Li Zonglin,Hu Guangmin,Yao Xingmiao,Yang Dan

DOI: https://doi.org/10.1155/2009/752818

2008-01-01

EURASIP Journal on Advances in Signal Processing

Abstract:Distributed network traffic anomaly refers to a traffic abnormal behavior involving many links of a network and caused by the same source (e.g., DDoS attack, worm propagation). The anomaly transiting in a single link might be unnoticeable and hard to detect, while the anomalous aggregation from many links can be prevailing, and does more harm to the networks. Aiming at the similar features of distributed traffic anomaly on many links, this paper proposes a network-wide detection method by performing anomalous correlation analysis of traffic signals' instantaneous parameters. In our method, traffic signals' instantaneous parameters are firstly computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.

Jia-chun LI,Zhi-tang Li

2004-01-01

Abstract:In order to reduce duplicated or incomplete or imperfect alerts in distributed intrusion detection systems and false alert rate, so as to solve alert correlation mixing prerequisites and consequences of intrusions with characteristic similarity of intrusions, a hierarchical correlation algorithm is presented in this paper. Based on the detect time similarity, alert correlation analysis is divided into two class: probabilistic correlation and consequence correlation. Adjustable increment Bayesian classifier and real-time correlation algorithm based on prerequisites and consequences of intrusions are given. As a result, alert correlation mixing multi-character is implemented and the alert correlation rate is improved. 2000 DARPA LLDOS1.0 from MIT Lincoln Lab is used to evaluate the hierarchical correlation algorithm, and the experiment results show the efficiency of the algorithm.

Xuejiao Liu,Yingjie Xia,Yanbo Wang,Jing Ren

DOI: https://doi.org/10.1002/sec.855

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:A challenge faced by many system administrators in utilizing the intrusion detection system (IDS) is to sift out genuine alerts buried with overwhelming alerts of benign activities generated by the IDS, especially for IDS deployed in large networks. Existing methods propose to identify the real alerts to aid the administrators. In our paper, we extend the idea of filtering irrelevant alerts based on alert volumes. And we formulate the flow estimation of abrupt changes in feature distribution caused by anomalies, by computing Kullback-Leibler distance of alert feature values under observation in comparison with a reference distribution, which is the mixture of a distribution drawing a tread from historical alerts, and a distribution derived from expertise provided by administrators. Experimental studies on the Defense Advanced Research Projects Agency dataset as well as real-life data gathered from the IDS of a large network show that our method is able to distinguish and highlight genuine anomalies arising from the tremendous number of intrusion alerts, including different kinds of attacks and network failures. Application of this technique to alerts greatly helps the administrators in identifying real alerts and then reduces the alert load in the future. Copyright (C) 2013 John Wiley & Sons, Ltd.

Sizheng Chen,Dong Yan,Xing He

DOI: https://doi.org/10.23919/ccc63176.2024.10662146

2024-01-01

Abstract:Anomaly detection is a crucial task in monitoring the diverse states within Industrial Control Systems (ICS), which are typically characterized by Multivariate Time Series (MTS). Accurately detecting anomalies, along with identifying a set of highly anomalous metrics to explain these anomalies, is essential for facilitating effective troubleshooting. This paper introduces a sophisticated deep learning method that comprehensively addresses both temporal and feature correlations within multivariate time series data. During training, this method integrates models based on both forecasting and reconstruction. The forecasting model adeptly captures the temporal and feature dependencies within the data. Meanwhile, the reconstruction model enhances the system’s robustness, accommodating the stochastic nature of the time series and better resisting perturbations and noise. By synergizing these approaches, the method capitalizes on their combined strengths. The efficacy of this model is demonstrated through its evaluation on the SWaT water treatment dataset, where it achieves an impressive average anomaly detection F1-Score of 0.93, outperforming other methodologies in the field.

Fan Yang,Sirish Lalji Shah,Deyun Xiao,Tongwen Chen

DOI: https://doi.org/10.1016/j.isatra.2012.03.005

IF: 7.3

2012-01-01

ISA Transactions

Abstract:The problem of multivariate alarm analysis and rationalization is complex and important in the area of smart alarm management due to the interrelationships between variables. The technique of capturing and visualizing the correlation information, especially from historical alarm data directly, is beneficial for further analysis. In this paper, the Gaussian kernel method is applied to generate pseudo continuous time series from the original binary alarm data. This can reduce the influence of missed, false, and chattering alarms. By taking into account time lags between alarm variables, a correlation color map of the transformed or pseudo data is used to show clusters of correlated variables with the alarm tags reordered to better group the correlated alarms. Thereafter correlation and redundancy information can be easily found and used to improve the alarm settings; and statistical methods such as singular value decomposition techniques can be applied within each cluster to help design multivariate alarm strategies. Industrial case studies are given to illustrate the practicality and efficacy of the proposed method. This improved method is shown to be better than the alarm similarity color map when applied in the analysis of industrial alarm data.

杨丹,胡光岷,李宗林,姚兴苗

DOI: https://doi.org/10.3969/j.issn.1001-0548.2008.06.006

2008-01-01

Abstract:Aiming at the lack of the single link's anomaly detection and the network-wide traffic's anomaly detection,we propose a network-wide multi-traffic correlative anomaly detection method. This method uses the characteristic that the anomaly signals on different links or origin-destination(OD) flows,produced by one anomaly,are similar in frequency,the transformation characteristic of the amplitude,and so on. And the comparability is used as the evidence of the anomaly detection. In principle,the traffic is forecasted by the previous data on every OD flow or link,the anomaly traffic is obtained by subtracting the real traffic from the forecast data,and lastly,the traffic anomaly is detected by global correlation analysis on all traffics. Simulation result indicates that this kind of method can detect the anomaly.

Yuan LI,Zhanpeng ZHANG,Mingyuan XU,Bingzhen CHEN,Jinsong ZHAO

DOI: https://doi.org/10.11949/j.issn.0438-1157.20150803

2015-01-01

Abstract:Alarm correlation mining is a key part of alarm management which plays an important role for chemical process safety. According to the traditional alarm correlation mining algorithms which is based on hierarchical clustering schemes, this paper proposed a non-regular alarm correlation calculation method to make up the deficiency that the traditional algorithms have, in dealing with the situation of delayed time change and asymmetry of alarms. Moreover, the value of alarm correlation was determined in the form of probability, which made the alarm correlation among different tags comparable. Furthermore, case studies based on simulation and real industrial process data were performed to demonstrate the effectiveness of the proposed methods in mining alarm correlation.

Huang Kai,Zhengwei Qi,Liu Bo

DOI: https://doi.org/10.1109/WAINA.2009.58

2009-01-01

Abstract:Network always suffers from the traffic anomaly such as router rate change, device restart or the worm attack. The early detection of unusual anomaly in the network is a key to fast recover and avoidance of future serious problem to provide a stable network transmission. In this paper we present a statistical approach to analysis the distribution of network traffic to identify the normal network traffic behavior. We adapt the EM algorism to estimate the distribution parameter of Gaussian mixture distribution model. If only there is a statistical signature of unusual fluctuation or change in the network traffic an alarm will be triggered. We adapt the time series analysis of the statistical analysis result. Up bound and low bound will be defined through the analysis. The exceeding of the bound will be the signal of traffic anomaly. Another time series analysis approach also can reflect the fluctuation of network with the crossover of two indicator lines called K line and D line. These two indicator lines are some think like the mean value of the historical data in a time slice with one more sensitive to the change of the new coming data and another not. The approach three-MACD indicator approach is like the K D approach but more blunt to the unusual fluctuation of network traffic which can submit an alarm more correctly.

Ping Yi,Hongkai Xing,Yue Wu,Linchun Li

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

GUO Shan-qing,YANG Xue-lin,ZENG Ying-pei,XIE Li,GAO Cong

2005-01-01

Abstract:security devices(e.g.firewalls,IDS's,anti-virus tools etc) that have been widely adopted in enterprise environments may generate huge amounts of independent,raw attack alerts,which are characterized by high false positive ratio and false negative ratio.As a result,it is difficult for users to understand these alerts and respond correspondingly.Therefore,handling the huge number of alerts produced by security devices is becoming a critical and challenging task in network security research.A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario.A general survey of the contemporary alerts correlation algorithms was given in this paper by a straight forward classification paradigm,and some problems for future research were addressed.

Mingxin Tang,Wei Chen,Wen Yang

DOI: https://doi.org/10.1080/09540091.2022.2092594

2022-01-01

Connection Science

Abstract:Anomaly detection of multi-dimensional time-series data is a key research area, and the analysis of control, switching, and other state signals (i.e., industrial state quantity time series) is of particular importance to the operational sciences. When only the limited values of industrial state quantities are taken in the discrete set, there is no continuous change trend, making it difficult to achieve good results when applying analogue anomaly detection methods directly. In this study, assuming a correlation between the time series of state and analogue quantities in industrial systems, a model for anomaly detection in state quantity time-series data is built through a correlation supported by long short-term memory, and the model is verified using real physical process data. These results demonstrate that the proposed method is superior to extant industrial time-series models. Thus far, no studies focusing on the anomaly detection of two-state quantity time-series outliers have been performed. We believe that the research problem addressed herein and the proposed method contribute an interesting design methodology for the anomaly detection of time-series data in IIoT.

Xin Shi,Robert Qiu,Zenan Ling,Fan Yang,Haosen Yang,Xing He

DOI: https://doi.org/10.1109/tsg.2019.2929219

IF: 10.275

2019-01-01

IEEE Transactions on Smart Grid

Abstract:The online monitoring data in distribution networks contain rich information on the running states of the networks. By leveraging the data, this paper proposes a spatio-temporal correlation analysis approach for anomaly detection and location in distribution networks. First, spatio-temporal matrix for each feeder line in a distribution network is formulated and the spectrum of its covariance matrix is analyzed. The spectrum is complex and exhibits two aspects: 1) bulk, which arises from random noise or fluctuations and 2) spikes, which represents factors caused by anomaly signals or fault disturbances. Then, by connecting the estimation of the number of factors to the limiting empirical spectral density of covariance matrices of residuals, the spatio-temporal parameters are accurately estimated, during which free random variable techniques are used. Based on the estimators, anomaly indicators are designed to detect and locate the anomalies by exploring the variations of spatio-temporal correlations in the data. The proposed approach is sensitive to the anomalies and robust to random fluctuations, which makes it possible for detecting early anomalies and reducing false alarming rate. Case studies on both synthetic data and real-world online monitoring data verify the effectiveness and advantages of the proposed approach.

Jianwei Ding,Yingbo Liu,Li Zhang,Jianmin Wang,Yonghong Liu

DOI: https://doi.org/10.1007/s10489-015-0713-7

IF: 5.3

2015-01-01

Applied Intelligence

Abstract:Condition monitoring systems are widely used to monitor the working condition of equipment, generating a vast amount and variety of monitoring data in the process. The main task of surveillance focuses on detecting anomalies in these routinely collected monitoring data, intended to help detect possible faults in the equipment. However, with the rapid increase in the volume of monitoring data, it is a nontrivial task to scan all the monitoring data to detect anomalies. In this paper, we propose an approach called latent correlation-based anomaly detection (LCAD) that efficiently and effectively detects potential anomalies from a large number of correlative isomerous monitoring data series. Instead of focusing on one or more isomorphic monitoring data series, LCAD identifies anomalies by modeling the latent correlation among multiple correlative isomerous monitoring data series, using a probabilistic distribution model called the latent correlation probabilistic model, which helps to detect anomalies according to their relations with the model. Experimental results on real-world data sets show that when dealing with a large number of correlative isomerous monitoring data series, LCAD yields better performances than existing anomaly detection approaches.

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

王沐贤,丁小欧,王宏志,李建中

DOI: https://doi.org/10.3778/j.issn.1673-9418.2008100

2020-01-01

Abstract:This paper proposes a multi-dimensional time series anomaly data detection method based on correlation analysis, to trace the cause of anomaly detection: system failure data and sensor quality problem data are classified, and then real system failures are identified to avoid false detection. Firstly, the time series correlation graph model is proposed, which is further summarized as the time series correlation loop model. The time series correlation set is obtained by extracting the features in the time series correlation cycle, the cause of abnormality is detected, and the system failure is judged according to the result. Through a large number of experiments on real industrial data sets, the effectiveness of the method in the detection of abnormal sources of high-dimensional time series data is verified. Through comparative experiments, it is verified that the method is superior to fundamental algorithms based on statistics and machine learning models in terms of stability and efficiency. The higher dimensionality of time series, the more obvious improvement of the method compared with the fundamental algorithms. This method not only saves the cost, but also realizes the accurate identification of multi-dimensional abnormal data.

Zheng Chen,Xinli Yu,Yuan Ling,Bo Song,Wei Quan,Xiaohua Hu,Erjia Yan

DOI: https://doi.org/10.48550/arXiv.1812.09387

2019-01-15

Abstract:Correlated anomaly detection (CAD) from streaming data is a type of group anomaly detection and an essential task in useful real-time data mining applications like botnet detection, financial event detection, industrial process monitor, etc. The primary approach for this type of detection in previous researches is based on principal score (PS) of divided batches or sliding windows by computing top eigenvalues of the correlation matrix, e.g. the Lanczos algorithm. However, this paper brings up the phenomenon of principal score degeneration for large data set, and then mathematically and practically prove current PS-based methods are likely to fail for CAD on large-scale streaming data even if the number of correlated anomalies grows with the data size at a reasonable rate; in reality, anomalies tend to be the minority of the data, and this issue can be more serious. We propose a framework with two novel randomized algorithms rPS and gPS for better detection of correlated anomalies from large streaming data of various correlation strength. The experiment shows high and balanced recall and estimated accuracy of our framework for anomaly detection from a large server log data set and a U.S. stock daily price data set in comparison to direct principal score evaluation and some other recent group anomaly detection algorithms. Moreover, our techniques significantly improve the computation efficiency and scalability for principal score calculation.

Machine Learning

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

DUAN Hai-xin,YU Xue-li,WANG Lan-jia

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.032

2005-01-01

Abstract:The alert flood of current IDSes often overwhelms the security administrators,which largely decreases the effectiveness of IDS.The correlation of original alerts plays an important role in distributed IDS,which can draw out the effective attacks from a large number of alerts,and analyze the real intension of attackers.In this paper,the merits and defects of typical correlation algorithms are analyzed.An algorithm of alert correlation based on address correlation graph(ACG) is proposed here.The algorithm can be used to analyze the original alerts with ACG model,which can get the intrusion path of attackers through the relation and steps of different attacks,and then analyze the intension of attackers.The algorithm is easy to be implemented because it does not depend on a predefined base of correlation knowledge or a forehand training of correlation model.

Ning Chen,Xiao-Su Chen,Bing Xiong,Hong-Wei Lu

DOI: https://doi.org/10.1109/embeddedcom-scalcom.2009.50

2009-01-01

Abstract:Based on TCP protocol, this paper aims at TCP flows, discusses the effects of multivariate correlation analysis on network traffic, obtains the quantitative relationship between different types of TCP packets in each time unit by correlation coefficient matrix, and finally proposes an anomaly detection and analysis method based on the correlation coefficient matrix. The experimental results show that our method can efficiently distinguish normal and abnormal traffic, and accurately detect and classify various anomaly behaviors (such as network scanning and DDoS attacks) in network traffic. The linear complexity of our method makes real-time detection and analysis practical.

ZHANG Hong-bing,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.09.059

2007-01-01

Abstract:As the problem of network security is getting worse, more and more IDSs have been used for networK protection However, so many security administrators are overwhelmed by thousands of alerts generated by IDSs everyday. Therefore, it has become a key development for IDS to automatically correlate these alerts and thus reduce their numbers. In this paper, a novel method is proposed, which is based on description logics and is used to define the attacks. This method takes attack scenarios as carriers to match the in-succession alerts and sets of abilities as bridges to construct attack scenarios. By this way, the inherent logic relations between different alerts can be displayed clearly and thus the basis for realization of the alert correlation and merge-sort is provided.