Yuqi Li,Guosheng Zang,Chunyao Song,Xiaojie Yuan

DOI: https://doi.org/10.1016/j.ipm.2024.103905

IF: 7.466

2024-09-28

Information Processing & Management

Abstract:Graph-based anomaly detection aims to identify anomalous vertices in graph-structured data. It relies on the ability of graph neural networks (GNNs) to capture both relational and attribute information within graphs. However, previous GNN-based methods exhibit two critical shortcomings. Firstly, GNN is inherently a low-pass filter that tends to lead similar representations of neighboring vertices, which may result in the loss of critical anomalous information, termed as low-frequency constraints. Secondly, anomalous vertices that deliberately mimic normal vertices in features and structures are hard to detect, especially when the distribution of labels is unbalanced. To address these defects, we propose a U niversal A daptive A lgorithm for G raph A nomaly D etection ( U-A 2 GAD ), which employs enhanced high frequency filters to overcome the low-frequency constraints, as well as aggregating both k -nearest neighbor ( k NN) and k -farthest neighbor ( k FN) to resolve the vertices' camouflage problem. Extensive experiments demonstrated the effectiveness and universality of our proposed U-A 2 GAD and its constituent components, achieving improvements of up to 6% and an average increase of 2% on AUC-PR over the state-of-the-art methods. The source codes, and parameter setting details can be found at https://github.com/LIyvqi/U-A2GAD .

computer science, information systems,information science & library science

Liang HE,Yongcheng WANG,Yun LI,Yanjie CHU,Chao SHEN

DOI: https://doi.org/10.3778/j.issn.1002-8331.1811-0026

2019-01-01

Abstract:In the fields of network maintenance and operation, it attracts much attention how to detect and prompt the net-work anomalies in time. Anomalous events are less in dataset than the normal ones, leading to the fact that it is difficult to use the two-class classifications for anomaly detection because of the imbalance of data labeled as normal or anomalous. Meanwhile, anomalous events are in various patterns and there is little prior information about the anomaly that the users are concerned with, therefore, it is necessary to model the normal data and use them for anomaly detection by comparing the received data with the normal model. Based on Lindeberg-Feller central limit theorem, a hypothesis test is designed to detect whether the data to be tested is anomalous or not, according to the refusing area calculated by the confidential parameter. Finally, the theorem of this algorithm is simulated and the performance is also tested both on the common and the actual datasets. When the users take the correlation features of the anomalous events as the algorithm input, the recall ratio reaches 90%.

LI Yang,FANG Bin-xing,GUO Li,TIAN Zhi-hong,ZHANG Yong-zheng,JIANG Wei

DOI: https://doi.org/10.1145/1229285.1229292

2007-01-01

Abstract:Intrusion detection is a critical component of secure information systems. Network anomaly detection has been an active and difficult research topic in the field of Intrusion Detection for many years. However, it still has some problems unresolved. They include high false alarm rate, difficulties in obtaining exactly clean data for the modeling of normal patterns and the deterioration of detection rate because of some "noisy" data in the training set. In this paper, we propose a novel network anomaly detection method based on improved TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) machine learning algorithm. A series of experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positive rate, low false positive rate and high confidence than the state-of-the-art anomaly detection methods. In addition, even interfered by "noisy" data (unclean data), the proposed method is robust and effective. Moreover, it still retains good detection performance after employing feature selection aiming at avoiding the "curse of dimensionality".

Lingren Wang,Jingbing Li,Uzair Aslam Bhatti,Yanlin Liu

DOI: https://doi.org/10.1007/978-3-030-24271-8_56

2019-01-01

Abstract:In recent years use of a Wireless Sensor Network (WSN) has become a leading area of research in various applications. Because of WSN limitation of its own features that low ability of calculation, small volume of storage, resource constrain, bad communicational environment of wireless, which lead to WSN be besieged by imminent security problems, the abnormal detection in WSN is vary important at this time. We focus on the quality of data, and aim at the characteristics of wireless sensor network node data with time and spatial similarity, and the current research on anomaly analysis. We use the classification to detect outliers. This paper presents a method of detecting the proximity of distance based on distance, which is the main reason for the study of the anomalous value of the network. The KNN (K-Nearest Neighbor) algorithm is used to analyze and detect the data to achieve the purpose of data anomaly detection in WSN. The algorithm of outlier detection is based on the design and achieve of QualNet simulation platform. It is effective and accurate to evaluate and test. The simulation results show the effectiveness of the proposed KNN algorithm.

Ding De Jiang,Cheng Yao,Wei Han Zhang,Zheng

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.1461

2013-01-01

Advanced Materials Research

Abstract:This paper presents a detection algorithm for anomaly network traffic, which is based on spectral kurtosis analysis. Firstly, we turn network traffic into time-frequency signals at different scales. These time-frequency signals hold the more detailed nature corresponding to different scales. Secondly, the time-frequency signals at different scales are transformed into a series of new time signals by time-frequency analysis theory. These new time signals hold obvious narrowband nature and embody the local properties of network traffic. Thirdly, we calculate the spectral kurtosis values of the new time signals and then perform the feature extractions. As a result, the abnormal network traffic can be correctly identified. Simulation results show that our algorithm is feasible and promising.

LI Yang,FANG Bin-Xing,GUO Li,CHEN You

DOI: https://doi.org/10.1360/jos182595

2007-01-01

Journal of Software

Abstract:Network anomaly detection has been an active and difficult research topic in the field of intrusion detection for many years. Up to now, high false alarm rate, requirement of high quality data for modeling the normal patterns and the deterioration of detection rate because of some noisy data in the training set still make it not perform as well as expected in practice. This paper presents a novel network anomaly detection method based on improved TCM-KNN (transductive confidence machines for K-nearest neighbors) machine learning algorithm, which can effectively detect anomalies using normal data for training. A series of experiments on well known KDD Cup 1999 dataset demonstrate that it has lower false positive rate, especially higher confidence under the condition of ensuring high detection rate than the traditional anomaly detection methods. In addition, even provided with training dataset contaminated by noisy data, the proposed method still holds good detection performance. Furthermore, it can be optimized without obvious loss of detection performance by adopting small dataset for training and employing feature selection aiming at avoiding the curse of dimensionality.

Xu Zhang,xuebin sun

DOI: https://doi.org/10.1117/12.2631866

2022-01-01

Abstract:Graph data structures are now widely used and detecting graph anomalies is a challenging task. Traditional anomaly detection methods can achieve good results in the case of low-latitude data, but in the face of today's unstructured graph structure data, they often seem to be powerless. Fortunately,GCN provides an effective method for processing graph data. Based on the idea of GCN network and traditional support vector data description, this paper proposes a graph anomaly detection method and makes corresponding experiments. Compared with traditional methods, better results have been achieved.

Fangyuan Cheng,Xiaofeng Qiu

DOI: https://doi.org/10.1109/icnidc.2016.7974527

2016-01-01

Abstract:In this paper, an anomaly detection method based on frequent sub-graph mining and association analysis is introduced to ensure the security of the SDN. With this method, the network behavior data in SDN are represented as a graph, abnormal sub-graphs of which are readily detectable. And patterns of the detected abnormal behaviors are able to be identified. Furthermore, an ensemble method based on Bagging algorithm is proposed to improve the detection accuracy. Experiment with global flow table data based on SDN indicated that this approach was capable of detecting anomalies in SDN. Moreover, to illustrate the effectiveness of this method in other aspects, comparisons with KDD99 data set were conducted. And the results verified its excellent ability in reducing false alarms and the effect of the ensemble method on improving the detection accuracy.

Amit Roy,Juan Shu,Jia Li,Carl Yang,Olivier Elshocht,Jeroen Smeets,Pan Li

DOI: https://doi.org/10.1145/3616855.3635767

2024-02-06

Abstract:Graph Anomaly Detection (GAD) is a technique used to identify abnormal nodes within graphs, finding applications in network security, fraud detection, social media spam detection, and various other domains. A common method for GAD is Graph Auto-Encoders (GAEs), which encode graph data into node representations and identify anomalies by assessing the reconstruction quality of the graphs based on these representations. However, existing GAE models are primarily optimized for direct link reconstruction, resulting in nodes connected in the graph being clustered in the latent space. As a result, they excel at detecting cluster-type structural anomalies but struggle with more complex structural anomalies that do not conform to clusters. To address this limitation, we propose a novel solution called GAD-NR, a new variant of GAE that incorporates neighborhood reconstruction for graph anomaly detection. GAD-NR aims to reconstruct the entire neighborhood of a node, encompassing the local structure, self-attributes, and neighbor attributes, based on the corresponding node representation. By comparing the neighborhood reconstruction loss between anomalous nodes and normal nodes, GAD-NR can effectively detect any anomalies. Extensive experimentation conducted on six real-world datasets validates the effectiveness of GAD-NR, showcasing significant improvements (by up to 30% in AUC) over state-of-the-art competitors. The source code for GAD-NR is openly available. Importantly, the comparative analysis reveals that the existing methods perform well only in detecting one or two types of anomalies out of the three types studied. In contrast, GAD-NR excels at detecting all three types of anomalies across the datasets, demonstrating its comprehensive anomaly detection capabilities.

Machine Learning

H. P. Yao,Y. Q. Liu,C. Fang

DOI: https://doi.org/10.15837/ijccc.2016.4.2315

IF: 2.635

2016-01-01

International Journal of Computers Communications & Control

Abstract:Anomaly network detection is a very important way to analyze and detect malicious behavior in network. How to effectively detect anomaly network flow under the pressure of big data is a very important area, which has attracted more and more researchers' attention. In this paper, we propose a new model based on big data analysis, which can avoid the influence brought by adjustment of network traffic distribution, increase detection accuracy and reduce the false negative rate. Simulation results reveal that, compared with k-means, decision tree and random forest algorithms, the proposed model has a much better performance, which can achieve a detection rate of 95.4% on normal data, 98.6% on DoS attack, 93.9% on Probe attack, 56.1% on U2R attack, and 77.2% on R2L attack.

Jiang Zhong,Xiongbing Deng,Luosheng Wen,Yong Feng

DOI: https://doi.org/10.1109/aici.2009.450

2009-01-01

Abstract:Data mining techniques have been successfully applied in intrusion detection because they can detect both misuse and anomaly. One of the unsupervised ways to define anomalies is by saying that anomalies are not concentrated, which depend on the density of data set. In this paper, the anomalies can be specified by choosing a reference measure μ which determines a density and a level value r. In order to reveal the relationship between the distribution of connection feature data sets and the reference measure μ, we proposed a new method to design RBF classifier based on multiple granularities immune network, and apply this algorithm to estimate density level set for the data set, through which the anomaly network connections have been detected. Experimental results on the real network data set showed that the new method is competitive with others in that the false alarm rate is kept low without many missed detections.

Zhiguang Zhu,Ying Xie,Xu Yang,Wei Hu

DOI: https://doi.org/10.1109/Confluence56041.2023.10048869

2023-01-01

Abstract:The k-nearest neighbor algorithm has been widely used in network anomaly detection works, but its query efficiency decreases significantly when the number of samples and feature dimensions increase. To meet the demand for real-time detection, an accurate and timely anomaly detection solution is particularly important. This paper proposes a fast anomaly traffic detection method based on the constrained k-nearest neighbor (CKNN) algorithm. The method uses equilibrium modified k-means and randomized incremental method to optimize the ball tree construction scheme. Specifically, randomized incremental method is used to solve the minimum coverage ball, which optimizes the selection process of the centeroid and radius while reducing the depth of the ball tree. And the equilibrium modified k-means method replaces the original k-center principle used in the division of subtrees, which solves the problem of unbalanced search binary tree division. Meanwhile, by reducing the required number of backtracking to search the K nearest neighbors, which reduces the classification time overhead of the algorithm. We validate the effectiveness of the method on several benchmark datasets. The experimental results show that the CKNN maintains a higher query rate without loss of detection accuracy when dealing with high-dimensional, massive sample data compared with the traditional KNN algorithm. And with the growth ratio of up to 99.68% for some samples, our method also exhibits higher detection accuracy and less time consumption compared with other machine learning algorithms.

Xiaoyu Wang,Yongwang Zhou,Dongbiao Li,Chi Zhang

DOI: https://doi.org/10.1109/iccc62479.2024.10681973

2024-01-01

Abstract:Anomaly detection in dynamic and temporal graphs is frequently accomplished using unsupervised learning. This involves clustering to group similar data instances and identify outliers. Nonetheless, the accuracy of unsupervised learning algorithms is limited when anomalous data instances exhibit similar features. Existing graph theory-based methods can only detect significant anomalies that affect the entire network structure but fail to detect subtle anomalies such as small-scale DDoS attacks within node groups. Conversely, monitoring the behavior of every node in a real-time network can be expensive. In this paper, we propose a real-time anomaly detection method that leverages community detection and graph spectral theory. Specifically, each graph is partitioned into groups of densely connected nodes, which serve as detection objects to identify subtle anomalies. To address the challenge of detecting anomalies with similar features, we measured changes in communities between adjacent time steps, allowing us to identify outlier time points. Finally, to strike a balance between accuracy and cost, we utilize a novel graph spectral theory method as a graph distance function. Experimental evaluations demonstrate the efficacy of our approach in detecting subtle anomalies.

Yang Li,Binxing Fang,Li Guo

DOI: https://doi.org/10.1007/978-3-540-72383-7_150

2007-01-01

Abstract:Network anomaly detection has been a hot topic in the past years. However, high false alarm rate, difficulties in obtaining exact clean data for the modeling of normal patterns and the deterioration of detection rate because of "unclean" training set always make it not as good as we expect. Therefore, we propose a novel data mining method for network anomaly detection in this paper. Experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positives, low false positives as well as with high confidence than the state-of-the-art anomaly detection methods. Furthermore, even provided with not purely "clean" data (unclean data), the proposed method is still robust and effective.

Qing-Sheng Zhu,Qi Fang

DOI: https://doi.org/10.1109/isai.2016.0096

2016-01-01

Abstract:Training samples of the intrusion detection algorithms based on supervised learning is hard to acquire. The accuracy of the intrusion detection algorithms based on unsupervised learning is low. Common semi-supervised intrusion detection algorithms need parameter k which is selected by human. To solve these problems, a semi-supervised intrusion detection algorithm based on natural neighbor is proposed. Natural neighbor (2N) proposed by us is a novel concept on nearest neighbor. It does not need parameter k when search neighbors of each point. The specific steps of the intrusion detection algorithm are as follows: first, do clustering based on 2N on labeled data. Then, make classification based on 2N on unlabeled data according to the result of clustering. The experimental result shows that the algorithm works well both in detection accuracy and stability.

Yating Liu,Yuantao Gu

DOI: https://doi.org/10.1109/dsw.2018.8439923

2018-01-01

Abstract:Network anomaly detection refers to automatically identifying the flows associated with anomalous events, which is the first line of defense against attacks in network security system. This paper proposes a new reliable unsupervised detector Multiple Sketches and Clustering (MSC) combining sketches (random projections) and clustering to blindly identify anomalies without relying on signatures or labeled traffic data. Multiple random projections and voting strategy alleviate the potential misclassification of single analysis and ensure a lower false positive rate. The K-means++ clustering detection detects both known and unknown anomalies accurately and triggers a higher true positive rate without any prior information about traffic data or anomaly patterns. The results on the MAWILAB backbone network dataset reveal that the novel detector outperforms the state-of-the-art detectors.

Yong Feng,Jiang Zhong,Zhong-Yang Xiong,Chun-Xiao Ye,Kai-Gui Wu

DOI: https://doi.org/10.1007/978-3-540-72393-6_113

2007-01-01

Abstract:An approach to network anomaly detection is investigated, based on dynamic self-organizing maps (DSOM) and ant colony optimization (ACO) clustering. The basic idea of the method is to produce the cluster by DSOM and ACO. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on DSOM and ACO clustering can settle these problems effectively. The experiment results show that our approach can detect unknown intrusions efficiently in the real network connections.

Tong Sun,Yan Liu,Jing Chen

DOI: https://doi.org/10.1109/compcomm.2017.8322580

2017-01-01

Abstract:Detecting abnormal behavior during network evolution is an important and challenging data analysis task at present, it is named as dynamic network anomaly detection in this paper. The network abnormal behavior differs from that of normal behavior, the probability of occurrence stays relatively low but may cause serious damages once happened. This paper takes the topological structure of the network as the research object and identifies the network anomaly through the change of network structure. Based on Cox-stuart test, we put forward a new type of method to detect dynamic anomaly. This method refers to an alarm of monitoring the trend change of the network structure parameters. Finally, an experiment was carried out in the real dynamic network-Enron Email Network, which verified that the dynamic network anomaly detection method proposed in this paper can effectively detect the network anomaly behavior.

Kangsheng Li,Quan Yuan,Bowen Jiang,Yulong Xian,Xin Gao

DOI: https://doi.org/10.1117/12.2652852

2022-01-01

Abstract:Accurate anomaly detection of remote maintenance control system of natural gas pipeline is of great significance in ensuring the safe and stable operation of gas pipeline network. A supervised anomaly detection method based on k-nearest neighbors searching and clustering is proposed. Firstly, the labels of neighbor samples are used to determine whether the sample is noise or belongs to an anomaly cluster, and the iterative search is conducted in the neighbor samples until no more abnormal samples belonging to this cluster are found. Then, the noise samples are filtered and the numbers of new abnormal samples to be generated in each cluster are calculated. Finally, SMOTE is used to generate the artificial samples in each cluster to balance the data. The experiment results on public datasets and the remote maintenance control system monitoring dataset show that the proposed method outperforms the compared methods in terms of F-measure and G-mean.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.