Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

ZHENG Li-ming,ZOU Peng,HAN Wei-hong,LI Ai-ping,JIA Yan

DOI: https://doi.org/10.3969/j.issn.1000-436x.2011.12.020

2011-01-01

Abstract:For the special requirements of anomaly detection in backbone networks,an anomaly detection method was proposed based in the summary data structure: Filter-ary-Sketch.It recorded the network traffic information in Fil-ter-are-Sketch online and detected anomalies based on multi-dimensional entropy at every circle.If an anomaly was detected,the anomaly point located according to data stream recorded in Filter-ary-Sketch.Finally,malicious traffic blocked using the source IPs recorded in Bloom filter.The method was effective in detecting a variety of network at-tacks;especially it could block the malicious traffic.Evaluated by the experiment,the method can detect anomaly in the backbone network with small computing and memory resource and block the IP flows that are responsible for the anomaly.

Weiwei Chen,Fangang Kong,Feng Mei,Guiqin Yuan,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity.2017.56

2017-01-01

Abstract:Network Anomaly Detection plays an important part in network security. Among the state-of-the-art approaches, unsupervised anomaly detection is effective when dealing with unlabelled data. However, these approaches also suffer from high false positive rate. We observed that different methods have their own defects and advantages. Inspired by this observation, we provide a new ensemble clustering(NEC) method to detect novel anomalies. In our system,we can get higher detection rate and lower false positive rate compared with existed apporaches as verified over NSL-KDD 2009 dataset.

Qinghao Zhang,Miao Ye,Xiaofang Deng

DOI: https://doi.org/10.1080/09540091.2022.2078281

2022-06-16

Connection Science

Abstract:Anomaly detection is a critical technique that ensures the reliability of WSNs. However, most existing anomaly detectionmethods only consider the case of single modal data flow anomaly detection for each node or multiple modal time series data flowanomaly detection for a single node and do not consider the case of multiple nodes and multiple time series data flow simultaneously,and it limited the ability of anomaly detection. In this paper, a novel anomaly detection model is proposed for multimodal WSN data flows. First, the temporal features and modal correlation features extracted from each sensor node are fused into one vectorrepresentation, then it is further aggregated with the spatial features represented the spatial position relationship of the nodes; finally,the current time-series data of WSN nodes are predicted, and abnormal states are identified according to the fusion features. Thesimulation results obtained on a public dataset show that the proposed approach can significantly improve upon existing methods interms of robustness, and its F1 score reaches 0.90, which is 14.2% higher than that of the graph convolution network (GCN) with longshort-term memory (LSTM).

computer science, artificial intelligence, theory & methods

zheng hong xiao,zhi gang chen,xiao heng deng

DOI: https://doi.org/10.4028/www.scientific.net/AMM.121-126.3745

2012-01-01

Applied Mechanics and Materials

Abstract:Based on the principle that the same class is adjacent, an anomaly intrusion detection method based on K-means and Support Vector Machine (SVM) is presented. In order to overcome the disadvantage that k-means algorithm requires initializing parameters, this paper proposes an improved K-means algorithm with a strategy of adjustable parameters. According to the location of wireless sensor networks (WSN), we can obtain clustering results by applying improved K-means algorithm to WSN, and then SVM algorithm is applied to different clusters for anomaly intrusion detection. Simulation results show that the proposed method can detect abnormal behaviors efficiently and has high detection rate and low false positive rate than the current typical intrusion detection schemes of WSN.

YANG Yu-zhou,ZHANG Feng-li,WANG Yong

DOI: https://doi.org/10.3969/j.issn.1002-137x.2012.04.012

2012-01-01

Computer Science

Abstract:Network anomaly detection has become one of the focus research topics in the field of intrusion detection.However,issues on accurate selection of key date in training set,the long selection time,and the high rate of detection misstatement are still unresolved.Regarding to those problems,to integrate K-MEANS and Branch and Bound Algorithm,and to build up a network anomaly detection model on it can significantly improve the accuracy of key data selection,and reduce time consumption as well.A series of experiments on well known KDD Cup 1999 dataset demonstrate that the model can achieve a high detection accuracy and efficiently constrain the false alarms caused by detection.

Aiping Li,Yi Han,Bin Zhou,Weihong Han,Yan Jia

2012-01-01

Applied Mathematics & Information Sciences

Abstract:Monitoring network data streams in real-time to check security event become more and more important along with the rapid growth of Internet applications. The detection typically treats the traffic as a collection of flows that need to be examined for significant changes in traffic pattern (e.g., volume, number of connections). However, as link speeds and the number of flows increase, keeping per-flow state is either too expensive or too slow. We propose building compact summaries of the traffic data using the notion of sketches. In this paper, we proposed an IP address traceability network anomaly detection method at right time based on the summary data structure. In this method, the network traffic information is recorded into sketch online in every circle which is used to detect anomalies. By using EWMA forecasting model to get each circle forecast value, it computes the error sketch between the recoded value and forecast value and detects heavy network traffic change based on Mean-Standard deviation in the error sketch. The method is effective in detecting DDoS attack, scan attack. And it can trace the IP address of victim host. Evaluated by the experiment, the results show that this method takes up little computing and memory resources and is suitable for anomaly detection under the high-speed network traffic.

Xiaoyu Wang,Yongwang Zhou,Dongbiao Li,Chi Zhang

DOI: https://doi.org/10.1109/iccc62479.2024.10681973

2024-01-01

Abstract:Anomaly detection in dynamic and temporal graphs is frequently accomplished using unsupervised learning. This involves clustering to group similar data instances and identify outliers. Nonetheless, the accuracy of unsupervised learning algorithms is limited when anomalous data instances exhibit similar features. Existing graph theory-based methods can only detect significant anomalies that affect the entire network structure but fail to detect subtle anomalies such as small-scale DDoS attacks within node groups. Conversely, monitoring the behavior of every node in a real-time network can be expensive. In this paper, we propose a real-time anomaly detection method that leverages community detection and graph spectral theory. Specifically, each graph is partitioned into groups of densely connected nodes, which serve as detection objects to identify subtle anomalies. To address the challenge of detecting anomalies with similar features, we measured changes in communities between adjacent time steps, allowing us to identify outlier time points. Finally, to strike a balance between accuracy and cost, we utilize a novel graph spectral theory method as a graph distance function. Experimental evaluations demonstrate the efficacy of our approach in detecting subtle anomalies.

Qian Ma,Cong Sun,Baojiang Cui

DOI: https://doi.org/10.1155/2021/2170788

IF: 1.968

2021-11-20

Security and Communication Networks

Abstract:New vulnerabilities and ever-evolving network attacks pose great threats to today’s cyberspace security. Anomaly detection in network traffic is a promising and effective technique to enhance network security. In addition to traditional statistical analysis and rule-based detection techniques, machine learning models are introduced for intelligent detection of abnormal traffic data. In this paper, a novel model named SVM-C is proposed for the anomaly detection in network traffic. The URLs in the network traffic log are transformed into feature vectors via statistical laws and linear projection. The obtained feature vectors are fed into a support vector machine (SVM) classifier and classified as normal or abnormal. Based on the idea of SVM and clustering, we construct an optimization model to train the parameters of the feature extraction method and traffic classifier. Numerical tests indicate that the proposed model outperforms the state of the arts on all the tested datasets.

computer science, information systems,telecommunications

Yong Feng,Jiang Zhong,Zhong-Yang Xiong,Chun-Xiao Ye,Kai-Gui Wu

DOI: https://doi.org/10.1007/978-3-540-72393-6_113

2007-01-01

Abstract:An approach to network anomaly detection is investigated, based on dynamic self-organizing maps (DSOM) and ant colony optimization (ACO) clustering. The basic idea of the method is to produce the cluster by DSOM and ACO. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on DSOM and ACO clustering can settle these problems effectively. The experiment results show that our approach can detect unknown intrusions efficiently in the real network connections.

Renyu Liu,Qingsheng Zhu

DOI: https://doi.org/10.1109/ijcnn.2018.8489336

2018-01-01

Abstract:As a kind of network security protection technology, intrusion detection technology has become one of the hot topics in the field of network security. In order to solve the problem that the methods of network anomaly detection have a high requirement on the purity of the normal data-set, and that the existing methods based on outlier detection need to set an anomaly threshold manually. Combining with the idea of Natural Neighborhood Graph, a network anomaly detection method (NAD-NNG) is proposed. In order to eliminate noise points or mislabel points and reduce the time complexity of anomalies detection, the algorithm uses the Natural Neighborhood Graph to cluster the normal data-set. Also, the algorithm can adaptively obtain a percentage value β for setting the anomaly threshold. Experiments on KDDCUP99 show that compared with the other two algorithms, the proposed method can achieve a higher detection rate based on a tolerable false alarm rate.

Qun Huang,Patrick P. C. Lee

DOI: https://doi.org/10.1109/INFOCOM.2014.6848076

2014-01-01

Abstract:Real-time characterization of traffic anomalies, such as heavy hitters and heavy changers, is critical for the robustness of operational networks, but its accuracy and scalability are challenged by the ever-increasing volume and diversity of network traffic. We address this problem by leveraging parallelization. We propose LD-Sketch, a data structure designed for accurate and scalable traffic anomaly detection using distributed architectures. LD-Sketch combines the classical counter-based and sketch-based techniques, and performs detection in two phases: local detection, which guarantees zero false negatives, and distributed detection, which reduces false positives by aggregating multiple detection results. We derive the error bounds and the space and time complexity for LD-Sketch. We compare LD-Sketch with state-of-the-art sketch-based techniques by conducting experiments on traffic traces from a real-life 3G cellular data network. Our results demonstrate the accuracy and scalability of LD-Sketch over prior approaches.

Xiao-Dong Zang,Jian Gong,Xiao-Yan Hu

DOI: https://doi.org/10.1109/access.2019.2914303

IF: 3.9

2019-01-01

IEEE Access

Abstract:Anomaly detection is the first step with a challenging task of securing a communication network, as the anomalies may indicate suspicious behaviors, attacks, network malfunctions, or failures. In this paper, we address the problem of not only detecting different anomalies, such as volume based (e.g., DDoS or Flash crowd) and spatial based (e.g., network scan), that arise simultaneously in the wild but also of attributing the anomalous point to a single-anomaly event causing it. Besides, we also tackle the problem of low-detection accuracy caused by the phenomenon of traffic drift. To this end, a novel adaptive profile-based anomaly detection scheme is proposed. More specifically, a more comprehensive metrics set is defined from the dimensions of temporal, spatial, category, and intensity to compose IP traffic behavior characteristic spectrum for fine-grained traffic characterization. Then, the digital signature matrix obtained by using the ant colony optimization (ACO) algorithm is applied to construct the baseline profile of the normal traffic behavior. Anomalous points are identified and analyzed by using confidence bands and a generic clustering technique, respectively. Finally, a lightweight updating strategy is applied to reduce the number of false positives. Real-world data of China Education Research Network backbone and synthetic data are collected to verify our proposal. The experimental results demonstrate that our approach provides a fine-grained behavior description ability and has significantly increased the detection accuracy compared with other similar alternatives.

Yingjie Zhou,Guangmin Hu

DOI: https://doi.org/10.1587/transcom.E94.B.2239

2011-01-01

IEICE Transactions on Communications

Abstract:Detecting distributed anomalies rapidly and accurately is critical for efficient backbone network management. In this letter, we propose a novel anomaly detection method that uses router connection relationships to detect distributed anomalies in the backbone Internet. The proposed method unveils the underlying relationships among abnormal traffic behavior through closed frequent graph mining, which makes the detection effective and scalable.

罗娜,李爱平,吴泉源,陆华彪

DOI: https://doi.org/10.3724/sp.j.1001.2009.03685

2009-01-01

Journal of Software

Abstract:In this paper,an anomaly detection method is proposed based on the summary data structure—sketch.It records the network traffic information in sketch online and detects anomalies at every circle.After using EWMA forecasting model to get each circle's forecast sketch,this paper computes the errors between the recoded sketch and forecast sketch.Then,the network traffic change reference is constructed by establishing the Mean-Standard deviation model on the error sketch.The method is effective in detecting DDOS attack,scan attack and so on.Particularly,it can track the IP address of anomaly.Evaluated by the experiment,this method can detect anomaly in the backbone network with small computing and memory resource.

Guolou Ping,Shuo Feng,Yehao Li,Xiaojun Ye

DOI: https://doi.org/10.1109/iccc56324.2022.10065635

2022-01-01

Abstract:To address the challenge of lacking labeling information in network traffic anomaly detection, we propose an unsupervised anomaly detection algorithm based on cascading representation and multiple-clustering. First, this paper designs a cascading representation method to obtain discriminative traffic features. We create a residual auto-encoder that employs generative learning to capture generic statistical expressions. We augment the time-series features in various ways and leverage contrastive learning to capture discriminative representations. We develop a host identification task based on triplet loss, enhancing feature discrimination in addition to cascading two feature representations. Second, we design a multiple-clustering-based algorithm for anomalous traffic detection. By performing KMeans on the cascading feature representations, we obtained clustering centers to replace each cluster and avoid the problem of unbalanced abnormal traffic. By applying DBSACAN clustering with a tree structure to these clustering centers and using the height of the anomalies to calculate the traffic anomaly score, we can detect abnormal network traffic flexibly. Finally, we conducted experimental validation on several commonly used intrusion detection datasets. The experimental results show that the method proposed in this paper generally outperforms the comparison methods.

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Liang Hu,Nurbol,Zhiyu Liu,Jinshan He,Kuo Zhao

DOI: https://doi.org/10.4103/0256-4602.62784

2010-01-01

IETE Technical Review

Abstract:Anomaly detection, as an important complement to misuse detection, has the capability of finding and foiling both known and "zero day" attacks. Performing anomaly detection in real time places hard requirement on the algorithms used. It makes many detection techniques based on proposed data mining algorithms less suitable to be used under real-time network circumstances. To address the problem, a novel anomaly detection algorithm using time-stamped clustering is proposed. In this paper, the normality model used for detection is the clustering result of BIRCH. Once a cluster is generated or modified in the tree index of BIRCH, it will be marked by a lasted modified time-stamp and frequent item. Using each clusters time-stamp and frequent item, the algorithm can dynamically remove some expired clusters from the model, and can also produce some new clusters that makes our clustering method more suitable for the real network environment. Experiments with the KDDCUP 1999 dataset show that our algorithm is less sensitive to noise data objects than ADWICE and has lower computer resource consumption.

Yishan Guo,Mandan Liu

DOI: https://doi.org/10.3233/ida-216185

IF: 1.7

2023-02-01

Intelligent Data Analysis

Abstract:With the development of wireless communication technology, when users use wireless networks to meet various needs, wireless networks also record a large number of users' spatial-temporal trajectory data. In order to better pay attention to the healthy development of students and promote the information construction on campus, a spectral clustering algorithm based on the multi-scale threshold and density combined with shared nearest neighbors (MSTDSNN-SC) is proposed. Firstly, it improves the affinity distance function based on the shortest time dis-tance-shortest time distance sub-sequence (STD-STDSS) by adding location popularity and uses this model to construct the initial adjacency matrix. Then it introduces the covariance scale threshold and spatial scale threshold to perform 0–1 processing on the adjacency matrix to obtain more accurate sample similarity. Next, it constructs an eigenvector space by eigenvalue decom-position of the adjacency matrix. Finally, it uses DBSCAN clustering algorithm with shared nearest neighbors to avoid to manually determine the number of clusters. Taking Internet usage data on campus as an example, multiple clustering algorithms are used for anomaly detection and four evaluation metrics are applied to estimate the clustering results. MSTDSNN-SC algorithm reflects better clustering performance. Furthermore, the abnormal trajectories list is verified to be effective and credible.

Xiejun Ni,Daojing He,Sammy Chan,Farooq Ahmad

DOI: https://doi.org/10.1007/978-3-319-39555-5_12

2016-01-01

Abstract:Intrusion detection systems (IDSs) play a significant role to effectively defend our crucial computer systems or networks against attackers on the Internet. Anomaly detection is an effective way to detect intrusion, which can discover patterns that do not conform to expected behavior. The mainstream approaches of ADS (anomaly detection system) are using data mining technology to automatically extract normal pattern and abnormal ones from a large set of network data and distinguish them from each other. However, supervised or semi-supervised approaches in data mining rely on data label information. This is not practical when the network data is large-scale. In this paper, we propose a two-stage approach, unsupervised feature selection and density peak clustering to tackle label lacking situations. First, the density-peak based clustering approach is introduced for network anomaly detection, which considers both distance and density nature of data. Second, to achieve better performance of clustering process, we use maximal information coefficient and feature clustering to remove redundant and irrelevant features. Experimental results show that our method can get rid of useless features of high-dimensional data and achieves high detection accuracy and efficiency in the meanwhile.