Xiao Yang,Yan Liu,Zunhe Liu,Buyang Cao

DOI: https://doi.org/10.3233/978-1-61499-484-8-541

2014-01-01

Abstract:With the widely adoption of Hadoop-based big data platfom in industry, monitoring and maintaining Hadoop clusters has become increasingly critical, which also brings high demands on automatic or semi-automatic health checking and diagonostics. Anomaly detection plays an essential role for monitoring Hadoop clusters and provides basis for automatic alerts generation. Most existing methods for anomaly detection for Hadoop clusters are rule-based and relies on characterizing of anomalies with domain-knowledge and understanding of the specific target system, which bring barriers for practical application in complex business platform. In this paper, we leverage statistical analysis to discover critical components in execution data collected through Hadoop JobTracker. A two-stage anomaly detection method is proposed by integrating PCA and DBSCAN. This new method has no requirements on prior knowledge of target nodes and jobs. Experiments are conducted to detect buggy jobs based on real execution data collected from three Hadoop clusters provided by one of the largest E-Commerce company in the world. The results show our method is effective to detect anomalies without specifying the features of anomalies in advance.

Jing Zhang

DOI: https://doi.org/10.48550/arXiv.1901.09294

2019-01-27

Abstract:Anomaly detecting as an important technical in cloud computing is applied to support smooth running of the cloud platform. Traditional detecting methods based on statistic, analysis, etc. lead to the high false-alarm rate due to non-adaptive and sensitive parameters setting. We presented an online model for anomaly detecting using machine learning theory. However, most existing methods based on machine learning linked all features from difference sub-systems into a long feature vector directly, which is difficult to both exploit the complement information between sub-systems and ignore multi-view features enhancing the classification performance. Aiming to this problem, the proposed method automatic fuses multi-view features and optimize the discriminative model to enhance the accuracy. This model takes advantage of extreme learning machine (ELM) to improve detection efficiency. ELM is the single hidden layer neural network, which is transforming iterative solution the output weights to solution of linear equations and avoiding the local optimal solution. Moreover, we rank anomies according to the relationship between samples and the classification boundary, and then assigning weights for ranked anomalies, retraining the classification model finally. Our method exploits the complement information between sub-systems sufficiently, and avoids the influence from imbalance dataset, therefore, deal with various challenges from the cloud computing platform. We deploy the privately cloud platform by Openstack, verifying the proposed model and comparing results to the state-of-the-art methods with better efficiency and simplicity.

Machine Learning

Wunjun Huo,Wei Wang,Wen Li

DOI: https://doi.org/10.1007/978-3-030-23499-7_5

2019-01-01

Abstract:Anomaly detection is a key challenge in data mining, which refers to finding patterns in data that do not conform to expected behavior. It has a wide range of applications in many fields as diverse as finance, medicine, industry, and the Internet. In particular, intelligent operation has made great progress in recent years and has an urgent need for this technology. In this paper, we study the problem of anomaly detection in the context of intelligent operation and find the practical need for high-accuracy, online and universal anomaly detection algorithms in time series database. Based on the existing algorithms, we propose an innovative online distance-based anomaly detection algorithm. K-means and time-space trade-off mechanism are used to reduce the time complexity. Through the experiments on Yahoo! Web-scope S5 dataset we show that our algorithm can detect anomalies accurately. The comparative study of several anomaly detectors verifies the effectiveness and generality of the proposed algorithm.

Wenhao Wang,Chen Zhang,Quan Zhang

DOI: https://doi.org/10.1007/978-3-662-43908-1_15

2014-01-01

Abstract:In order to solve non-real time problem in traditional intrusion detection technologies, this paper proposes an anomaly detection model based on cloud model and danger theory. First using cloud model as a tool to evaluate the diversity factors between test data and the standard data set, then covert it into signal input of DCA to detect abnormality degree of system. Meanwhile, a dendritic cell algorithm based on data segmented detection is proposed in order to raise real-time response of the system. The paper use KDDCUP99 data sets to validate membership of normal data and detection rate of this model. Experimental results show that the model can effectively distinguish between normal data and abnormal data, and also improve the system anomaly detection capabilities.

Jin Gao,Jiaquan Liu,Sihua Guo,Qi Zhang,Xinyang Wang

DOI: https://doi.org/10.1155/2020/6343705

IF: 1.43

2020-11-19

Mathematical Problems in Engineering

Abstract:Aiming at problems such as slow training speed, poor prediction effect, and unstable detection results of traditional anomaly detection algorithms, a data mining method for anomaly detection based on the deep variational dimensionality reduction model and MapReduce (DMAD-DVDMR) in cloud computing environment is proposed. First of all, the data are preprocessed by a dimensionality reduction model based on deep variational learning and based on ensuring complete data information as much as possible, the dimensionality of the data is reduced, and the computational pressure is reduced. Secondly, the data set stored on the Hadoop Distributed File System (HDFS) is logically divided into several data blocks, and the data blocks are processed in parallel through the principle of MapReduce, so the k-distance and LOF value of each data point can only be calculated in each block. Thirdly, based on stochastic gradient descent, the concept of k-neighboring distance is redefined, thus avoiding the situation where there are greater than or equal to k-repeated points and infinite local density in the data set. Finally, compared with CNN, DeepAnt, and SVM-IDS algorithms, the accuracy of the scheme is increased by 10.3%, 18.0%, and 17.2%, respectively. The experimental data set verifies the effectiveness and scalability of the proposed DMAD-DVDMR algorithm.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Baojiang Cui,Shanshan He,Haifeng Jin

DOI: https://doi.org/10.1109/imis.2015.43

2015-01-01

Abstract:the large number of internet traffic has highlighted the importance of traffic detection. Anomaly detection is playing an increasingly important role in network security. Feature matching, statistics rules and data mining are widely used in traditional anomaly detection systems, but they have numerous disadvantages, such as low accuracy, over consumption of processing resources. For the complexities of irregular situation, we propose a new model for anomaly traffic detection in this paper. This study combine feature matching module, statistics rules module and data mining module under fully considering the advantages and disadvantages of these three detection methods. Moreover, a multi-layer detection scheme was introduced to enhance system accuracy and reduce the complexity at the same time. Data mining module is the core of the model, Naive Bayes, decision tree and clustering algorithms are used in this module. The results of this system are produced by integrating the detection results of multi detection modules and proved that it has more accuracy than separate module.

Jianfeng Guan,Jiawei Li,Zhongbai Jiang

DOI: https://doi.org/10.31209/2018.100000050

2019-01-01

Abstract:The traditional web anomaly detection systems face the challenges derived from the constantly evolving of the web malicious attacks, which therefore result in high false positive rate, poor adaptability, easy over-fitting, and high time complexity. Due to these limitations, we need a new anomaly detection system to satisfy the requirements of enterprise-level anomaly detection. There are lots of anomaly detection systems designed for different application domains. However, as for web anomaly detection, it has to describe the network accessing behaviours characters from as many dimensions as possible to improve the performance. In this paper we design and implement a Multidimensional and Hierarchical Web Anomaly Detection System (MHWADS) with the objectives to provide high performance, low latency, multi-dimension and adaptability. MHWADS calculates the statistical characteristics, and constructs the corresponding statistical model, detects the behaviour characteristics to generate the multidimensional correlation eigenvectors, and adopts several classifications to build an ensemble model. The system performance is evaluated based on realistic dataset, and the experimental results show that MHWADS yields substantial improvements than the previous single model. More important, by using 2-fold Stacking as the ensemble architecture, the detection precision and recall are 0.99988 and 0.99647, respectively.

Yang Shi,Maoran Xu,Rongwen Zhao,Hao Fu,Tongshuang Wu,Nan Cao

DOI: https://doi.org/10.1109/THMS.2019.2925195

2019-01-01

IEEE Transactions on Human-Machine Systems

Abstract:Automatic anomaly detection techniques have been extensively used to support decision making in abnormal situations. However, existing approaches are limited in their capacity of effectively identifying anomalies due to the complexity of the real-world environment, the uncertainty of the data input, and the unavailability of ground truth. In this paper, we propose an interactive context-aware anomaly detection algorithm framework that incorporates human judgment in searching for anomalous regions within a large geographic environment. In specific, our framework, 1) estimates a focal region and detect anomalous situations in real time, through which the user can observe and analyze suspicious entities, 2) leverages user feedback to refine results and guide further analysis, and 3) tolerates potential fault feedback provided by the users and resignal dubious anomalous points. Based on the framework, we propose two algorithm implementations, respectively, employ Bayes’ theorem and metric learning. We demonstrate the effectiveness of the proposed framework and corresponding implementations through two controlled user studies and a case study with a domain expert.

王飞,徐本连,钱玉文,戴跃伟,王执铨

DOI: https://doi.org/10.16182/j.cnki.joss.2012.04.037

2012-01-01

Abstract:In view of the disadvantage,of an anomaly detection which can not provide more useful information about the unknown intrusions,an anomaly detection model based on hybrid SVM/SOM was proposed.At first,support vector machine（SVM） was used to detect anomalous connections,and then the detected anomalies were as input of the clustering module to get more information.The clustering module consisted of self-organizing map（SOM） algorithm and information acquisition algorithm.Through the method of acquire information about the detected anomalies,more valuable information about the unknown intrusions could be obtained.Finally,the kddcup99 data sets were used for simulation.The experimental results show that the detection model has a better detection efficiency and low false alarm rate,and the model for getting information of unknown intrusions is valid.

Simin Zhang,Bo Li,Jianxin Li,Mingming Zhang,Yang Chen

DOI: https://doi.org/10.1109/cscloud.2015.46

2015-01-01

Abstract:In recent years, web-based attacks increase and become the top threat in cloud environments. To detect unknown web-based attacks, many studies resort to anomaly detection through analyzing web logs. This paper presents an anomaly detection approach, which includes a transforming model and a classifier model. The transforming model converts every entry into a vector, and every value in vector is obtained by training extracted features in statistical techniques and Naive Bayes, which can analyze URI or URL without query in web logs and establish a unified normal standard for different websites. A big real-life dataset of about 50.1GB web logs has been used to verify the effectiveness of our approach, and the experimental results show that our approach can achieve detection rate over 98% and false alarm rate less than 1.5%.

Jishen Yu,Feng Liu,Wenli Zhou,Hua Yu

DOI: https://doi.org/10.1109/ccis.2014.7175718

2014-01-01

Abstract:This paper presents a distributed system for real-time anomaly detection in backbone. The backbone traffic is so huge that it is difficult to monitor abnormal traffic by traditional methods. Our system is based on Hadoop, an open source framework, and used to detect the abnormal traffic. Firstly, We establish a precise regression model to describe the network traffic. Secondly, distributed system Hadoop is used to detect the abnormal traffic. Finally, the experimental results prove that our system can detect the abnormal traffic accurately and efficiently in the real-world network environment.

Yong-xu HOU,Lei DUAN,Jiang-long QIN,Pan QIN,Chang-jie TANG

DOI: https://doi.org/10.3969/j.issn.1007-130X.2017.02.003

2017-01-01

Abstract:Anomaly detection,which is used in a variety of applications,attracts attention both in industry and academia.Among numerous methods for anomaly detection,the Isolation Forest algorithm,whose characteristics include high efficiency,sound detection accuracy,has wide real-world applications.However,the conventional Isolation forest algorithm can hardly deal with large-scale data sets.To break this limitation,we propose a cloud computing platform based algorithm.Specifically,we design and implement a parallel algorithm for anomaly detection based on Isolation Forest,named PIFH,using the Hadoop distributed storage system and the MapReduce distributed computational framework.By parallelizing the processes of detection model construction and anomaly evaluation,its efficiency is improved,and the application range is also extended.Experiments using real-world data sets demonstrate that the proposed algorithm is efficient and scalable.

H. P. Yao,Y. Q. Liu,C. Fang

DOI: https://doi.org/10.15837/ijccc.2016.4.2315

IF: 2.635

2016-01-01

International Journal of Computers Communications & Control

Abstract:Anomaly network detection is a very important way to analyze and detect malicious behavior in network. How to effectively detect anomaly network flow under the pressure of big data is a very important area, which has attracted more and more researchers' attention. In this paper, we propose a new model based on big data analysis, which can avoid the influence brought by adjustment of network traffic distribution, increase detection accuracy and reduce the false negative rate. Simulation results reveal that, compared with k-means, decision tree and random forest algorithms, the proposed model has a much better performance, which can achieve a detection rate of 95.4% on normal data, 98.6% on DoS attack, 93.9% on Probe attack, 56.1% on U2R attack, and 77.2% on R2L attack.

Xueshuo Xie,Zongming Jin,Qingqi Han,Shenwei Huang,Tao Li

DOI: https://doi.org/10.1007/978-3-030-37352-8_8

2019-01-01

Abstract:Log data contains very rich and valuable information that records system states and behavior, which can be used to diagnose system failures. Anomaly detection from large-scale log data plays a key role in building secure and trustworthy systems. Anomaly detection model based on machine learning has achieved good results in practical applications. However, logs generated by modern large-scale distributed systems are more complex than ever before in terms of data size and variety. Therefore, the traditional single-machine learning anomaly detection model faces the model aging problem. We design an anomaly detection model that combines multiple machine learning algorithms. By using a conformal prediction, we can calculate the confidence of each algorithm for each log to be detected and use statistical analysis to tag them with a trusted label. The approach was tested on the public HDFS 100k log dataset, and the results show that our model is more accurate.

Waqas Haider,Jiankun Hu,Yi Xie,Xinghuo Yu,Qianhong Wu

DOI: https://doi.org/10.1109/tbdata.2017.2736555

2017-01-01

IEEE Transactions on Big Data

Abstract:Anomaly detection for cloud servers is important for detecting zero-day attacks. However, it is very challenging due to the large amount of accumulated data. In this paper, a new mathematical model for modeling dynamic usage behavior and detecting anomalies is proposed. It is constructed using state summarization and a novel nested-arc hidden semi-Markov model (NAHSMM). State summarization is designed to extract usage behavior reflective states from a raw sequence. The NAHSMM is comprised of exterior and interior hidden Markov chains. The exterior controls the propagation of raw sequences of system calls and, conditional on it, the interior one controls the summarized observation process from the transition less usage behavior reflective states. An anomaly detection algorithm is derived by integrating state summarization and NAHSMM. During training the algorithm is assisted by a forensic module to tune the behavioral threshold. Experimental data is collected using IXIA Perfect Storm in conjunction with the commercial security-test hardware platform cyber range. To evaluate the reliability of the proposed model, first, its accuracy and training costs are compared with those of existing machine-learning models and then its scalability and resistance capabilities are tested. The results indicate that this model could be used as a method for detecting anomalies in cloud servers.

Meng-Xian Wang,Jian-Qiang Wang

DOI: https://doi.org/10.3233/jifs-16254

2017-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:Anomaly detection is an important task for applications involving Big Data. Comparing with traditional method, anomaly detection in Big Data confronts growing amounts of data with high dimensionality and complex structures, which require more real-time analysis. This paper presents a fuzzy input-output system for anomalous data using electronic consumer records (ECR), a trapezium-cloud-map-filtration (TCMF) framework and a value mining model. ECRs are used to add or remove criteria based on consumers' consumption. In addition, MapReduce framework and trapezium clouds generated from each subsample are aggregated by using the aggregated trapezium cloud as a filter for each subsample. Then, a fuzzy logic-based value mining model is proposed based on Takagi-Sugeno model (T-S model) and trapezium clouds. This paper establishes a system that can improve decision-making accuracy by filtering large-scale data, and an illustrative example using a hotel booking situation is presented to verify the validity and feasibility of the proposed model. Finally, a comparative analysis is conducted between the proposed approach and existing methods.

Yang Shi,Shupei Wang,Qinpei Zhao,Jiangfeng Li

DOI: https://doi.org/10.1007/978-3-319-69781-9_13

2017-01-01

Abstract:Security technology in computer network including anomaly detection is increasingly playing an important role in the government and protection of Internet along with its popularity. Anomaly detection uses data mining techniques to detect the unknown malicious behavior. Various hybrid approaches have been proposed in order to detect outliers more accurately recently. This paper proposes a novel hybrid of clusterings and graph to detect anomaly. We introduce a new holistic approach in a common bipartite scenario of users from intranet accessing to Internet that utilizes different types of clusterings for the individual feature data to find the outliers and then a graph model to take advantage of the relational data naming network to enhance anomaly detection. The framework solution has several advantages: taking consideration of individual feature data and relational data, keeping open to extend different types of clusterings, easily appending more domain knowledge.

Chenghua Tang,Yang Xiang,Yu Wang,Junyan Qian,Baohua Qiang

DOI: https://doi.org/10.1002/sec.1547

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Anomaly detection as a kind of intrusion detection is good at detecting the unknown attacks or new attacks, and it has attracted much attention during recent years. In this paper, a new hierarchy anomaly intrusion detection model that combines the fuzzy c-means FCM based on genetic algorithm and SVM is proposed. During the process of detecting intrusion, the membership function and the fuzzy interval are applied to it, and the process is extended to soft classification from the previous hard classification. Then a fuzzy error correction sub interval is introduced, so when the detection result of a data instance belongs to this range, the data will be re-detected in order to improve the effectiveness of intrusion detection. Experimental results show that the proposed model can effectively detect the vast majority of network attack types, which provides a feasible solution for solving the problems of false alarm rate and detection rate in anomaly intrusion detection model. Copyright © 2016 John Wiley & Sons, Ltd.

Xiao-Feng Wang,Jing-Li Zhou,Sheng-Sheng Yu,Long-Zheng Cai

DOI: https://doi.org/10.1007/11540007_39

2006-01-01

Abstract:HTTP request exploitations take substantial portion of network-based attacks. This paper presents a novel anomaly detection framework, which uses data mining technologies to build four independent detection models. In the training phase, these models mine specialty of every web program using web server log files as data source, and in the detection phase, each model takes the HTTP requests upon detection as input and calculates at least one anomalous probability as output. All the four models totally generate eight anomalous probabilities, which are weighted and summed up to produce a final probability, and this probability is used to decide whether the request is malicious or not. Experiments prove that our detection framework achieves close to perfect detection rate under very few false positives.

Hua Peng,Liang Liu,Jiayong Liu,Johnwb R. Lewis

DOI: https://doi.org/10.3233/jifs-179072

2019-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:Now, the classifier network anomaly traffic detection method is generally considered to be a general method of good detection effect and high detection precision. In order to detect abnormal network traffic more efficiently, so as to ensure the security of Internet users, a network traffic anomaly detection algorithm based on Mahout Classifier is studied. Aiming at the problem of time correlation and the influence of abnormal samples on accuracy of detection statistics, and the first detection point is eliminated and the applicable detection point is added. The BP neural network algorithm and Bayesian network model are used to predict the abnormal probability of the anomaly node, the detection precision is optimized, and the exception points of the training set are reorganized. In view of the anomalies detected by anomaly detection models, an emergency response method is proposed, which not only detects anomalies, but also handles anomalies.