Yuan Yuan,Yuangang Li

DOI: https://doi.org/10.1155/2022/5985426

IF: 1.43

2022-10-02

Mathematical Problems in Engineering

Abstract:Data anomaly detection plays a vital role in protecting network security and developing network technology. Aiming at the detection problems of large data volume, complex information, and difficult identification, this paper constructs a modified hybrid anomaly detection (MHAD) method based on the K-means clustering algorithm, particle swarm optimization, and genetic algorithm. First, by designing coding rules and fitness functions, the multiattribute data is effectively clustered, and the inheritance of good attributes is guaranteed. Second, by applying selection, crossover, and mutation operators to particle position and velocity updates, local optima problems are avoided and population diversity is ensured. Finally, the Fisher score expression for data attribute extraction is constructed, which reduces the required sample size and improves the detection efficiency. The experimental results show that the MHAD method has better performance than the K-means clustering algorithm, the support vector machine, decision trees, and other methods in the four indicators of recall, precision, prediction accuracy, and F-measure. The main advantages of the proposed method are that it achieves a balance between global and local search and ensures a high detection rate and a low false positive rate.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Guo Pu,Lijuan Wang,Jun Shen,Fang Dong

DOI: https://doi.org/10.26599/tst.2019.9010051

2021-04-01

Abstract:In recent years, machine learning-based cyber intrusion detection methods have gained increasing popularity. The number and complexity of new attacks continue to rise; therefore, effective and intelligent solutions are necessary. Unsupervised machine learning techniques are particularly appealing to intrusion detection systems since they can detect known and unknown types of attacks as well as zero-day attacks. In the current paper, we present an unsupervised anomaly detection method, which combines Sub-Space Clustering (SSC) and One Class Support Vector Machine (OCSVM) to detect attacks without any prior knowledge. The proposed approach is evaluated using the well-known NSL-KDD dataset. The experimental results demonstrate that our method performs better than some of the existing techniques.

computer science, information systems,engineering, electrical & electronic, software engineering

Tao Yang,Jinming Wang,Weijie Hao,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.48550/arXiv.2204.09942

2022-04-21

Cryptography and Security

Abstract:Industrial control systems (ICSs) are facing increasing cyber-physical attacks that can cause catastrophes in the physical system. Efficient anomaly detection models in the industrial sensor networks are essential for enhancing ICS reliability and security, due to the sensor data is related to the operational state of the ICS. Considering the limited availability of computing resources, this paper proposes a hybrid anomaly detection approach in cloud-edge collaboration industrial sensor networks. The hybrid approach consists of sensor data detection models deployed at the edges and a sensor data analysis model deployed in the cloud. The sensor data detection model based on Gaussian and Bayesian algorithms can detect the anomalous sensor data in real-time and upload them to the cloud for further analysis, filtering the normal sensor data and reducing traffic load. The sensor data analysis model based on Graph convolutional network, Residual algorithm and Long short-term memory network (GCRL) can effectively extract the spatial and temporal features and then identify the attack precisely. The proposed hybrid anomaly detection approach is evaluated using a benchmark dataset and baseline anomaly detection models. The experimental results show that the proposed approach can achieve an overall 11.19% increase in Recall and an impressive 14.29% improvement in F1-score, compared with the existing models.

Lincoln Best,Ernest Foo,Hui Tian

DOI: https://doi.org/10.48550/arXiv.2205.04005

2022-05-09

Abstract:The proliferation and variety of Internet of Things devices means that they have increasingly become a viable target for malicious users. This has created a need for anomaly detection algorithms that can work across multiple devices. This thesis suggests a potential alternative to the current anomaly detection algorithms to be implemented within IoT systems that can be applied across different types of devices. This algorithm is comprised of both unsupverised and supervised machine areas of machine learning combining the strongest facet of each. The algorithm involves the initial k-means clustering of attacks and assigns them to clusters. Next, the clusters are then used by the AdaBoosted Naive Bayes supervised learning algorithm in order to teach itself which piece of data should be clustered to which specific attack. This increases the accuracy of the proposed algorithm by adding clustered data before the final classification step, ensuring a more accurate algorithm. The correct indentification percentage scores for this proposed algorithm range anywhere from 90% to 100%, as well as rating the proposed algorithms accuracy, precision and recall. These high scores achieve an accurate, flexible, scalable, optimised algorithm that could potentially be in different IoT devices, ensuring strong data integrity and privacy.

Cryptography and Security

Shashank Gavel,Ajay Singh Raghuvanshi,Sudarshan Tiwari

DOI: https://doi.org/10.1002/nem.2144

2020-12-02

International Journal of Network Management

Abstract:Real‐time sensing plays an important role in ensuring the reliability of industrial wireless sensor networks (IWSNs). Sensor nodes in IWSNs have inherent limitations that give rise to different anomalies in the network. These anomalies can lead to disastrous and harmful situations or even serious system failures. This article presents a formulation to the design of an anomaly detection scheme for detecting the anomalous node along with the type of anomaly. The proposed scheme is divided into two major parts. First, spatiotemporal correlation within a cluster is obtained for the normal and anomalous behavior of sensor nodes. Second, the multilevel hybrid classifier is used by combining the sequential minimal optimization support vector machine (SMO‐SVM) as a binary classifier with optimally pruned extreme learning machine (OP‐ELM) as a multiclass classifier for detection of an anomalous node and type of anomalies, respectively. Mahalanobis distance‐based lightweight K‐Medoid clustering is used to build a new set of training datasets that represents the original training dataset, by significantly reducing the training time of a multilevel hybrid classifier. Results are analyzed using standard WSN datasets. The proposed model shows high accuracy, i.e., 94.79% and detection rate, i.e., 94.6% with a reduced false positive rate as compared to existing hybrid methods.

computer science, information systems,telecommunications

Chen Yang

DOI: https://doi.org/10.1007/s10586-018-1755-5

2018-01-16

Cluster Computing

Abstract:In recent years, there are more and more abnormal activities in the network, which greatly threaten network security. Hence, it is of great importance to collect the data which indicate the running statement of the network, and distinguish the anomaly phenomena of the network in time. In this paper, we propose a novel anomaly network traffic detection algorithm under the cloud computing environment. Firstly, the framework of the anomaly network traffic detection system is illustrated, and six type of network traffic features are consider in this work, that is, (1) number of source IP address, (2) number of source port number, (3) number of destination IP address, (4) number of destination port number, (5) Number of packet type, and (6) number of network packets. Secondly, we propose a novel hybrid information entropy and SVM model to tackle the proposed problem by normalizing values of network features and exploiting SVM detect anomaly network behaviors. Finally, experimental results demonstrate that the proposed algorithm can detect anomaly network traffic with high accuracy and it can also be used in the large scale dataset.

Bilal Ahmad,Wang Jian,Zain Anwar Ali,Sania Tanvir,M. Sadiq Ali Khan

DOI: https://doi.org/10.1007/s11277-018-5721-6

IF: 2.017

2018-04-16

Wireless Personal Communications

Abstract:Performance of wireless sensor network are highly prone to network anomalies particularly to misdirection attacks and blackhole attacks. Therefor intrusion detection system has a key role in WSN and it’s essential in security application. However the identification of active attacks is cumbersome in many cases particularly for remote sensing applications. This paper proposes hybrid anomaly detection method for misdirection and blackhole attacks by employing K-medoid customized clustering technique. A synthetic dataset was established by defining network parameters and threshold values were obtained to detect the anomalies. Experimental work was performed on network simulator (NS-2) and R studio. The proposed algorithm successfully detect the hybrid anomalies with high accuracy. This work is suitable for hybrid anomaly detection including misdirection and blackhole attacks in wireless environment.

telecommunications

Tong Jia,Pengfei Chen,Lin Yang,Ying Li,Fanjing Meng,Jingmin Xu

DOI: https://doi.org/10.1109/icws.2017.12

2017-01-01

Abstract:Detecting runtime anomalies is very important to monitoring and maintenance of distributed services. People often use execution logs for troubleshooting and problem diagnosis manually, which is time consuming and error-prone. In this paper, we propose an approach for automatic anomaly detection based on logs. We first mine a hybrid graph model that captures normal execution flows inter and intra services, and then raise anomaly alerts on observing deviations from the hybrid model. We evaluate the effectiveness of our approach by leveraging logs from an IBM public cloud production platform and two simulated systems in the lab environment. Evaluation results show that our hybrid graph model mining performs over 80% precision and 70% recall and anomaly detection performs nearly 90% precision and 80% recall on average.

Lei Zhang,Jianqing Zhang,Yong Chen,Shaowen Liao

DOI: https://doi.org/10.1109/icicta.2018.00074

2018-01-01

Abstract:In this paper, a hybrid intrusion detection model based on data mining, which is commonly used in network security anomaly detection, is proposed that combines anomaly detection with misuse detection technology. Two test stages were formed and applied to the instrusion detection system in the process of large-scale network traffic detection. On the basis of improving the detection ability of the massive information detection system, the security of the data source of the intrusion detection system was ensured.

Rahul Kale,Zhi Lu,Kar Wai Fok,Vrizlynn L. L. Thing

DOI: https://doi.org/10.48550/arXiv.2212.00966

2022-12-02

Cryptography and Security

Abstract:Cyber intrusion attacks that compromise the users' critical and sensitive data are escalating in volume and intensity, especially with the growing connections between our daily life and the Internet. The large volume and high complexity of such intrusion attacks have impeded the effectiveness of most traditional defence techniques. While at the same time, the remarkable performance of the machine learning methods, especially deep learning, in computer vision, had garnered research interests from the cyber security community to further enhance and automate intrusion detections. However, the expensive data labeling and limitation of anomalous data make it challenging to train an intrusion detector in a fully supervised manner. Therefore, intrusion detection based on unsupervised anomaly detection is an important feature too. In this paper, we propose a three-stage deep learning anomaly detection based network intrusion attack detection framework. The framework comprises an integration of unsupervised (K-means clustering), semi-supervised (GANomaly) and supervised learning (CNN) algorithms. We then evaluated and showed the performance of our implemented framework on three benchmark datasets: NSL-KDD, CIC-IDS2018, and TON_IoT.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Die Zhang,Zhen Zhang

DOI: https://doi.org/10.1109/EIECC60864.2023.10456717

2023-12-22

Abstract:Network abnormal traffic intrusion detection technology is an important research field of network security today. Hybrid intrusion detection technology overcomes the shortcomings of single detection and retains their advantages, achieving high detection rate and high accuracy, so it is widely used in existing network abnormal traffic detection. However, the optimization of the high false alarm rate of anomaly detection in existing hybrid intrusion detection is imperfect, resulting in a large room for improvement in the detection accuracy of hybrid intrusion detection. In response to the above problems, this paper proposes a hybrid intrusion detection method based on Cluster Marking-k-means. By adding a classifier to the anomaly-based detection module, the detection results are secondary classified to reduce False alarm rate, thus improving the overall detection accuracy of the method. The experiment uses NSL-KDD and CICIDS2017 datasets to verify the effectiveness of the method. The results show that the method proposed in this article improves the average F1 score by 1.19% compared to the comparative method.

Computer Science

Yajing Wang,Juan Ma,Ashutosh Sharma,Pradeep Kumar Singh,Gurjot Singh Gaba,Mehedi Masud,Mohammed Baz

DOI: https://doi.org/10.1155/2021/5558860

IF: 2.336

2021-05-28

Journal of Sensors

Abstract:Intrusion detection is crucial in computer network security issues; therefore, this work is aimed at maximizing network security protection and its improvement by proposing various preventive techniques. Outlier detection and semisupervised clustering algorithms based on shared nearest neighbors are proposed in this work to address intrusion detection by converting it into a problem of mining outliers using the network behavior dataset. The algorithm uses shared nearest neighbors as similarity, judges whether it is an outlier according to the number of nearest neighbors of a data point, and performs semisupervised clustering on the dataset where outliers are deleted. In the process of semisupervised clustering, vast prior knowledge is added, and the dataset is clustered according to the principle of graph segmentation. The novelty of the proposed algorithm lies in outlier detection while effectively avoiding the dependence on parameters, thus eliminating the influence of outliers on clustering. This article uses real datasets: lypmphography and glass for simulation purposes. The simulation results show that the algorithm proposed in this paper can effectively detect outliers and has a good clustering effect. Furthermore, the experimentation reveals that the outlier detection-based SCA-SNN algorithm has the best practical effect on the dataset without outliers, clearly validating the clustering performance of the outlier detection-based SCA-SNN algorithm. Furthermore, compared to the other state-of-the-art anomaly detection method, it was revealed that the anomaly detection technology based on outlier mining does not require a training process. Thus, they overcome the current anomaly detection problems caused due to incomplete normal patterns in training samples.

engineering, electrical & electronic,instruments & instrumentation

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Tao Qin,Zhaoli Liu,Pinghui Wang,Shancang Li,Xiaohong Guan,Lixin Gao

DOI: https://doi.org/10.1109/tifs.2019.2933731

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Anomaly detection is an important technique used to identify patterns of unusual network behavior and keep the network under control. Today, network attacks are increasing in terms of both their number and sophistication. To avoid causing significant traffic patterns and being detected by existing techniques, many new attacks tend to involve gradual adjustment of behaviors, which always generate incomplete sessions due to their running mechanisms. Accordingly, in this work, we employ the behavior symmetry degree to profile the anomalies and further identify unusual behaviors. We first proposed a symmetry degree to identify the incomplete sessions generated by unusual behaviors; we then employ a sketch to calculate the symmetry degree of internal hosts to improve the identification efficiency for online applications. To reduce the memory cost and probability of collision, we divide the IP addresses into four segments that can be used as keys of the hash functions in the sketch. Moreover, to further improve detection accuracy, a threshold selection method is proposed for dynamic traffic pattern analysis. The hash functions in the sketch are then designed using Chinese remainder theory, which can analytically trace the IP addresses associated with the anomalies. We tested the proposed techniques based on traffic data collected from the northwest center of CERNET (China Education and Research Network); the results show that the proposed methods can effectively detect anomalies in large-scale networks.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Weiwei Lin,Songbo Wang,Wentai Wu,Dongdong Li,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tetci.2023.3290027

2023-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Anomaly detection, in recent years, has gained increasing attention in the research and practice of time series processing. However, the task is particularly challenging with multivariate time series which complicates the temporal dependency between observations and introduces complex inter-channel correlation. Meanwhile, in order to fit a broader range of applications, robustness during both training and detection is also a critical aspect. In this paper, we propose an unsupervised, hybrid model-driven anomaly detection scheme capable of (1) transforming sequences into a fused representation of temporal dependency embeddings and inter-channel correlation embeddings, and (2) achieving robust anomaly detection using a temporal prediction network for sample-wise posterior estimation combined with a data reconstruction network to assess the source of prediction. On this basis, we develop a probability density-based anomaly scoring mechanism for online detection in multivariate time series, where the anomaly score for each observation is rectified by the reliability of the prediction source. The results of extensive experiments on five publicly available datasets show that our proposed solution outperforms various state-of-the-art anomaly detection algorithms (including DL-based and non-DL-based), achieving a performance improvement (in F1-Score) by up to 10.42%.

David Savage,Xiuzhen Zhang,Xinghuo Yu,Pauline Chou,Qingmai Wang

DOI: https://doi.org/10.48550/arXiv.1608.00301

2016-08-01

Abstract:Anomalies in online social networks can signify irregular, and often illegal behaviour. Anomalies in online social networks can signify irregular, and often illegal behaviour. Detection of such anomalies has been used to identify malicious individuals, including spammers, sexual predators, and online fraudsters. In this paper we survey existing computational techniques for detecting anomalies in online social networks. We characterise anomalies as being either static or dynamic, and as being labelled or unlabelled, and survey methods for detecting these different types of anomalies. We suggest that the detection of anomalies in online social networks is composed of two sub-processes; the selection and calculation of network features, and the classification of observations from this feature space. In addition, this paper provides an overview of the types of problems that anomaly detection can address and identifies key areas of future research.

Social and Information Networks,Physics and Society

Jinfa WANG,Siyuan JIA,Hai ZHAO,Jiuqiang XU,Chuan LIN

DOI: https://doi.org/10.1587/transcom.2017ebp3392

2018-12-01

IEICE Transactions on Communications

Abstract:Detecting anomalies, such as network failure or intentional attack in Internet, is a vital but challenging task. Although numerous techniques have been developed based on Internet traffic, detecting anomalies from the perspective of Internet topology structure is going to be possible because the anomaly detection of structured datasets based on complex network theory has become a focus of attention recently. In this paper, an anomaly detection method for the large-scale Internet topology is proposed to detect local structure crashes caused by the cascading failure. In order to quantify the dynamic changes of Internet topology, the network path changes coefficient (NPCC) is put forward which highlights the Internet abnormal state after it is attacked continuously. Furthermore, inspired by Fibonacci Sequence, we proposed the decision function that can determine whether the Internet is abnormal or not. That is the current Internet is abnormal if its NPCC is out of the normal domain calculated using the previous k NPCCs of Internet topology. Finally the new Internet anomaly detection method is tested against the topology data of three Internet anomaly events. The results show that the detection accuracy of all events are over 97%, the detection precision for three events are 90.24%, 83.33% and 66.67%, when k=36. According to the experimental values of index F1, larger values of k offer better detection performance. Meanwhile, our method has better performance for the anomaly behaviors caused by network failure than those caused by intentional attack. Compared with traditional anomaly detection methods, our work is more simple and powerful for the government or organization in items of detecting large-scale abnormal events.

telecommunications,engineering, electrical & electronic

Amina Mohamed Elmahalwy,Hayam M. Mousa,Khalid M. Amin

DOI: https://doi.org/10.11591/ijece.v13i3.pp3498-3508

2023-06-01

International Journal of Electrical and Computer Engineering (IJECE)

Abstract:Anomaly detection is a significant research area in data science. Anomaly detection is used to find unusual points or uncommon events in data streams. It is gaining popularity not only in the business world but also in different of other fields, such as cyber security, fraud detection for financial systems, and healthcare. Detecting anomalies could be useful to find new knowledge in the data. This study aims to build an effective model to protect the data from these anomalies. We propose a new hyper ensemble machine learning method that combines the predictions from two methodologies the outcomes of isolation forest-k-means and random forest using a voting majority. Several available datasets, including KDD Cup-99, Credit Card, Wisconsin Prognosis Breast Cancer (WPBC), Forest Cover, and Pima, were used to evaluate the proposed method. The experimental results exhibit that our proposed model gives the highest realization in terms of receiver operating characteristic performance, accuracy, precision, and recall. Our approach is more efficient in detecting anomalies than other approaches. The highest accuracy rate achieved is 99.9%, compared to accuracy without a voting method, which achieves 97%.