attack are also evolving, resulting in the improvement of detection accuracy and accuracy of anomaly detection system Operational efficiency, security and ease of use are facing severe challenges. It is of great significance to propose anomaly detection methods with high detection accuracy and high operation efficiency and optimize existing detection algorithms. It is also a cutting-edge scientific problem of common concern in the field of global network security in academia and industry. Based on the prediction model and classifier, this paper proposes a real-time online anomaly detection method for network traffic, and systematically implements this method.

Emaad A. Manzoor,Sadegh Momeni,Venkat N. Venkatakrishnan,Leman Akoglu

DOI: https://doi.org/10.48550/arXiv.1602.04844

2016-02-22

Abstract:Given a stream of heterogeneous graphs containing different types of nodes and edges, how can we spot anomalous ones in real-time while consuming bounded memory? This problem is motivated by and generalizes from its application in security to host-level advanced persistent threat (APT) detection. We propose StreamSpot, a clustering based anomaly detection approach that addresses challenges in two key fronts: (1) heterogeneity, and (2) streaming nature. We introduce a new similarity function for heterogeneous graphs that compares two graphs based on their relative frequency of local substructures, represented as short strings. This function lends itself to a vector representation of a graph, which is (a) fast to compute, and (b) amenable to a sketched version with bounded size that preserves similarity. StreamSpot exhibits desirable properties that a streaming application requires---it is (i) fully-streaming; processing the stream one edge at a time as it arrives, (ii) memory-efficient; requiring constant space for the sketches and the clustering, (iii) fast; taking constant time to update the graph sketches and the cluster summaries that can process over 100K edges per second, and (iv) online; scoring and flagging anomalies in real time. Experiments on datasets containing simulated system-call flow graphs from normal browser activity and various attack scenarios (ground truth) show that our proposed StreamSpot is high-performance; achieving above 95% detection accuracy with small delay, as well as competitive time and memory usage.

Social and Information Networks

Shuiyuan Xie,Xiuli Ma,Shiwei Tang

DOI: https://doi.org/10.1007/978-3-642-39527-7_9

2013-01-01

Abstract:In many real networks, the detection and tracking of unusual phenomena, such as the diffusion of contamination and the spreading of disease, is one of the key feature users are great interested in, which is called anomaly with technical terms. In this paper, we present a framework to detect and track anomaly region continuously. First, we build a state transition graph to summarize network's operating regularity, that is, network stays in a state for a period of time and alternates among states over and over again, which exists in many real networks. Second, we employ the state transition graph to predict network's next state. While comparing expected state and current state, we present suspicious region and its anomaly probability. We evaluate our approach on a real water distribution network from the Battle of the Water Sensor Network (BWSN). Experiments show that our approach is effective, efficient and scalable to detect and track anomaly region. © 2013 Springer-Verlag.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Lisheng Huang,Jinye Ran,Wenyong Wang,Tan Yang,Yu Xiang

DOI: https://doi.org/10.1016/j.comnet.2020.107645

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>This paper proposes a novel multi-channel network traffic anomaly detection method combined with the idea of multi-scale decomposition, feature selection and fusion. Our method includes a feature selection and fusion module, which extracts the most important features from redundancy traffic features and fuses the selected features, a multi-scale decomposition module, and a multi-channel Generalized Likelihood Ratio Test (GLRT) detection module, for anomaly detection and decision-making. The advantage of our method is that, first, it only considers the selected features and reduces the amount of computation. Second, compared with traditional anomaly detection methods that usually work on each scale independently thus mainly focused on temporally correlated traffic, our method fully explores the internal frequency-time correlations within multiple scales. It can be verified with experiments that this method performs better than other traditional methods, thus gives a new sight on the anomaly detection with different types of traffic data.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Jianliang Zhang,Jian Zhang,Zhishen Wu

DOI: https://doi.org/10.3390/s22166045

2022-08-12

Abstract:Structural health monitoring (SHM) systems have been widely applied in long-span bridges and a large amount of SHM data is continually collected. The harsh environment of sensors installed at structures causes multiple types of anomalies such as outlier, minor, missing, trend, drift, and break in the SHM data, which seriously hinders the further analysis of SHM data. In order to achieve anomaly detection from a large amount of SHM data, this paper proposes a long-short term memory (LSTM) network-based anomaly detection method. Firstly, the proposed method reduces the workload for preparing training sets. Secondly, the purpose of real-time anomaly detection can be met. Thirdly, the problem of high alarm rate can be avoided by utilizing double thresholds. To validate the effectiveness of the proposed method, a case study of finite element model simulation is firstly introduced, which illustrates the detailed implementation process. Finally, acceleration data from the SHM system of a long-span suspension bridge located in Jiangyin, China is employed. The results show that the proposed method can detect anomaly with high accuracy and identify abnormal accidents such as a ship collision quickly.

Min Lu,Qianzhen Zhang,Xianqiang Zhu

DOI: https://doi.org/10.3390/math12193092

IF: 2.4

2024-10-03

Mathematics

Abstract:A streaming graph is a constantly growing sequence of edges, which forms a dynamic graph that changes with every edge in the stream. An anomalous behavior in a streaming graph can be modeled as an edge or a subgraph that is unusual compared to the rest of the graph. Identifying anomalous behaviors in real time is essential to the early warning of abnormal or notable events. Due to the complexity of the problem, little work has been reported so far to solve the problem. In this paper, we propose Finger-based Higher-order Graph Sketch (FHGS for short), which is an approximate data structure for streaming graphs with linear memory usage, high update speed, and high accuracy and supports both edge and subgraph anomaly detection. FHGS first maps each edge into a matrix based on hash functions, and then counts its frequency in a time window with unique fingerprints for detecting anomalies. Extensive experiments confirm that our approach generate high-quality results compared to baseline methods.

mathematics

Su Yang,Wenbin Zhou

DOI: https://doi.org/10.1109/PASSAT/SocialCom.2011.10

2011-01-01

Abstract:Some special natural and social events like natural disasters, terrorism attacks, and traffic accidents may have remarkable effect on people's collective behaviors, which means the behaviors of a large number of people viewed as a whole. Analysis of the patterns of collective behaviors in the sense of data mining is an important topic. Solving this problem is crucial and practical in that online detection of abnormal patterns of people's collective behaviors may lead to rapid response to emergent affairs. In terms of technology, the task can be regarded as detection of abnormal particle movement patterns from a global point of view. In this study, we propose a solution to solve this problem. First, the traffic flows observed by more than 4000 sensors are organized as high-dimensional time series. Second, a widely used manifold learning technique referred to as locally linear embedding (LLE) is used to compute the K coefficients in fitting every data point with its K nearest neighbors in the high-dimensional space, which can be regarded as a K-dimensional local feature associated with every data point. Then, the local features of the data points within a time window are summarized by using principal component analysis (PCA) to obtain a global feature to represent the traffic data in every time window. Finally, outlier detection is performed on such PCALLE feature space. The experimental results show that the proposed method can effectively detect abnormal traffic patterns, which correspond with some special days, like the New Year day, the national day of America, and some days with extreme weather. © 2011 IEEE.