Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Yunlong Niu,Yunfeia Luo,Feiyun Cong,Huidi Zheng,Xinggao Liu

DOI: https://doi.org/10.2298/ntrp2401047y

2024-01-01

Abstract:The state-controlled radiation environment automatic monitoring stations are important facilities for monitoring the quality and trends of the radiation environment. However, the anal ysis and utilization of monitoring data from these stations have limitations. To address this is sue, this pa per pro poses an ap proach that uti lizes the high-di men sional data vi su al iza tion method based on t-SNE and PCA-BIRCH algorithm's spectrum clustering model to classify historical spectrum data. Subsequently, a local outlier factor-based environmental spectrum abnormal fluctuation detection model is established to enhance discrimination of non-environmental factors causing spectrum anomalies. Results indicate significant differences in spectrum aggregation under different meteorological conditions. The clustering algo rithm ef fec tively sep a rates clear and rainy weather spec tra based on spec tral fea tures, with min i mal time con sump tion and re duced in ter fer ence from mixed spec trum data. By uti liz ing local density features, we establish an anomaly detection model, assigning an abnormal score to each spectrum. Comparative analysis demonstrates improved discriminability of the anomaly detection model for unclassified datasets. Our algorithm accurately identifies spectrum fluctuations caused by non-environmental factors amidst complex backgrounds, offering valuable technical support for environmental quality assurance and nuclear emergency decision-making.

Gerard Shu Fuhnwi,Janet O. Agbaje,Kayode Oshinubi,Olumuyiwa James Peter

DOI: https://doi.org/10.46481/jnsps.2023.1364

2023-04-19

Journal of the Nigerian Society of Physical Sciences

Abstract:In data mining, and statistics, anomaly detection is the process of finding data patterns (outcomes, values, or observations) that deviate from the rest of the other observations or outcomes. Anomaly detection is heavily used in solving real-world problems in many application domains, like medicine, finance , cybersecurity, banking, networking, transportation, and military surveillance for enemy activities, but not limited to only these fields. In this paper, we present an empirical study on unsupervised anomaly detection techniques such as Density-Based Spatial Clustering of Applications with Noise (DBSCAN), (DBSCAN++) (with uniform initialization, k-center initialization, uniform with approximate neighbor initialization, and $k$-center with approximate neighbor initialization), and $k$-means$--$ algorithms on six benchmark imbalanced data sets. Findings from our in-depth empirical study show that k-means-- is more robust than DBSCAN, and DBSCAN++, in terms of the different evaluation measures (F1-score, False alarm rate, Adjusted rand index, and Jaccard coefficient), and running time. We also observe that DBSCAN performs very well on data sets with fewer number of data points. Moreover, the results indicate that the choice of clustering algorithm can significantly impact the performance of anomaly detection and that the performance of different algorithms varies depending on the characteristics of the data. Overall, this study provides insights into the strengths and limitations of different clustering algorithms for anomaly detection and can help guide the selection of appropriate algorithms for specific applications.

Weigang Liu

DOI: https://doi.org/10.1155/2022/4927504

2022-06-10

Wireless Communications and Mobile Computing

Abstract:Attacks on network systems are becoming more and more common, the current state of increasingly sophisticated attack methods, the emergence of intrusion prevention technology is the inevitable result of the development of computer technology and network technology, and research on intrusion prevention has become a new focus of network security technology research in recent years. In order to ensure the security of computer network confidential information, the authors propose a semisupervised clustering intrusion detection algorithm. An overview of machine learning, followed by an explanation of the theory of cluster analysis, simulation experiments were carried out using the K -means algorithm and the semisupervised clustering algorithm proposed by the author, for 10,000 records, the K -means clustering algorithm and the semisupervised clustering algorithm described in this paper are used, respectively, and intrusion detection data tests were performed. At the same time, different K values were selected, three datasets were selected from "kddcup.newtestdata_10_percent_corrected," the test data were tested separately, and their average value was taken as the test result. From the simulation results, the detection rate of the semisupervised clustering algorithm is higher than that of the K -means clustering algorithm, and the false alarm rate and K -means algorithms have also been improved. Therefore, the author's semisupervised algorithm enhances the stability of the system, and the performance of the K -means algorithm is improved to a certain extent. When the value of K gradually increases, the false alarm rate also increases; however, when K is 20, the detection rate is maximized, from this, it can be known that when K is 20, its detection rate reaches 91.76%, and the false alarm rate is 8.54%. The detection rate of the author's algorithm is significantly higher than the other two algorithms, the false positive rate is slightly higher than K -means, and the false positive rate is lower than that of the other algorithm, proving the superior performance of our algorithm.

computer science, information systems,telecommunications,engineering, electrical & electronic

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Weiwu Ren,Jianfei Zhang,Xiaoqiang Di,Yinan Lu,Bochen Zhang,Jianping Zhao,,

DOI: https://doi.org/10.20965/jaciii.2020.p0453

2020-07-20

Journal of Advanced Computational Intelligence and Intelligent Informatics

Abstract:Clustering by fast search and find of density peak (CFSFDP) is a simple and crisp density-clustering algorithm. The original algorithm is not suitable for direct application to anomaly detection. Its clustering results have a high level of redundant density information. If used directly as behavior profiles, the computation and storage costs of anomaly detection are high. Therefore, an improved algorithm based on CFSFDP is proposed for anomaly detection. The improved algorithm uses a few data points and their radius to support behavior profiles, and deletes the redundant data points without supporting profiles. This method not only reduces the large amount of data storage and distance calculation in the process of generating profiles, but also reduces the search space of profiles in the detection process. Numerous experiments show that the improved algorithm generates profiles faster than density-based spatial clustering of application with noise (DBSCAN), and has better profile precision than adaptive real-time anomaly detection with incremental clustering (ADWICE). The improved algorithm inherits the arbitrary shape clusters of CFSFDP, and improves the storage and computation performance. Compared with DBSCAN and ADWICE, the improved anomaly-detection algorithm based on CFSFDP has more balanced detection precision and real-time performance.

Juan Du,Ping Xie,Junlong Zhu,Ruijuan Zheng,Qingtao Wu,Mingchuan Zhang

DOI: https://doi.org/10.1049/iet-net.2017.0127

2018-03-01

IET Networks

Abstract:With the development of cloud computing in the mobile communications industry, the credibility between users and the cloud has become an important obstacle to the development of mobile cloud services. Therefore, the user's abnormal behaviour detection is particularly important. The authors propose a selective clustering ensemble algorithm based on fractal dimension. In their proposed algorithm, they firstly use the sliding window to dynamically obtain data to improve the accuracy of user behaviour acquisition. Secondly, they use the initial clustering stage and incremental clustering stage to produce clustered members. Thirdly, they also use the Duun_index to select the clustered members, then the selection of high‐quality clustered members with the voting algorithm to get the final result. Finally, they use the average difference of change to determine whether the current behaviour is abnormal based on the clustering results. The experimental results show that the proposed scheme has a better performance than the traditional clustering algorithm in clustering accuracy. Moreover, their algorithm can improve the detection rate and accuracy rate, respectively.

Jinkun Geng,Daren Ye,Ping Luo,Pin Lv

DOI: https://doi.org/10.1007/978-3-319-28865-9_45

2015-01-01

Abstract:As a main method in database intrusion detection, database anomaly detection should be able to detect users’ operational behaviours for timely prevention of possible attacks and for guarantee of database security. Aiming at this, we apply cluster analysis techniques to anomaly detection and propose a novel density-based clustering algorithm called DBCAPSIC, which is adopted to clustering database users according to their behavior types and behavior frequencies. Privilege patterns are extracted from the clusters and serve as a reference in anomaly detection. The simulation experiment proves that the algorithm can recognize the anomalous operations with few mistakes.

Ya CHEN

DOI: https://doi.org/10.3969/j.issn.1006-9348.2017.09.079

2017-01-01

Abstract:A detection method for abnormal information under big data environment is put forward based on fuzzy clustering.The subset of original data set via sampling data point in the original data set in proportion is formed,and the pretreatment for the observed value of feature of abnormal information is carried out,then the local extreme point of the objective function is searched and characteristic value of sliding window of the pre-detected abnormal information is extracted.The matrix of time-space relationship among neighbor nodes in assigned section is built,and space -time correlation of characteristic value of neighbor nodes is worked out.According to cluster results,the probability of abnormal mutation of information under big data enviromnent is confirmed.Thus,the detection of abnormal information is completed.Simulation resuhs show that the method has high precision.It lays foundation for improving environmental quality of big data.

Jinbo Li,Hesam Izakian,Witold Pedrycz,Iqbal Jamal

DOI: https://doi.org/10.1016/j.asoc.2020.106919

IF: 8.7

2021-03-01

Applied Soft Computing

Abstract:Multivariate time series data come as a collection of time series describing different aspects of a certain temporal phenomenon. Anomaly detection in this type of data constitutes a challenging problem yet with numerous applications in science and engineering because anomaly scores come from the simultaneous consideration of the temporal and variable relationships. In this paper, we propose a clustering-based approach to detect anomalies concerning the amplitude and the shape of multivariate time series. First, we use a sliding window to generate a set of multivariate subsequences and thereafter apply an extended fuzzy clustering to reveal a structure present within the generated multivariate subsequences. Finally, a reconstruction criterion is employed to reconstruct the multivariate subsequences with the optimal cluster centers and the partition matrix. We construct a confidence index to quantify a level of anomaly detected in the series and apply Particle Swarm Optimization as an optimization vehicle for the problem of anomaly detection. Experimental studies completed on several synthetic and six real-world datasets suggest that the proposed methods can detect the anomalies in multivariate time series. With the help of available clusters revealed by the extended fuzzy clustering, the proposed framework can detect anomalies in the multivariate time series and is suitable for identifying anomalous amplitude and shape patterns in various application domains such as health care, weather data analysis, finance, and disease outbreak detection.

computer science, artificial intelligence, interdisciplinary applications

Feiyi Chen,Yingying zhang,Zhen Qin,Lunting Fan,Renhe Jiang,Yuxuan Liang,Qingsong Wen,Shuiguang Deng

DOI: https://doi.org/10.1109/icde60146.2024.00047

2024-01-01

Abstract:Anomaly detection significantly enhances the robustness of cloud systems.While neural network-based methods have recently demonstrated strongadvantages, they encounter practical challenges in cloud environments: thecontradiction between the impracticality of maintaining a unique model for eachservice and the limited ability to deal with diverse normal patterns by aunified model, as well as issues with handling heavy traffic in real time andshort-term anomaly detection sensitivity. Thus, we propose MACE, a multi-normal-pattern accommodated and efficientanomaly detection method in the frequency domain for time series anomalydetection. There are three novel characteristics of it: (i) a patternextraction mechanism excelling at handling diverse normal patterns with aunified model, which enables the model to identify anomalies by examining thecorrelation between the data sample and its service normal pattern, instead ofsolely focusing on the data sample itself; (ii) a dualistic convolutionmechanism that amplifies short-term anomalies in the time domain and hindersthe reconstruction of anomalies in the frequency domain, which enlarges thereconstruction error disparity between anomaly and normality and facilitatesanomaly detection; (iii) leveraging the sparsity and parallelism of frequencydomain to enhance model efficiency. We theoretically and experimentally provethat using a strategically selected subset of Fourier bases can not only reducecomputational overhead but is also profitable to distinguish anomalies,compared to using the complete spectrum. Moreover, extensive experimentsdemonstrate MACE's effectiveness in handling diverse normal patterns with aunified model and it achieves state-of-the-art performance with highefficiency.

Chuanlei Zhang,Jiangtao Liu,Wei Chen,Jinyuan Shi,Minda Yao,Xiaoning Yan,Nenghua Xu,Dufeng Chen

DOI: https://doi.org/10.1155/2021/7389943

IF: 1.968

2021-10-13

Security and Communication Networks

Abstract:The unsupervised anomaly detection task based on high-dimensional or multidimensional data occupies a very important position in the field of machine learning and industrial applications; especially in the aspect of network security, the anomaly detection of network data is particularly important. The key to anomaly detection is density estimation. Although the methods of dimension reduction and density estimation have made great progress in recent years, most dimension reduction methods are difficult to retain the key information of original data or multidimensional data. Recent studies have shown that the deep autoencoder (DAE) can solve this problem well. In order to improve the performance of unsupervised anomaly detection, we propose an anomaly detection scheme based on a deep autoencoder (DAE) and clustering methods. The deep autoencoder is trained to learn the compressed representation of the input data and then feed it to clustering approach. This scheme makes full use of the advantages of the deep autoencoder (DAE) to generate low-dimensional representation and reconstruction errors for the input high-dimensional or multidimensional data and uses them to reconstruct the input samples. The proposed scheme could eliminate redundant information contained in the data, improve performance of clustering methods in identifying abnormal samples, and reduce the amount of calculation. To verify the effectiveness of the proposed scheme, massive comparison experiments have been conducted with traditional dimension reduction algorithms and clustering methods. The results of experiments demonstrate that, in most cases, the proposed scheme outperforms the traditional dimension reduction algorithms with different clustering methods.

computer science, information systems,telecommunications

Yuan Yuan,Yuangang Li

DOI: https://doi.org/10.1155/2022/5985426

IF: 1.43

2022-10-02

Mathematical Problems in Engineering

Abstract:Data anomaly detection plays a vital role in protecting network security and developing network technology. Aiming at the detection problems of large data volume, complex information, and difficult identification, this paper constructs a modified hybrid anomaly detection (MHAD) method based on the K-means clustering algorithm, particle swarm optimization, and genetic algorithm. First, by designing coding rules and fitness functions, the multiattribute data is effectively clustered, and the inheritance of good attributes is guaranteed. Second, by applying selection, crossover, and mutation operators to particle position and velocity updates, local optima problems are avoided and population diversity is ensured. Finally, the Fisher score expression for data attribute extraction is constructed, which reduces the required sample size and improves the detection efficiency. The experimental results show that the MHAD method has better performance than the K-means clustering algorithm, the support vector machine, decision trees, and other methods in the four indicators of recall, precision, prediction accuracy, and F-measure. The main advantages of the proposed method are that it achieves a balance between global and local search and ensures a high detection rate and a low false positive rate.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Guo Pu,Lijuan Wang,Jun Shen,Fang Dong

DOI: https://doi.org/10.26599/tst.2019.9010051

2021-04-01

Abstract:In recent years, machine learning-based cyber intrusion detection methods have gained increasing popularity. The number and complexity of new attacks continue to rise; therefore, effective and intelligent solutions are necessary. Unsupervised machine learning techniques are particularly appealing to intrusion detection systems since they can detect known and unknown types of attacks as well as zero-day attacks. In the current paper, we present an unsupervised anomaly detection method, which combines Sub-Space Clustering (SSC) and One Class Support Vector Machine (OCSVM) to detect attacks without any prior knowledge. The proposed approach is evaluated using the well-known NSL-KDD dataset. The experimental results demonstrate that our method performs better than some of the existing techniques.

computer science, information systems,engineering, electrical & electronic, software engineering

Rafath Samrin,Devara Vasumathi

DOI: https://doi.org/10.1515/jisys-2016-0105

2018-03-28

Journal of Intelligent Systems

Abstract:Abstract Despite the rapid developments in data technology, intruders are among the most revealed threats to security. Network intrusion detection systems are now a typical constituent of network security structures. In this paper, we present a combined weighted K-means clustering algorithm with artificial neural network (WKMC+ANN)-based intrusion identification scheme. This paper comprises two modules: clustering and intrusion detection. The input dataset is gathered into clusters with the usage of WKMC in clustering module. In the intrusion detection module, the clustered information is trained with the utilization of ANN and its structure is stored. In the testing process, the data are tested by choosing the most suitable ANN classifier, which corresponds to the closest cluster to the test data, according to distance or similarity measures. For experimental evaluation, we used the benchmark database, and the results clearly demonstrated that the proposed technique outperformed the existing technique by having better accuracy.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

N. Pandeeswari,Ganesh Kumar

DOI: https://doi.org/10.1007/s11036-015-0644-x

2015-08-16

Mobile Networks and Applications

Abstract:Cloud computing affords lot of resources and computing facilities through Internet. Cloud systems attract many users with its desirable features. In spite of them, Cloud systems may experience severe security issues. Thus, it is essential to create an Intrusion Detection System (IDS) to detect both insider and outsider attacks with high detection accuracy in cloud environment. This work proposes an anomaly detection system at the hypervisor layer named Hypervisor Detector that uses a hybrid algorithm which is a mixture of Fuzzy C-Means clustering algorithm and Artificial Neural Network (FCM-ANN) to improve the accuracy of the detection system. The proposed system is implemented and compared with Naïve Bayes classifier and Classic ANN algorithm. The DARPA’s KDD cup dataset 1999 is used for experiments. Based on extensive theoretical and performance analysis, it is evident that the proposed system is able to detect the anomalies with high detection accuracy and low false alarm rate even for low frequent attacks thereby outperforming Naïve Bayes classifier and Classic ANN.

computer science, information systems,telecommunications, hardware & architecture

Sihan Wang,Zhong Yuan,Chuan Luo,Hongmei Chen,Dezhong Peng

DOI: https://doi.org/10.1016/j.ijar.2023.109087

IF: 4.452

2024-02-01

International Journal of Approximate Reasoning

Abstract:Anomaly detection has been used in a wide range of fields. However, most of the current detection methods are only applicable to certain data, ignoring uncertain information such as fuzziness in the data. Fuzzy rough set theory, as an essential mathematical model for granular computing, provides an effective method for processing uncertain data such as fuzziness. Fuzzy rough entropy has been proposed in fuzzy rough set theory and has been employed successfully in data analysis tasks such as feature selection. However, it mainly uses the intersection operation, which may not effectively reflect the similarity between high-dimensional objects. In response to the two challenges mentioned above, distance-based fuzzy rough entropy and its correlation measures are proposed. Further, the proposed fuzzy rough entropy is used to construct the anomaly detection model and the Fuzzy Rough Entropy-based Anomaly Detection (FREAD) algorithm is designed. Finally, the FREAD algorithm is compared and analyzed with some mainstream anomaly detection algorithms (including COF, DIS, INFLO, LDOF, LoOP, MIX, ODIN, SRO, and VarE algorithms) on some publicly available datasets. Experimental results indicate that the FREAD algorithm significantly outperforms other algorithms in terms of performance and flexibility. The code is publicly available online at https://github.com/optimusprimeyy/FREAD.

computer science, artificial intelligence

Xiaolan Wang,Md. Manjur Ahmed,Mohd Nizam Husen,Hai Tao,Qian Zhao

DOI: https://doi.org/10.1007/978-981-99-0405-1_5

2023-01-01

Abstract:The identification of anomalies in a data stream is a difficulty for decision-making in real time. A memory-constrained online detection system that is able to quickly detect the concept drift of streaming data is required because the constant arrival of massive amounts of streaming data with changing characteristics makes real-time and efficient anomaly detection a difficult task. This is because of the nature of the data itself, which is constantly changing. In this study, a novel model for detecting anomalies using dynamic micro-clusters scheme is developed. The macro-clusters are generated from a network of connected micro-clusters. When new data items are added, the normal patterns that are formed in macro-clusters will update in tandem with the dynamic micro-clusters in an incremental fashion. An outlier may be understood from both a global and a local perspective by examining the global and local densities respectively. The effectiveness of the suggested approach was evaluated with the use of three different datasets. The findings of the experiment demonstrate that the suggested method is superior to earlier algorithms in terms of both the accuracy of detection and the level of computing complexity it requires.