Chuanpu Fu,Qi Li,Ke Xu

DOI: https://doi.org/10.1109/tnet.2024.3370851

2024-01-01

IEEE/ACM Transactions on Networking

Abstract:Nowadays traffic on the Internet has been widely encrypted to protect its confidentiality and privacy. However, traffic encryption is always abused by attackers to conceal their malicious behaviors. Since encrypted malicious traffic is similar to benign flows, it can easily evade traditional detection. In particular, the existing encrypted traffic detection methods are supervised which rely on the prior knowledge of known attacks (e.g., labeled datasets). Detecting unknown encrypted malicious traffic, which does not require prior knowledge, is still an open problem. In this paper, we propose, an unsupervised machine learning (ML) based malicious traffic detection system. Particularly, is able to detect unknown patterns of encrypted malicious traffic by utilizing a graph built upon flow interaction patterns, instead of learning the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the graph features, which allows to detect unknown attacks without requiring any labeled datasets. Moreover, we establish an information theory model to prove the effectiveness of . We show the performance of by real-world experiments with 140 attacks. The experimental results illustrate that outperforms the state-of-the-art methods by 13.9% accuracy improvement. Moreover, achieves 15.82 Mpps detection throughput with the average detection latency of 0.29s.

telecommunications,computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Zhengbing Hu,Roman Odarchenko,Sergiy Gnatyuk,Maksym Zaliskyi,Anastasia Chaplits,Sergiy Bondar,Vadim Borovik,

DOI: https://doi.org/10.5815/ijcnis.2020.06.01

2021-12-08

International Journal of Computer Network and Information Security

Abstract:Represented paper is currently topical, because of year on year increasing quantity and diversity of attacks on computer networks that causes significant losses for companies. This work provides abilities of such problems solving as: existing methods of location of anomalies and current hazards at networks, statistical methods consideration, as effective methods of anomaly detection and experimental discovery of choosed method effectiveness. The method of network traffic capture and analysis during the network segment passive monitoring is considered in this work. Also, the processing way of numerous network traffic indexes for further network information safety level evaluation is proposed. Represented methods and concepts usage allows increasing of network segment reliability at the expense of operative network anomalies capturing, that could testify about possible hazards and such information is very useful for the network administrator. To get a proof of the method effectiveness, several network attacks, whose data is storing in specialised DARPA dataset, were chosen. Relevant parameters for every attack type were calculated. In such a way, start and termination time of the attack could be obtained by this method with insignificant error for some methods.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Qiuzhen Huang

DOI: https://doi.org/10.1016/j.jnca.2011.06.006

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:The randomness in network behaviors poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features to capture the traffic patterns. The blind source separation method is applied to obtain the routine and abnormal behaviors from those features. A scale space filter is applied to filter the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of different traffic features to the abnormal behavior detection are analyzed. It is found that the number of connection degree is the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting the abnormal behaviors not associated with significant changes in traffic volumes. Another advantage of the new method is that no supervised learning process is needed. This is very important since high quality labeled samples are very difficult to acquire in actual networks especially the data traces associated with attacks. The experimental results based on the actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in the gigabytes traffic environment and the accuracy is above 95%.

Zecheng Li,Shengyuan Chen,Hongshu Dai,Dunyuan Xu,Cheng-Kang Chu,Bin Xiao

DOI: https://doi.org/10.1109/tr.2022.3204349

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Abnormal traffic detection is the core component of the network intrusion detection system. Although semisupervised methods can detect zero-day attack traffic, previous work suffers from high false alarms because the trained model is simply based on normal traffic. In this article, we propose an accurate abnormal traffic detection method using pseudoanomaly, consisting of an efficient feature extraction framework and a novel denoise autoencoder-generative adversarial network (DAE-GAN) model. The feature extraction framework adopts an innovative packet window scheme to extract spatial and temporal features from traffic flows. The DAE-GAN model has multiple DAEs to achieve efficient data augmentation and generate high-quality pseudoanomalies. The pseudoanomalies are obtained by adding noise on normal traffic and enhanced by adversarial learning in DAE-GAN. Our semisupervised detection method, exploiting both normal data and generated pseudoanomalies, achieves a precision of 98.6 on the NSL-KDD dataset and 98.5 on the UNSW-NB15 dataset. Compared with the state-of-the-art, the detection precision and recall under different user behaviors are significantly improved. The evaluation on four attack datasets shows that our method has a high flow-wise precision of over 99 and a high recall of 60.6.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

DOI: https://doi.org/10.18469/ikt.2022.20.4.05

2023-09-22

Infokommunikacionnye tehnologii

Abstract:Anomaly in network traffic can arise from various cyberattacks, malfunction network devices or software flaws. Therefore traffic anomaly detection is an important practical problem especially in the issue of cybersecurity. Many recent anomaly detection techniques are based on machine learning methods. Unsupervised machine learning algorithms generally are more preferable than supervised learning because they can be trained on raw undimensioned data that greatly reduce training expenses. Dimensionality reduction methods are unsupervised learning algorithms that can be used for traffic anomaly detection. This work presents an application of such traffic anomaly detection methods, when faults are caused by some network attacks.

Raja, Nirav M

DOI: https://doi.org/10.1007/s13278-023-01057-0

2023-04-19

Social Network Analysis and Mining

Abstract:Currently, there is an enormous disturbance regarding privacy in information and communication technology around the scientific community. Since any assault or abnormality in the network can seriously disturb numerous realms like national security, private data storage, social welfare, economic issues, and so on. Consequently, one of the domains for detecting intrusion in the network is anomaly detection domain and it is a wide probe area. Various numerous methods and approaches have developed for anomaly detection. In the network security field, traffic anomaly detection has been a main aspect. The network security domain recognizes assaults in terms of significant deviations from the entrenched regular usage profiles. Nowadays, software-defined networking (SDN) is a new networking model has developed to ease effectual network control and management. This view investigates 50 probe papers focused on traffic flow rate prediction-based anomaly detection in SDN. Furthermore, it presents technique wise classifications like flow counting-based techniques, information theory-based approaches, entropy-based techniques, deep learning (DL)-based approaches, hybrid methods and network methods. An examination includes in an overview based on classification research techniques, toolset used, years of publication, datasets, and evaluation metrics for predicting anomaly in the SDN environment. Lastly, the limitations of surveyed techniques are explained, that encourage investigators for inventing more new techniques for predicting anomaly in SDN.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Liyang Wang,Yu Cheng,Hao Gong,Jiacheng Hu,Xirui Tang,Iris Li

2024-09-23

Abstract:The sophistication and diversity of contemporary cyberattacks have rendered the use of proxies, gateways, firewalls, and encrypted tunnels as a standalone defensive strategy inadequate. Consequently, the proactive identification of data anomalies has emerged as a prominent area of research within the field of data security. The majority of extant studies concentrate on sample equilibrium data, with the consequence that the detection effect is not optimal in the context of unbalanced data. In this study, the unsupervised learning method is employed to identify anomalies in dynamic data flows. Initially, multi-dimensional features are extracted from real-time data, and a clustering algorithm is utilised to analyse the patterns of the data. This enables the potential outliers to be automatically identified. By clustering similar data, the model is able to detect data behaviour that deviates significantly from normal traffic without the need for labelled data. The results of the experiments demonstrate that the proposed method exhibits high accuracy in the detection of anomalies across a range of scenarios. Notably, it demonstrates robust and adaptable performance, particularly in the context of unbalanced data.

Machine Learning,Artificial Intelligence,Cryptography and Security

Norihiro Okui,Yusuke Akimoto,A. Kubota,Takuya Yoshida

DOI: https://doi.org/10.1109/COMPSAC57700.2023.00154

2023-06-01

Abstract:With the spread of Internet of Things (IoT) devices, countermeasures against cyber-attacks have become an issue. In this study, we focused on anomaly detection using flow data, which can reduce the data volume, and proposed a new anomaly detection method that combines a new graph composition method that represents a sequence of flow data as a graph and a graph neural network (GNN). Various detection methods, including deep learning, have been proposed for identifying malware such as denial-of-service (DoS) attacks, in which the characteristics of traffic deviate significantly from those of benign communications. We conducted an evaluation experiment with the proposed method using the KDDI-IoT-2019 dataset and discussed its effectiveness and limitations.

Computer Science

Annalisa Pelati,Michela Meo,Paolo Dini

DOI: https://doi.org/10.1109/tvt.2022.3174735

IF: 6.8

2022-09-03

IEEE Transactions on Vehicular Technology

Abstract:In this paper, we design an Anomaly Detection (AD) framework for mobile data traffic, capable of identifying different types of anomalous events generated by flash crowds in metropolitan areas. We state the problem using a semi-supervised approach and exploit the great performance of different Recurrent Neural Network (RNN) models to learn the temporal context of input sequences. Our proposal processes real traffic traces from the unencrypted LTE Physical Downlink Control Channel (PDCCH) of an operative network, gathered during an extensive measurement campaign in two major cities in Spain. The AD framework is designed to perform: i) a-posteriori analysis to understand users' behavior and urban environment variations; ii) real-time analysis to automatically and on-the-fly alert urban anomalies; and iii) estimation of the duration of the periods identified as anomalous. Numerical results show the higher performance of our AD framework compared to classic AD algorithms and confirm that the proposed framework predicts anomalous behaviours with high accuracy and regardless of their cause.

telecommunications,engineering, electrical & electronic,transportation science & technology

Chuanpu Fu,Qi Li,Ke Xu

DOI: https://doi.org/10.48550/arXiv.2301.13686

2023-01-31

Abstract:In this paper, we propose HyperVision, a realtime unsupervised machine learning (ML) based malicious traffic detection system. Particularly, HyperVision is able to detect unknown patterns of encrypted malicious traffic by utilizing a compact inmemory graph built upon the traffic patterns. The graph captures flow interaction patterns represented by the graph structural features, instead of the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the connectivity, sparsity, and statistical features of the graph, which allows HyperVision to detect various encrypted attack traffic without requiring any labeled datasets of known attacks. Moreover, we establish an information theory model to demonstrate that the information preserved by the graph approaches the ideal theoretical bound. We show the performance of HyperVision by real-world experiments with 92 datasets including 48 attacks with encrypted malicious traffic. The experimental results illustrate that HyperVision achieves at least 0.92 AUC and 0.86 F1, which significantly outperform the state-of-the-art methods. In particular, more than 50% attacks in our experiments can evade all these methods. Moreover, HyperVision achieves at least 80.6 Gb/s detection throughput with the average detection latency of 0.83s.

Cryptography and Security

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Tao Yang,Zhenze Jiang,Peiyu Liu,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.knosys.2023.110949

IF: 8.139

2023-01-01

Knowledge-Based Systems

Abstract:In Industrial Cyber-Physical Systems (ICPSs), the attacker can intrude into the cyber system through many penetration tools and attack the physical system. Payload-based traffic anomaly detection is a popular technique against these attacks. Due to the imbalanced distribution of normal and attack samples in ICPS, existing payload-based detection methods are mostly implemented based on unsupervised learning, typically comprising a word segmentation model and an unsupervised classifier. However, existing methods may disrupt semantic correlations and face challenges in extracting com-plex payload dependence relationships. To address these issues, this paper proposes a traffic anomaly detection approach, which consists of a data preprocessing model, an unsupervised word segmentation model, and an unsupervised classification model based on autoencoder. The unsupervised word segmentation model utilizes Long Short-Term Memory (LSTM) to calculate the probability of each word segmentation combination, effectively addressing the issue of inaccurate segmentation results in existing payload segmentation models. The unsupervised classification model, which combines 1D-Convolutional Neural Network (1D-CNN) and Bidirectional Encoder Representation from Transformers (BERT), addresses the challenge of extracting complex payload dependence relationships in existing classification models. The proposed detection approach is evaluated using a Cyber-Physical Attack Dataset (CPAD). Compared with the state-of-the-art detection approaches, the proposed approach has shown a significant improvement in Precision, with an increase of 18.83%. Additionally, the Recall has also been substantially enhanced, with a gain of 22.3%. Overall, the F1 has demonstrated a comprehensive improvement of 20.60%. (c) 2023 Elsevier B.V. All rights reserved.

Sanchita Basak,Afiya Ayman,Aron Laszka,Abhishek Dubey,Bruno Leao

DOI: https://doi.org/10.36001/phmconf.2019.v11i1.861

2019-09-22

Annual Conference of the PHM Society

Abstract:Traffic networks are one of the most critical infrastructures for any community. The increasing integration of smart and connected sensors in traffic networks provides researchers with unique opportunities to study the dynamics of this critical community infrastructure. Our focus in this paper is on the failure dynamics of traffic networks. We are specifically interested in analyzing the cascade effects of traffic congestions caused by physical incidents, focusing on developing mechanisms to isolate and identify the source of a congestion. To analyze failure propagation, it is crucial to develop (a) monitors that can identify an anomaly and (b) a model to capture the dynamics of anomaly propagation. In this paper, we use real traffic data from Nashville, TN to demonstrate a novel anomaly detector and a Timed Failure Propagation Graph based diagnostics mechanism. Our novelty lies in the ability to capture the the spatial information and the interconnections of the traffic network as well as the use of recurrent neural network architectures to learn and predict the operation of a graph edge as a function of its immediate peers, including both incoming and outgoing branches. To study physical traffic incidents, we augment the real data with simulated data generated using SUMO, a microscopic traffic simulator. Our results show that we are able to build LSTM-based traffic-speed predictors with an average loss of 6.55 × 10^−4 compared to Gaussian Process Regression based predictors with an average loss of 1.78 × 10^−2. We are also able to detect anomalies with high precision and recall, resulting in an AUC of 0.8507 for the precision-recall curve. Finally, formulating the cascade propagation problem as a Timed Failure Propagation Graph, we are able to identify the source of a failure accurately.

English Else

Guolou Ping,Shuo Feng,Yehao Li,Xiaojun Ye

DOI: https://doi.org/10.1109/iccc56324.2022.10065635

2022-01-01

Abstract:To address the challenge of lacking labeling information in network traffic anomaly detection, we propose an unsupervised anomaly detection algorithm based on cascading representation and multiple-clustering. First, this paper designs a cascading representation method to obtain discriminative traffic features. We create a residual auto-encoder that employs generative learning to capture generic statistical expressions. We augment the time-series features in various ways and leverage contrastive learning to capture discriminative representations. We develop a host identification task based on triplet loss, enhancing feature discrimination in addition to cascading two feature representations. Second, we design a multiple-clustering-based algorithm for anomalous traffic detection. By performing KMeans on the cascading feature representations, we obtained clustering centers to replace each cluster and avoid the problem of unbalanced abnormal traffic. By applying DBSACAN clustering with a tree structure to these clustering centers and using the height of the anomalies to calculate the traffic anomaly score, we can detect abnormal network traffic flexibly. Finally, we conducted experimental validation on several commonly used intrusion detection datasets. The experimental results show that the method proposed in this paper generally outperforms the comparison methods.

Zhangxuan Dang,Yu Zheng,Xinglin Lin,Chunlei Peng,Qiuyu Chen,Xinbo Gao

2024-03-13

Abstract:With the rapid development of the Internet, various types of anomaly traffic are threatening network security. We consider the problem of anomaly network traffic detection and propose a three-stage anomaly detection framework using only normal traffic. Our framework can generate pseudo anomaly samples without prior knowledge of anomalies to achieve the detection of anomaly data. Firstly, we employ a reconstruction method to learn the deep representation of normal samples. Secondly, these representations are normalized to a standard normal distribution using a bidirectional flow module. To simulate anomaly samples, we add noises to the normalized representations which are then passed through the generation direction of the bidirectional flow module. Finally, a simple classifier is trained to differentiate the normal samples and pseudo anomaly samples in the latent space. During inference, our framework requires only two modules to detect anomalous samples, leading to a considerable reduction in model size. According to the experiments, our method achieves the state of-the-art results on the common benchmarking datasets of anomaly network traffic detection. The code is given in the

Machine Learning,Artificial Intelligence,Cryptography and Security

Jielin Jiang,Shun Wei,Xiaolong Xu,Yan Cui,Xiying Liu

DOI: https://doi.org/10.1109/tim.2024.3457942

IF: 5.6

2024-09-27

IEEE Transactions on Instrumentation and Measurement

Abstract:Unsupervised anomaly detection (UAD) methods are widely used in industrial anomaly detection, primarily since there is a lack of anomalous data available for training. However, these methods still struggle to effectively detect and localize anomalies due to the diverse types of anomalies and frequent variations in their sizes and shapes. To address this challenge, we propose a new flow-based framework called two-hierarchy normalizing flow (THF) for anomaly detection and localization. THF consists of two main components: a masked flow and a constant flow. In the masked flow, we improve the traditional convolutional kernel by masking partial regions of the kernel to prevent excessive minimization of negative log-likelihood. This enhancement greatly helps in effectively detecting and localizing anomalies. The constant flow incorporates dual units (DUs) and a volume-preserving flow (VPF) module. The DUs consist of a characterization unit and a mixture unit. The characterization unit accurately captures both local and global feature information, while the mixture unit learns neighboring feature representations. Unlike traditional flow-based methods, the VPF module maintains the volume of the probability distribution invariable, facilitating precise detection and localization of high-scoring anomalies. Extensive experiments conducted on multiple widely used anomaly detection datasets demonstrate that THF outperforms state-of-the-art (SOTA) methods in both anomaly detection and localization.

engineering, electrical & electronic,instruments & instrumentation

Mohammad Hashem Haghighat,Zohreh Abtahi Foroushani,Jun Li

DOI: https://doi.org/10.1109/icct46805.2019.8947103

2019-01-01

Abstract:Network security becomes a big concern nowadays. Although many solutions have been developed to detect network anomalies, the number of successful attacks like DDoS, Phishing, and Spam are boosting dramatically. In this paper, a novel behavior-based method, called SAWANT, is proposed to detect malicious rate of network traffic. SAWANT uses deep learning architecture to analyze netflow data, in which several meaningful attributes are extracted using a sliding window technique. Extracted attributes are then taken to a deep learning structure to identify malicious rate of each window, that represents the rate of abnormal netflow records per the window size. Experimental results over the well-known labeled botnet traffic CTU 13 showed that SAWANT was highly accurate as more than 99% of predicted malicious rates were correct, while it required a very small number of records for training.

Su Yang,Wenbin Zhou

DOI: https://doi.org/10.1109/PASSAT/SocialCom.2011.10

2011-01-01

Abstract:Some special natural and social events like natural disasters, terrorism attacks, and traffic accidents may have remarkable effect on people's collective behaviors, which means the behaviors of a large number of people viewed as a whole. Analysis of the patterns of collective behaviors in the sense of data mining is an important topic. Solving this problem is crucial and practical in that online detection of abnormal patterns of people's collective behaviors may lead to rapid response to emergent affairs. In terms of technology, the task can be regarded as detection of abnormal particle movement patterns from a global point of view. In this study, we propose a solution to solve this problem. First, the traffic flows observed by more than 4000 sensors are organized as high-dimensional time series. Second, a widely used manifold learning technique referred to as locally linear embedding (LLE) is used to compute the K coefficients in fitting every data point with its K nearest neighbors in the high-dimensional space, which can be regarded as a K-dimensional local feature associated with every data point. Then, the local features of the data points within a time window are summarized by using principal component analysis (PCA) to obtain a global feature to represent the traffic data in every time window. Finally, outlier detection is performed on such PCALLE feature space. The experimental results show that the proposed method can effectively detect abnormal traffic patterns, which correspond with some special days, like the New Year day, the national day of America, and some days with extreme weather. © 2011 IEEE.

Giacomo Zonneveld,Lorenzo Principi,Marco Baldi

2024-02-13

Abstract:Early detection of network intrusions and cyber threats is one of the main pillars of cybersecurity. One of the most effective approaches for this purpose is to analyze network traffic with the help of artificial intelligence algorithms, with the aim of detecting the possible presence of an attacker by distinguishing it from a legitimate user. This is commonly done by collecting the traffic exchanged between terminals in a network and analyzing it on a per-packet or per-connection basis. In this paper, we propose instead to perform pre-processing of network traffic under analysis with the aim of extracting some new metrics on which we can perform more efficient detection and overcome some limitations of classical approaches. These new metrics are based on graph theory, and consider the network as a whole, rather than focusing on individual packets or connections. Our approach is validated through experiments performed on publicly available data sets, from which it results that it can not only overcome some of the limitations of classical approaches, but also achieve a better detection capability of cyber threats.

Machine Learning