Hongyang Chen,Pengfei Chen,Benran Wang,Xian Yu,Xiaofan Chen,Dandan Ma,Zibin Zheng

DOI: https://doi.org/10.1016/j.comnet.2023.110135

IF: 5.493

2024-02-01

Computer Networks

Abstract:Software-Defined Network (SDN) has been widely employed in data center networks to host various software systems such as microservice systems. A microservice system is constructed by a microservice architecture composed of dozens of services running in different lightweight virtual machines (e.g., containers) and relying on overlay networks for connectivity. However, with the increase of the system scale and the network traffic volume, the network becomes more complex and common to behave anomalously. Therefore, it is error-prone to manually investigate anomalies. To tackle this problem, we propose a non-intrusive monitoring system to help network operators obtain deep insights from the network traffic generated by the running system. Based on the monitoring system, we propose an anomaly detection method to automatically detect network anomalies. The core idea is to learn behavior patterns of inter/intra-components by modeling spatial–temporal relationships amongst collected network metrics with the proposed model STCell-VAE. The pattern will be leveraged to reconstruct the input data. Subsequently, the reconstruction probability is used to determine anomalies. Additionally, STCell-VAE can assimilate network information from new components as the network evolves, eliminating the necessity for retraining. Experiments are conducted within a real networking system and four simulated large-scale networks. The results demonstrate that our system can detect anomalies with about 0.7 F1-score, which outperforms state-of-the-art methods.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xinshuo Bai,Jun Bai,Xu Yang,Hongri Liu,Bailing Wang,Yang Liu

DOI: https://doi.org/10.1109/ICAIT51223.2020.9315471

2020-01-01

Abstract:Software-Defined Network (SDN), an innovating technique, endows flexibility and programmability to the network in contrast to the conventional one. Its idea of decoupling control and data plane brings convenience to manage networks like load balancing, traffic engineering, virtual firewall etc. Nevertheless, the separated plane structure results in novel threats, composed by the common in conventional network and the specialized in SDN. In this paper, we propose a deep learning approach to detect anomaly in SDN with OpenFlow by analyzing multiple metrics extracted from OpenFlow switch metadata. Evaluated by four trained deep learning models to classify the multivariate time series, we obtained an average accuracy of 83.8%.

Hao Yan,Qianzhen Zhang,Deming Mao,Ziyue Lu,Deke Guo,Sheng Chen

DOI: https://doi.org/10.1109/icccn52240.2021.9522263

2021-01-01

Abstract:We consider cyber security as one of the most significant technical challenges in current times. One of the main tasks is to detect anomalous patterns in the network streams as soon as they appear. In order to solve the above problem, previous propositions use statistical or machine learning-based methods to detect anomalous patterns in the network streams. However, these solutions incur significant low efficiency and precision due to the frequent recomputation of the results from scratch and unreasonable assumptions. In graph theory, dense subgraphs can be used to model the anomalous patterns if we abstract the network streams as a dynamic graph. This motivates us to explore dense subgraph discovery under the scenario where the network is updating. In this paper, we propose a graph-based framework, referred to as SAD, towards continuous dense subgraph discovery over network streams. In specific, we design an auxiliary data structure that is a concise representation of intermediate results, and its execution model allows a fast incremental maintenance strategy. In this way, we can detect anomalous patterns in the network streams in near real-time. Experiments demonstrate that SAD can not only get a higher accuracy of 90.2% but also faster than $11.4\times$ times compared to the state-of-the-art anomaly detection algorithms.

Xiaoyu Wang,Yongwang Zhou,Dongbiao Li,Chi Zhang

DOI: https://doi.org/10.1109/iccc62479.2024.10681973

2024-01-01

Abstract:Anomaly detection in dynamic and temporal graphs is frequently accomplished using unsupervised learning. This involves clustering to group similar data instances and identify outliers. Nonetheless, the accuracy of unsupervised learning algorithms is limited when anomalous data instances exhibit similar features. Existing graph theory-based methods can only detect significant anomalies that affect the entire network structure but fail to detect subtle anomalies such as small-scale DDoS attacks within node groups. Conversely, monitoring the behavior of every node in a real-time network can be expensive. In this paper, we propose a real-time anomaly detection method that leverages community detection and graph spectral theory. Specifically, each graph is partitioned into groups of densely connected nodes, which serve as detection objects to identify subtle anomalies. To address the challenge of detecting anomalies with similar features, we measured changes in communities between adjacent time steps, allowing us to identify outlier time points. Finally, to strike a balance between accuracy and cost, we utilize a novel graph spectral theory method as a graph distance function. Experimental evaluations demonstrate the efficacy of our approach in detecting subtle anomalies.

Yang Qin,Junjie Wei,Weihong Yang

DOI: https://doi.org/10.23919/apnoms.2019.8892873

2019-01-01

Abstract:Software Defined Networking (SDN) has attracted more and more attention due to its prominent features that are different from the traditional network. SDN is programmable through which controller can modify the rules in the switch. However, security was not considered in its initial design, and many manufacturers no longer support Transport Layer Security (TLS) due to the cost. Although many machine learning based approaches have been implemented in SDN, they all need features that experts extract from original data. However, the manual extraction increases the level of human interaction and decreases detection accurate. This paper presents a malicious network traffic classification method based on Convolutional Neural Network (CNN) and Recurrent Neural Network (RNN) to address these concerns. Our proposed method is implemented in Graphic Process Unit (GPU) enabled TensorFlow. We evaluated our proposal on three datasets. The results demonstrate that our proposal achieves improvements in term of detection accuracy and stability over existing approaches and strong potential for user in SDN security.

Renyu Liu,Qingsheng Zhu

DOI: https://doi.org/10.1109/ijcnn.2018.8489336

2018-01-01

Abstract:As a kind of network security protection technology, intrusion detection technology has become one of the hot topics in the field of network security. In order to solve the problem that the methods of network anomaly detection have a high requirement on the purity of the normal data-set, and that the existing methods based on outlier detection need to set an anomaly threshold manually. Combining with the idea of Natural Neighborhood Graph, a network anomaly detection method (NAD-NNG) is proposed. In order to eliminate noise points or mislabel points and reduce the time complexity of anomalies detection, the algorithm uses the Natural Neighborhood Graph to cluster the normal data-set. Also, the algorithm can adaptively obtain a percentage value β for setting the anomaly threshold. Experiments on KDDCUP99 show that compared with the other two algorithms, the proposed method can achieve a higher detection rate based on a tolerable false alarm rate.

Yunhe Cui,Qing Qian,Huanlai Xing,Saifei Li

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00113

2020-01-01

Abstract:As an emerging architecture, Software-Defined Networking (SDN) is suffering from a lot of security issues. Network anomaly detection technology plays a crucial role in addressing SDN security issues. In SDN, the network status can be denoted by the packets or flow entries. Hence, the existing network anomaly detection methods are commonly designed based on inspecting packets or flow entries. Subsequently, these anomaly detection methods have to collect packets or flow entries from the underlying switches. More seriously, some anomaly detection methods even need to add extra modules to the switches. Unlike these existing network anomaly detection methods, this work proposes a lightweight network anomaly detection method. The main design principle of the proposed method is mining the inherent OpenFlow messages in SDN to represent the network status and further detect the network anomaly. The proposed method does not need to collect any additional messages from the underlying switches or add any additional modules to the underlying switches. The evaluation results demonstrate that the proposed network anomaly detection method can afford high detection accuracy and reduce the overhead of SDN controller.

Peng Zhang,Fangzheng Zhang,Shimin Xu,Zuoru Yang,Hao Li,Qi Li,Huanzhao Wang,Chao Shen,Chengchen Hu

DOI: https://doi.org/10.1109/tnet.2020.3033588

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:A crucial requirement for Software Defined Network (SDN) is that data plane forwarding behaviors should always agree with control plane policies. Such requirement cannot be met when there are forwarding anomalies, where packets deviate from the paths specified by the controller. Most anomaly detection methods for SDN install dedicated rules to collect statistics of each flow, and check whether the statistics conform to the “flow conservation principle”. We find these methods have a limited detection scope: they look at one flow each time, thus can only check a small number of flows simultaneously. In addition, dedicated rules for statistics collection can impose a large overhead on flow tables of SDN switches. To this end, this paper presents FOCES, a network-wide forwarding anomaly detection and localization method in SDN. Different from previous methods, FOCES applies a new kind of flow conservation principle at network wide, and can check forwarding behaviors of all flows in the network simultaneously, without installing any dedicated rules. Finally, FOCES applies a voting-based method to localize malicious switches when anomalies are detected. Experiments with four network topologies show that FOCES can achieve a detection precision higher than 90%, when the packet loss rate is no larger than 10%, and a localization accuracy of around 80% when the packet loss rate is no larger than 5%.

Weisong He,Guangmin Hu,Yingjie Zhou

DOI: https://doi.org/10.1007/s11235-010-9384-1

2010-01-01

Telecommunication Systems

Abstract:In this paper, a substructure-based network behavior anomaly detection approach, called WFS (Weighted Frequent Subgraphs), is proposed to detect the anomalies of a large-scale IP networks. With application of WFS, an entire graph is examined, unusual substructures of which are reported. Due to additional information given by the graph, the anomalies are able to be detected more accurately. With multivariate time series motif association rules mining (MTSMARM), the patterns of abnormal traffic behavior are able to be obtained. In order to verify the above proposals, experiments are conducted and, together with application of backbone networks (Internet2) Netflow data, show some positive results.

Yingjie Zhou,Guangmin Hu

DOI: https://doi.org/10.1587/transcom.E94.B.2239

2011-01-01

IEICE Transactions on Communications

Abstract:Detecting distributed anomalies rapidly and accurately is critical for efficient backbone network management. In this letter, we propose a novel anomaly detection method that uses router connection relationships to detect distributed anomalies in the backbone Internet. The proposed method unveils the underlying relationships among abnormal traffic behavior through closed frequent graph mining, which makes the detection effective and scalable.

Yang Li,Binxing Fang,Li Guo

DOI: https://doi.org/10.1007/978-3-540-72383-7_150

2007-01-01

Abstract:Network anomaly detection has been a hot topic in the past years. However, high false alarm rate, difficulties in obtaining exact clean data for the modeling of normal patterns and the deterioration of detection rate because of "unclean" training set always make it not as good as we expect. Therefore, we propose a novel data mining method for network anomaly detection in this paper. Experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positives, low false positives as well as with high confidence than the state-of-the-art anomaly detection methods. Furthermore, even provided with not purely "clean" data (unclean data), the proposed method is still robust and effective.

Ming-Tsung Kao,Dian-Ye Sung,Shang-Juh Kao,Fu-Min Chang

DOI: https://doi.org/10.3390/electronics11101531

IF: 2.9

2022-05-12

Electronics

Abstract:Unknown cyber-attacks have appeared constantly. Several anomaly detection techniques based on semi-supervised learning have been proposed to detect these unknown cyber-attacks. Among them, the Denoising Auto-Encoder (DAE) scheme performs better than others in accuracy but is not good enough in precision. This paper proposes a novel two-stage deep learning structure for network flow anomaly detection by combining the models of Gate Recurrent Unit (GRU) and DAE. By using supervised anomaly detection with a selection mechanism to assist semi-supervised anomaly detection, the precision and accuracy of the anomaly detection system are improved. In the proposed structure, we first use the GRU model to analyze the network flow and then take the outcome from the Softmax function as a confidence score. When the score is more than or equal to the predefined confidence threshold, the GRU model outputs the flow as a positive result, no matter the flow is classified as normal or abnormal. When the score is less than the confidence threshold, GRU model outputs the flow as a negative result and passes the flow to DAE model for flow classification. DAE then determines a reconstruction error threshold by learning the pattern of normal flows. Accordingly, the flow is normal or abnormal depending on whether it is under or over the reconstruction error threshold. A comparative experiment is performed using NSL-KDD dataset as benchmark. The results revealed that the precision using the proposed scheme is 0.83% better than DAE. The accuracy using the proposed approach is 90.21%, which is better than Random Forest, Naïve Bayes, One-Dimensional Convolutional Neural Network, two-stage Auto-Encoder, etc. In addition, the proposed approach is also applied to the environment of software defined network (SDN). By adopting our approach in SDN environment, the precision and F-measure are significantly improved.

engineering, electrical & electronic,computer science, information systems,physics, applied

H. P. Yao,Y. Q. Liu,C. Fang

DOI: https://doi.org/10.15837/ijccc.2016.4.2315

IF: 2.635

2016-01-01

International Journal of Computers Communications & Control

Abstract:Anomaly network detection is a very important way to analyze and detect malicious behavior in network. How to effectively detect anomaly network flow under the pressure of big data is a very important area, which has attracted more and more researchers' attention. In this paper, we propose a new model based on big data analysis, which can avoid the influence brought by adjustment of network traffic distribution, increase detection accuracy and reduce the false negative rate. Simulation results reveal that, compared with k-means, decision tree and random forest algorithms, the proposed model has a much better performance, which can achieve a detection rate of 95.4% on normal data, 98.6% on DoS attack, 93.9% on Probe attack, 56.1% on U2R attack, and 77.2% on R2L attack.

Wang Mingxin,Zhou Huachun,Chen Jia,Zhang Hongke

DOI: https://doi.org/10.11959/j.issn.1000-0801.2015217

2015-01-01

Abstract:SDN（software defined networking）is a novel network infrastructure which separate the control plane from the data plane. Taking advantage of the idea of SDN, a central security center was built which collected traffic from the SDN data plane entity for analyzing. The attacks can be detected based on the entropy variation of the identifier and locate the type of attack with the classification algorithm. As the anomaly patterns were detected, the security center would cooperate with the central controller to install the flow table to alleviate the influence of the attack. The anomaly traffic can be detected early and can't influence the performance of the controller. Besides, the controller can be protected from attack based on our system.

Daojing He,Sammy Chan,Xiejun Ni,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2017.2694702

IF: 10.6

2017-01-01

IEEE Internet of Things Journal

Abstract:Traffic anomaly detection has been a principal direction in the network security field, which aims to identify attacks based on significant deviations from the established normal usage profiles. Recently, a new networking paradigm, software defined networking (SDN), has emerged to facilitate effective network control and management. In this paper, we present the advantages of leveraging SDN to detect traffic anomaly, and review recent progresses in this direction. Despite their effectiveness for traditional traffic, SDN-based traffic anomaly detection methods have to face the challenge of continuously increasing network traffic. To this end, we propose two refined algorithms to be used in an anomaly detection framework which can handle voluminous data, and report some experimental results to demonstrate their performance.

LIU Hui,WANG Jun-feng,SHE Chun-dong

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.03.093

2011-01-01

Abstract:To overcome the limitation that off-line learning process was overly dependent upon the amount of training data in traditional anomaly intrusion detection methods,introduced frequent subgraph mining theory,combining with the unique derivative ability of the directed graph transformed from the system call sequence,could obtain large quantities of derivative patterns via a relatively small scale of training data.Experimental results indicate that the extended pattern set can effectively increase the detecting ability for the unknown behavior.Meanwhile,with the integrated consideration of local and global characteristic in system call sequence,proposed a reasonable method for constructing the variable-length patterns.

Wei SUN,Yu ZHANG

DOI: https://doi.org/10.3778/j.issn.1673-9418.1908003

2020-01-01

Abstract:Evidence of malicious activity on the intranet is often hidden in large data streams, such as system logs that accumulate over months or years, whereas data flows are often unbounded, changing, and unlabeled. Therefore, in order to achieve highly accurate anomaly detection, this paper proposes an intranet anomaly detection method that integrates flow mining and graph mining, which not only gives full play to the unsupervised advantages of graph mining, but also integrates the good adaptive ability of flow mining. Through the ensemble classification and update, when the concept drift occurs, this paper uses the ensemble-based method to ensure that the ensemble adapts to the current concept, so that it can detect the malicious behavior of the intranet. Experiments show that this method is more effective than the traditional single-model based method, and can effectively detect the intranet anomalies, which changes their behavior over time to hide malicious activities. The method based on flow mining and graph mining proposed in this paper is very meaningful for the abnormal and unlabeled data of the intranet hidden in a large number of data streams.

Hangyu Hu,Xuemeng Zhai,Mingda Wang,Guangmin Hu

DOI: https://doi.org/10.1007/978-3-030-24268-8_7

2019-01-01

Abstract:With the continuous development and wide application of various network technologies, such as the mobile, wireless and sensors network, network services are becoming more and more high-speed, diversified and complex. Also, network attacks and infrequent events have emerged, making the promotion of network anomaly detection more and more significant. In order to control and manage the networks and establish a credible network environment, it is critical to facilitate an accurate behavioral characteristic analysis for networks, proactively identify abnormal events associated with network behavior, and improve the capacity of responding to abnormal events. In this paper, we use Network Connection Graphs (NCGs) to model flow activities during network operation. After we construct a NCG in a time-bin, then we can extract graph metric features for quantitative or semi-quantitative analysis of flow activities. And we also could build a series of NCGs to describe the evolution process of network operation. During these NCGs, we have conducted dynamic analysis to find out the outlier points of graph metric features by using Z-score analysis method so that we can detect the hidden abnormal events. The experiment results based on real network traces have demonstrated that the effectiveness of our method in network flow behavior analysis and abnormal event identification.

Xiaoxiao Ma, Jia Wu, Shan Xue, Jian Yang, Chuan Zhou, Quan Z Sheng, Hui Xiong, Leman Akoglu

2021-10-08

Abstract:Anomalies are rare observations (e.g., data records or events) that deviate significantly from the others in the sample. Over the past few decades, research on anomaly mining has received increasing interests due to the implications of these occurrences in a wide range of disciplines - for instance, security, finance, and medicine. For this reason, anomaly detection, which aims to identify these rare observations, has become one of the most vital tasks in the world and has shown its power in preventing detrimental events, such as financial fraud, network intrusions, and social spam. The detection task is typically solved by identifying outlying data points in the feature space, which, inherently, overlooks the relational information in real-world data. At the same time, graphs have been prevalently used to represent the structural/relational information, which raises the graph anomaly detection problem - identifying …

Yulong Pei,Fang Lyu,Werner van Ipenburg,Mykola Pechenizkiy

DOI: https://doi.org/10.1145/3383455.3422548

2020-01-01

Abstract:Effective anomaly detection is crucial for the success of many AI-based solutions in the financial domain, including e.g. fraud detection and risk modeling. Identifying anomaly from financial transaction networks is one of the challenging tasks that can be cast as a special instance of anomaly detection in networks. Existing methods typically attempt to detect only node-level anomalies, and assume prior knowledge to extract representative features for identifying anomalies. However, there exist collective fraudulent behaviors at the level of subgraphs rather than individual node. A ring structure for money laundering and a tree structure for pyramid schemes would be common examples. Also, in practice it is difficult to decide which features are more representative beforehand. In this paper, we introduce SADE (Subgraph Anomaly DEtection) framework that addresses these needs. SADE consists of two steps: 1) role-guided subgraph embedding, and 2) subgraph anomaly detection. Our approach for learning the subgraph embeddings allows to preserve both the local structure of subgraphs and the global structure of entire network by making use of global roles and local connections of nodes. The learnt representation allows effective use of the state of art anomaly detection approaches. Our extensive experiments on synthetic and real-world financial transaction networks demonstrate the effectiveness of SADE in learning subgraph embeddings without requiring any prior knowledge and detecting anomalous subgraphs.