Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Ziyu Wang,Jiahai Yang,Fuliang Li

DOI: https://doi.org/10.1007/978-3-319-23802-9_10

2014-01-01

Abstract:Network anomalies have been a serious challenge for the Internet nowadays. In this paper, two new metrics, IGTE (Inter-group Traffic Entropy) and IGFE (Inter-group Flow Entropy), are proposed for network anomaly detection. It is observed that IGTE and IGFE are highly correlated and usually change synchronously when no anomaly occurs. However, once anomalies occur, this highly linear correlation would be destroyed. Based on this observation, we propose a linear regression model built upon IGTE and IGFE, to detect the network anomalies. We use both CERNET2 netflow data and synthetic data to validate the regression model and its corresponding detection method. The results show that the regression-based method works well and outperforms the well known wavelet-based detection method.

Ziyu Wang,Jiahai Yang,Fuliang Li

DOI: https://doi.org/10.1109/APNOMS.2014.6996537

2014-01-01

Abstract:Anomaly detection has been a hot topic in recent years due to its capability of detecting zero attacks. In this paper, we propose a new on-line anomaly detection method based on LMS algorithm. The basic idea of the LMS-based detector is to predict IGTE using IGFE, given the high linear correlation between them. Using the artificial synthetic data, it is shown that the LMS-based detector possesses strong detection capability, and its false positive rate is within acceptable scope.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Mayra Alexandra Macas Carrasco,Chunming Wu

DOI: https://doi.org/10.1109/icmla.2019.00212

2019-01-01

Abstract:Current Cyber-Physical Systems (CPSs) are sophisticated, complex, and equipped with networked sensors and actuators. As such, they have become further exposed to cyber-attacks. Recent catastrophic events have demonstrated that standard, human-based management of anomaly detection in complex systems is not efficient enough and have underlined the significance of automated detection, intelligent and rapid response. Nevertheless, existing anomaly detection frameworks usually are not capable of dealing with the dynamic and complicated nature of the CPSs. In this study, we introduce an unsupervised framework for anomaly detection based on an Attention-based Spatio-Temporal Autoencoder. In particular, we first construct statistical correlation matrices to characterize the system status across different time steps. Next, a 2D convolutional encoder is employed to encode the patterns of the correlation matrices, whereas an Attention-based Convolutional LSTM Encoder-Decoder (ConvLSTM-ED) is used to capture the temporal dependencies. More precisely, we introduce an input attention mechanism to adaptively select the most significant input features at each time step. Finally, the 2D convolutional decoder reconstructs the correlation matrices. The differences between the reconstructed correlation matrices and the original ones are used as indicators of anomalies. Extensive experimental analysis on data collected from all six stages of Secure Water Treatment (SWaT) testbed, a scaled-down version of a real-world industrial water treatment plant, demonstrates that the proposed model outperforms the state-of-the-art baseline techniques.

Bing Tu,Xianchang Yang,Xianfeng Ou,Guoyun Zhang,Jun Li,Antonio Plaza

DOI: https://doi.org/10.1109/tgrs.2021.3116681

IF: 8.2

2022-01-01

IEEE Transactions on Geoscience and Remote Sensing

Abstract:In hyperspectral anomaly detection, anomalies are rare targets that exhibit distinct spectral signatures from the background. Thus, anomalies are with low probabilities of occurrence in hyperspectral images. In this article, we develop a new technique for hyperspectral anomaly detection that adopts a new information theory perspective, to fully utilize the aforementioned concepts. Our goal is to transform system entropy into quantitative metrics of anomaly conspicuousness of pixels. To do so, two tasks are first completed: first, the construction of occurrence probability of pixels based on the density peak clustering algorithm, and second, the valid system definitions for pixels in specific anomaly detection problems with multiviews. Specifically, three types of systems are separately established by pixel pairs to conform to the definitions of three entropy definitions in information theory, i.e., Shannon entropy, joint entropy, and relative entropy. Then, three individual entropy-based metrics that assess the anomaly conspicuousness are defined. In addition, we design a standard deviation-based ensemble strategy for the integrated representation of the three individual metrics, which considers both logic "OR" and "AND" operations to simultaneously improve the detection rate and reduce the false alarm rate. Our experimental results obtained on two publicly available datasets with anomalies of different sizes and shapes demonstrate the superiority of our newly proposed anomaly detection method.

imaging science & photographic technology,remote sensing,engineering, electrical & electronic,geochemistry & geophysics

Geng Tian,Zhiliang Wang,Xia Yin,Zimu Li,Xingang Shi,Ziyi Lu,Chao Zhou,Yingya Guo

DOI: https://doi.org/10.1109/infcomw.2015.7179342

2015-01-01

Abstract:Traditional information entropy has been proved to be an effective metric on network traffic anomaly detection. However, such a metric shows some limitations in large scale networks with constantly changing flow numbers, and it makes the traditional entropy inefficient for traffic anomaly detection. To address this problem, we propose Adjustable Piecewise Entropy to improve traditional entropy for traffic anomaly detection.

A.S.Syed Navaz,S.Gopalakrishnan,R.Meena

DOI: https://doi.org/10.48550/arXiv.1308.5310

2013-08-24

Abstract:Introducing Internet traffic anomaly detection mechanism based on large deviations results for empirical measures. Using past traffic traces we characterize network traffic during various time-of-day intervals, assuming that it is anomaly-free. Throughout, we compare the two approaches presenting their advantages and disadvantages to identify and classify temporal network anomalies. We also demonstrate how our framework can be used to monitor traffic from multiple network elements in order to identify both spatial and temporal anomalies. We validate our techniques by analyzing real traffic traces with time-stamped anomalies.

Networking and Internet Architecture

Jing Zhang,Yige Yuan,Jiahong Zhang,Yang Yang,Wenjin Xie

DOI: https://doi.org/10.1016/j.jksuci.2023.101860

IF: 9.006

2023-11-27

Journal of King Saud University - Computer and Information Sciences

Abstract:Real-time system status detection must be accurate and reliable due to the close coupling of Cyber-Physical Systems (CPS) components. In order to improve the effectiveness of the CPS anomaly detection method, this paper proposes a real-time detection method based on the least squares algorithm and conditional entropy. To address the issue of overfitting and insufficient generalization of least squares, the penalty term of least squares is optimized by two different functions. Meanwhile, the K-S test is introduced in the time window entropy detection model to tackle the problem of setting threshold. The two detection mechanisms proposed operate in parallel and the initial localization of anomaly source is achieved by the time window entropy mechanism. The proposed method for anomaly detection is assessed using six evaluation metrics and demonstrates an accurate and effective detection capability on both the SWaT dataset and the CICIDS2017 dataset.

computer science, information systems

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Tao Qin,Zhaoli Liu,Pinghui Wang,Shancang Li,Xiaohong Guan,Lixin Gao

DOI: https://doi.org/10.1109/tifs.2019.2933731

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Anomaly detection is an important technique used to identify patterns of unusual network behavior and keep the network under control. Today, network attacks are increasing in terms of both their number and sophistication. To avoid causing significant traffic patterns and being detected by existing techniques, many new attacks tend to involve gradual adjustment of behaviors, which always generate incomplete sessions due to their running mechanisms. Accordingly, in this work, we employ the behavior symmetry degree to profile the anomalies and further identify unusual behaviors. We first proposed a symmetry degree to identify the incomplete sessions generated by unusual behaviors; we then employ a sketch to calculate the symmetry degree of internal hosts to improve the identification efficiency for online applications. To reduce the memory cost and probability of collision, we divide the IP addresses into four segments that can be used as keys of the hash functions in the sketch. Moreover, to further improve detection accuracy, a threshold selection method is proposed for dynamic traffic pattern analysis. The hash functions in the sketch are then designed using Chinese remainder theory, which can analytically trace the IP addresses associated with the anomalies. We tested the proposed techniques based on traffic data collected from the northwest center of CERNET (China Education and Research Network); the results show that the proposed methods can effectively detect anomalies in large-scale networks.

Chen Yang

DOI: https://doi.org/10.1007/s10586-018-1755-5

2018-01-16

Cluster Computing

Abstract:In recent years, there are more and more abnormal activities in the network, which greatly threaten network security. Hence, it is of great importance to collect the data which indicate the running statement of the network, and distinguish the anomaly phenomena of the network in time. In this paper, we propose a novel anomaly network traffic detection algorithm under the cloud computing environment. Firstly, the framework of the anomaly network traffic detection system is illustrated, and six type of network traffic features are consider in this work, that is, (1) number of source IP address, (2) number of source port number, (3) number of destination IP address, (4) number of destination port number, (5) Number of packet type, and (6) number of network packets. Secondly, we propose a novel hybrid information entropy and SVM model to tackle the proposed problem by normalizing values of network features and exploiting SVM detect anomaly network behaviors. Finally, experimental results demonstrate that the proposed algorithm can detect anomaly network traffic with high accuracy and it can also be used in the large scale dataset.

Pelumi Oluwasanya

DOI: https://doi.org/10.48550/arXiv.1708.08813

2017-08-29

Abstract:Anomalies are strange data points; they usually represent an unusual occurrence. Anomaly detection is presented from the perspective of Wireless sensor networks. Different approaches have been taken in the past, as we will see, not only to identify outliers, but also to establish the statistical properties of the different methods. The usual goal is to show that the approach is asymptotically efficient and that the metric used is unbiased or maybe biased. This project is based on a work done by [1]. The approach is based on the principle that the entropy of the data is increased when an anomalous data point is measured. The entropy of the data set is thus to be estimated. In this report however, preliminary efforts at confirming the results of [1] is presented. To estimate the entropy of the dataset, since no parametric form is assumed, the probability density function of the data set is first estimated using data split method. This estimated pdf value is then plugged-in to the entropy estimation formula to estimate the entropy of the dataset. The data (test signal) used in this report is Gaussian distributed with zero mean and variance 4. Results of pdf estimation using the k-nearest neighbour method using the entire dataset, and a data-split method are presented and compared based on how well they approximate the probability density function of a Gaussian with similar mean and variance. The number of nearest neighbours chosen for the purpose of this report is 8. This is arbitrary, but is reasonable since the number of anomalies introduced is expected to be less than this upon data-split. The data-split method is preferred and rightly so.

Machine Learning

Sihan Wang,Zhong Yuan,Chuan Luo,Hongmei Chen,Dezhong Peng

DOI: https://doi.org/10.1016/j.ijar.2023.109087

IF: 4.452

2024-02-01

International Journal of Approximate Reasoning

Abstract:Anomaly detection has been used in a wide range of fields. However, most of the current detection methods are only applicable to certain data, ignoring uncertain information such as fuzziness in the data. Fuzzy rough set theory, as an essential mathematical model for granular computing, provides an effective method for processing uncertain data such as fuzziness. Fuzzy rough entropy has been proposed in fuzzy rough set theory and has been employed successfully in data analysis tasks such as feature selection. However, it mainly uses the intersection operation, which may not effectively reflect the similarity between high-dimensional objects. In response to the two challenges mentioned above, distance-based fuzzy rough entropy and its correlation measures are proposed. Further, the proposed fuzzy rough entropy is used to construct the anomaly detection model and the Fuzzy Rough Entropy-based Anomaly Detection (FREAD) algorithm is designed. Finally, the FREAD algorithm is compared and analyzed with some mainstream anomaly detection algorithms (including COF, DIS, INFLO, LDOF, LoOP, MIX, ODIN, SRO, and VarE algorithms) on some publicly available datasets. Experimental results indicate that the FREAD algorithm significantly outperforms other algorithms in terms of performance and flexibility. The code is publicly available online at https://github.com/optimusprimeyy/FREAD.

computer science, artificial intelligence

ZM Cai,XH Guan,P Shao,QK Peng,GJ Sun

DOI: https://doi.org/10.1111/1468-0394.00249

IF: 3.3

2003-01-01

Expert Systems

Abstract:Abstract: Intrusion detection is important in the defense‐in‐depth network security framework. This paper presents an effective method for anomaly intrusion detection with low overhead and high efficiency. The method is based on rough set theory to extract a set of detection rules with a minimal size as the normal behavior model from the system call sequences generated during the normal execution of a process. It is capable of detecting the abnormal operating status of a process and thus reporting a possible intrusion. Compared with other methods, the method requires a smaller size of training data set and less effort to collect training data and is more suitable for real‐time detection. Empirical results show that the method is promising in terms of detection accuracy, required training data set and efficiency.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Keisuke Yoshihara,Kei Takahashi

DOI: https://doi.org/10.1371/journal.pone.0262463

IF: 3.7

2022-01-11

PLoS ONE

Abstract:We propose a simple anomaly detection method that is applicable to unlabeled time series data and is sufficiently tractable, even for non-technical entities, by using the density ratio estimation based on the state space model. Our detection rule is based on the ratio of log-likelihoods estimated by the dynamic linear model, i.e. the ratio of log-likelihood in our model to that in an over-dispersed model that we will call the NULL model. Using the Yahoo S5 data set and the Numenta Anomaly Benchmark data set, publicly available and commonly used benchmark data sets, we find that our method achieves better or comparable performance compared to the existing methods. The result implies that it is essential in time series anomaly detection to incorporate the specific information on time series data into the model. In addition, we apply the proposed method to unlabeled Web time series data, specifically, daily page view and average session duration data on an electronic commerce site that deals in insurance goods to show the applicability of our method to unlabeled real-world data. We find that the increase in page view caused by e-mail newsletter deliveries is less likely to contribute to completing an insurance contract. The result also suggests the importance of the simultaneous monitoring of more than one time series.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Tirthankar Ghosh,Sikha Bagui,Subhash Bagui,Martin Kadzis,Jackson Bare

DOI: https://doi.org/10.3390/jcp3040041

2023-12-01

Journal of Cybersecurity and Privacy

Abstract:This article presents a statistical approach using entropy and classification-based analysis to detect anomalies in industrial control systems traffic. Several statistical techniques have been proposed to create baselines and measure deviation to detect intrusion in enterprise networks with a centralized intrusion detection approach in mind. Looking at traffic volume alone to find anomalous deviation may not be enough—it may result in increased false positives. The near real-time communication requirements, coupled with the lack of centralized infrastructure in operations technology and limited resources of the sensor motes, require an efficient anomaly detection system characterized by these limitations. This paper presents extended results from our previous work by presenting a detailed cluster-based entropy analysis on selected network traffic features. It further extends the analysis using a classification-based approach. Our detailed entropy analysis corroborates with our earlier findings that, although some degree of anomaly may be detected using univariate and bivariate entropy analysis for Denial of Service (DOS) and Man-in-the-Middle (MITM) attacks, not much information may be obtained for the initial reconnaissance, thus preventing early stages of attack detection in the Cyber Kill Chain. Our classification-based analysis shows that, overall, the classification results of the DOS attacks were much higher than the MITM attacks using two Modbus features in addition to the three TCP/IP features. In terms of classifiers, J48 and random forest had the best classification results and can be considered comparable. For the DOS attack, no resampling with the 60–40 (training/testing split) had the best results (average accuracy of 97.87%), but for the MITM attack, the 80–20 non-attack vs. attack data with the 75–25 split (average accuracy of 82.81%) had the best results.

computer science, information systems, interdisciplinary applications, software engineering

Bin Zhang,Jiahai Yang,Jianping Wu,Ziyu Wang

DOI: https://doi.org/10.1093/comjnl/bxr134

2013-01-01

Abstract:In this paper, we present a statistical analysis of six traffic features based on entropy and distinct feature number at the packet level, and we find that, although these traffic features are unstable and show seasonal patterns like traffic volume for a long period, they are stable and consistent with Gaussian distribution in a short time period. However, this equilibrium property will be violated by some anomalies. Based on this observation, we propose a Multi-dimensional Clustering method for Short-time scale Traffic(MCST) to classify abnormal and normal traffic. We compare our new method to the well known wavelet technique. The detection result on synthetic anomaly traffic shows MCST can better detect the low-rate attacks than wavelet-based method, and detection result on real traffic demonstrates that MCST can detect more anomalies with low false alarm rate.