Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Xiejun Ni,Daojing He,Farooq Ahmad

DOI: https://doi.org/10.21015/vtse.v9i2.403

2016-01-01

VFAST Transactions on Software Engineering

Abstract:Revised July 2015 ABSTRACT. Network anomaly detection is an effective way to detect intrusions which defends our computer systems or network from attackers on the Internet. In this paper, we introduce the current research works in network anomaly detection and consider several pratical solutions for this issue. Different from signature-based method, data mining techniques can automatically extract normal pattern from a large set of network data and distinguish them from each other. However, those data mining techniques, such as classification, clustering, association rules and feature selection, can not be applied into this problem directly due to the characteristic of network data and technique themselves. We analyze those unfitness and propose some adaptation to detect anomaly timely and accurately.

H. P. Yao,Y. Q. Liu,C. Fang

DOI: https://doi.org/10.15837/ijccc.2016.4.2315

IF: 2.635

2016-01-01

International Journal of Computers Communications & Control

Abstract:Anomaly network detection is a very important way to analyze and detect malicious behavior in network. How to effectively detect anomaly network flow under the pressure of big data is a very important area, which has attracted more and more researchers' attention. In this paper, we propose a new model based on big data analysis, which can avoid the influence brought by adjustment of network traffic distribution, increase detection accuracy and reduce the false negative rate. Simulation results reveal that, compared with k-means, decision tree and random forest algorithms, the proposed model has a much better performance, which can achieve a detection rate of 95.4% on normal data, 98.6% on DoS attack, 93.9% on Probe attack, 56.1% on U2R attack, and 77.2% on R2L attack.

宋世杰,胡华平,胡笑蕾,金士尧

2003-01-01

Abstract:The key issue of anomaly NIDS is building normal patterns, comparing current system or user behaviors with history behaviors, and then detecting intrusion. We introduced some data mining algorithms, presentd a classification method of IDS based on data mining, and described the process of data mining application in anomaly NIDS from network layer and application layer. We proposed three methods of pattern comparison in detail, and verified that the obtained normal audit data is enough for network layer anomaly NIDS.'

吕志军,袁卫忠,仲海骏,黄皓,曾庆凯,谢立

DOI: https://doi.org/10.3969/j.issn.1002-137x.2004.10.015

2004-01-01

Computer Science

Abstract:Intrusion detection system(IDS)must be capable of detecting new and unknown attacks. In this paper, we propose an Anomaly Detection System based on Data Mining(ADESDM). Firstly, ADESDM mine suspicious behaviors in the protocol header, ports and application data with strong association rules and weak association rules; then, it sends the suspicious behaviors to the Deciding Module based on Bayesian Belief Net (DMBBN). In real network communications, the attributes, such as time, direction, ports and IP addresses, are influencing each other. The DMBBN illustrates the conditional probabilities and relationship among the above attributes, and uses them to determine whether the suspicious behaviors are normal ones or attacks. Thus, system can reduce the false alarm rate.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

Lei Zhang,Jianqing Zhang,Yong Chen,Shaowen Liao

DOI: https://doi.org/10.1109/icicta.2018.00074

2018-01-01

Abstract:In this paper, a hybrid intrusion detection model based on data mining, which is commonly used in network security anomaly detection, is proposed that combines anomaly detection with misuse detection technology. Two test stages were formed and applied to the instrusion detection system in the process of large-scale network traffic detection. On the basis of improving the detection ability of the massive information detection system, the security of the data source of the intrusion detection system was ensured.

Hua Tang,Zhuolin Cao

2009-01-01

Journal of Computational Information Systems

Abstract:Machine learning-based intrusion detection approaches have attracted increasing attention in the network intrusion detection research area because of their intrinsic capabilities in discovering novel attacks. In this paper we propose a new approach to detect network attacks, which aims to study the efficiency of the method based on machine learning in intrusion detection, including artificial neural networks and support vector machine. It will provide an important reference for the future research. The experimental results obtained by applying this approach to the KDD CUP'99 data set demonstrate that the proposed approach performs high performance, especially to U2R and U2L type attacks. 1553-9105/ Copyright © 2009 Binary Information Press.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

ZHANG Jin-rong,LIU Feng,ZHAO Zhi-hong,LUO Bin

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.24.052

2009-01-01

Abstract:There are many problems such as poor adaptability,limited extensibility and experts hand-coding in traditional intrusion detection systems.Data mining-based intrusion detection techniques can extract knowledge and patterns of abnormal intrusions and normal user profiles from training data automatically,hence resolving the problems of tradition IDS properly.Main applications of data mining to network intrusion detection are surveied,i.e.clustering analysis,classification analysis,association rule analysis and sequential patterns analysis.Basic principles of each as well as latest research and improvements.At last,a summary of existing problems and future research directions is given.

Xiao-Feng Wang,Jing-Li Zhou,Sheng-Sheng Yu,Long-Zheng Cai

DOI: https://doi.org/10.1007/11540007_39

2006-01-01

Abstract:HTTP request exploitations take substantial portion of network-based attacks. This paper presents a novel anomaly detection framework, which uses data mining technologies to build four independent detection models. In the training phase, these models mine specialty of every web program using web server log files as data source, and in the detection phase, each model takes the HTTP requests upon detection as input and calculates at least one anomalous probability as output. All the four models totally generate eight anomalous probabilities, which are weighted and summed up to produce a final probability, and this probability is used to decide whether the request is malicious or not. Experiments prove that our detection framework achieves close to perfect detection rate under very few false positives.

Lei Zhang,Changjiang Liu,Yong Chen,Shaowen Lao

DOI: https://doi.org/10.1109/ICICTA.2018.00009

2018-01-01

Abstract:This paper introduces the latest development of intrusion detection based on data mining, and studies the key technologies of network intrusion detection based on data mining, especially outlier mining. A anomaly detection model based on outlier mining is proposed. The model firstly preprocesses the data and sets the normal sample set, calculates the outlier score of each sample in the normal sample set, and combines it with the specified outlier value threshold. The normal behavior profile is formed, which can be used as the basis for detection.

Xu Tao,Zhang Wei,Li XuHong,Wang Xia,Pan Wenwen

DOI: https://doi.org/10.2991/iccmcee-15.2015.244

2015-01-01

Abstract:The rapid development of the Internet makes distributed computing has become a mainstream application, network openness, connectivity, shared characteristics, so that the risk of suffering from the growing network intrusions. How to ensure the network and information security has become very important in the field of security issues. From the initial access control mechanisms to combine packet filtering and application layer gateway firewall technology, each is not the perfect solution. Intrusion detection is a network and information security architecture an important part of the intrusion detection system put forward higher requirements. Current greatest weakness of the face of live flowers audit records cannot be quickly mass intrusion detection and high false positive rate of serious impact on system performance. This paper proposes a new intrusion detection method, and on this basis, based on data mining developed based anomaly intrusion detection system prototype network.

ZHAO Hui,ZHANG Peng

DOI: https://doi.org/10.3969/j.issn.1673-629X.2009.08.044

2009-01-01

Abstract:Currently the main technology of intrusion detection system is feature detection,which can only detect the known intrusion,and anomaly detection can be used to detect the unknown intrusion,it is unable to ensure its accuracy and reliability.While anomaly detection is based on uncertain behavior,which can only describe the trend of behavior,feature detection is based on accurate feature locating.In this paper proposed a method which incorporate anomaly detection and feature detection to gain better performance,and also discussed the intrusion detection system model based on feature detection and anomaly detection.

ZHAO Yu-ming,ZHANG Wei,teng SH

2007-01-01

Abstract:The technique of intrusion detection has become a focus in the field ofnetwork security. This paper introduced the categories of intrusion detection and the methods of data mining applied in abnormal detection. It also described the design and implementation of the abnormal IDS based on system call and data mining algorithms.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

杨建华,蒋玉明,彭轮

DOI: https://doi.org/10.3969/j.issn.1008-0570.2009.24.011

2009-01-01

Abstract:In this paper an intrusion detection system based on data mining is proposed,and its main idea is to apply data mining methods to learn rules that can capture normal and intrusion activities from pre-processed audit data that contain network connection information. Put forward a method to improve the Apriori algorithm,whose I/O is quite surprising when scanning the database. To improve the method is feasible;the normal rules in the knowledge database in IDS are mined. And the experiment indicates that the model can produce new rules,which approve the validity and the feasibility of the IDS.

Tianqi Yang

DOI: https://doi.org/10.1109/ICNNB.2005.1614797

2005-01-01

Abstract:Given the widespread use of modern information technology, a large number of time series may be collected during network security applications. The paper use a computer and network security as a case to illustrate how data mining can be applied to such time series, and help network intrusion detection reap the benefits of such an effort. Instead of a traditional approach of principal component analysis (PCA), nature moving average (ARMA) and Hopfield models are employed to analyze the time series. To illustrate the feasibility and simplicity of the above procedures for time series data mining, the problem of measuring normality in HTTP traffic for the purpose of anomaly-based network intrusion detection is addressed. The detection results provided by our approach show important improvements, both in detection ratio and regarding false alarms, in comparison with those obtained using other current techniques

Dingde Jiang,Zhengzheng Xu,Peng Zhang,Ting Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.09.014

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic anomalies contain existing abnormal changes in network traffic, which are derived from malicious and anomalous behaviors of users or network devices, such as network faults, abuses, network attacks, etc. These anomalies often damage our operation networks and even lead to network disruptions. In the present paper, we propose a novel method for detecting traffic anomalies in a network by exacting and capturing their features in the transform domain. Here, we take in consideration network topology information and network-wide traffic jointly. We find that anomalous network-wide traffic usually exhibits distinct high-frequency nature. This motivates us to utilize transform domain analysis theory to characterize network-wide traffic to identify its abnormal components. Besides, we group all origin-destination flows in the network in accordance with common destination nodes. By combining network topology information and transform-domain analysis in the given time window, the specious traffic components can be found and identified. Simulation results show that our detection algorithm exhibits a fairly robust detection ability and provides the better detection performance than previous algorithms. (c) 2013 Elsevier Ltd. All rights reserved.

Rongrong Fu,Kangfeng Zheng,Dongmei Zhang,Yixian Yang

DOI: https://doi.org/10.1049/cp.2011.1014

2011-01-01

Abstract:Internet of things (IOT) is vulnerable to malicious attacks because of opening deployment and limited resources. It's heterogeneous and distributed characters make conventional intrusion detection methodologies hard to deploy. To overcome this problem, this paper shows an intrusion detection scheme based on the anomaly mining. The paper has two parts (i) in the first part an anomaly mining algorithm is developed to detect anomaly data of perception layer, (ii) in the second part a distributed intrusion detection scheme is designed based on the detected anomalies. Since not all anomalies are triggered by malicious intrusion, the intrusion semantic is analyzed to distinguish intrusion behaviors from anomalies. Finally our evaluation and analysis shows that our approach is accurate and extensible.