Shujiang Xie,Lian Li,Yian Zhu

DOI: https://doi.org/10.1016/j.cose.2024.104075

IF: 5.105

2024-01-01

Computers & Security

Abstract:Effective anomaly detection in multivariate time series data is critical to ensuring the security of Internet of Things (IoT) devices and systems. However, building a high precision and low false positive rate anomaly detection model for the complex and volatile IoT environment is a challenging task. This is often due to issues such as a lack of anomaly labeling, high data volatility, and the complexity of device mechanisms. Traditional machine learning algorithms and sequence models frequently fail to account for feature correlation and temporal dependency in anomaly detection. Although deep learning-based anomaly detection methods have progressed, there is still room for improvement in precision, recall, and generalization ability. In this paper, we propose an anomaly detection model called Meta-MWDG to address these issues. The model is based on a multi-scale discrete wavelet decomposition and a dual graph attention network, which can effectively extract feature correlation and temporal dependency in multivariate time series data. Additionally, model-agnostic meta-learning (MAML) is introduced to improve the model’s generalization performance, enabling it to perform well on new tasks even with a few samples. A gated recurrent unit (GRU) is combined with a multi-head self-attention network to output both prediction and reconstruction results in a joint optimization strategy, improving the precision of anomaly detection. Extensive experimental studies demonstrate that Meta-MWDG outperforms the state-of-the-art methods in anomaly detection.

Wunjun Huo,Wei Wang,Wen Li

DOI: https://doi.org/10.1007/978-3-030-23499-7_5

2019-01-01

Abstract:Anomaly detection is a key challenge in data mining, which refers to finding patterns in data that do not conform to expected behavior. It has a wide range of applications in many fields as diverse as finance, medicine, industry, and the Internet. In particular, intelligent operation has made great progress in recent years and has an urgent need for this technology. In this paper, we study the problem of anomaly detection in the context of intelligent operation and find the practical need for high-accuracy, online and universal anomaly detection algorithms in time series database. Based on the existing algorithms, we propose an innovative online distance-based anomaly detection algorithm. K-means and time-space trade-off mechanism are used to reduce the time complexity. Through the experiments on Yahoo! Web-scope S5 dataset we show that our algorithm can detect anomalies accurately. The comparative study of several anomaly detectors verifies the effectiveness and generality of the proposed algorithm.

Baojiang Cui,Shanshan He,Haifeng Jin

DOI: https://doi.org/10.1109/imis.2015.43

2015-01-01

Abstract:the large number of internet traffic has highlighted the importance of traffic detection. Anomaly detection is playing an increasingly important role in network security. Feature matching, statistics rules and data mining are widely used in traditional anomaly detection systems, but they have numerous disadvantages, such as low accuracy, over consumption of processing resources. For the complexities of irregular situation, we propose a new model for anomaly traffic detection in this paper. This study combine feature matching module, statistics rules module and data mining module under fully considering the advantages and disadvantages of these three detection methods. Moreover, a multi-layer detection scheme was introduced to enhance system accuracy and reduce the complexity at the same time. Data mining module is the core of the model, Naive Bayes, decision tree and clustering algorithms are used in this module. The results of this system are produced by integrating the detection results of multi detection modules and proved that it has more accuracy than separate module.

Baojiang Cui,Shanshan He

DOI: https://doi.org/10.1109/imis.2016.50

2016-01-01

Abstract:Anomaly detection is playing an increasingly important role in network security, and the ability to detect and process anomalies for big data in real-time is a difficult task. In this conditions, this paper presents a model which combine cloud computing with machine learning. Hadoop is a widely used open source cloud computing framework to big data. The traffic data stored in HDFS and processed by MapReduce. Besides these, machine learning module selected best performance algorithm from multiple algorithms by called Weka interface. Moreover, naïve Bayes, decision tree and SVM are used to validate the accuracy and efficiency. Finally, experimental results demonstrate that this method has a good performance in detection with above 90% of accuracy.

Yang Shi,Maoran Xu,Rongwen Zhao,Hao Fu,Tongshuang Wu,Nan Cao

DOI: https://doi.org/10.1109/THMS.2019.2925195

2019-01-01

IEEE Transactions on Human-Machine Systems

Abstract:Automatic anomaly detection techniques have been extensively used to support decision making in abnormal situations. However, existing approaches are limited in their capacity of effectively identifying anomalies due to the complexity of the real-world environment, the uncertainty of the data input, and the unavailability of ground truth. In this paper, we propose an interactive context-aware anomaly detection algorithm framework that incorporates human judgment in searching for anomalous regions within a large geographic environment. In specific, our framework, 1) estimates a focal region and detect anomalous situations in real time, through which the user can observe and analyze suspicious entities, 2) leverages user feedback to refine results and guide further analysis, and 3) tolerates potential fault feedback provided by the users and resignal dubious anomalous points. Based on the framework, we propose two algorithm implementations, respectively, employ Bayes’ theorem and metric learning. We demonstrate the effectiveness of the proposed framework and corresponding implementations through two controlled user studies and a case study with a domain expert.

Lianyong Qi,Yihong Yang,Xiaokang Zhou,Wajid Rafique,Jianhua Ma

DOI: https://doi.org/10.1109/tii.2021.3139363

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:Various cyber attacks often occur in logistics network of the Industry 4.0, which poses a threat to Internet security. Intrusion detection can intelligently detect anomalous activities and secure the Internet with the help of anomaly detection algorithms. Different from static data, intrusion detection data are a dynamic data form and have the following characteristics. First, it is multiaspect. Second, it contains point anomalies and group anomalies. Third, there are correlations between different attributes. Nevertheless, these properties pose a challenge on existing anomaly detection approaches. Thus, a novel anomaly detection approach MDS_AD is proposed in this article to deal with the challenges. It combines locality-sensitive hashing (LSH), isolation forest, and PCA techniques. MDS_AD has the following properties. 1) The introduced LSH can operate on multiaspect data. 2) MDS_AD can effectively catch group anomalies from the experimental results. 3) The PCA is utilized to reduce dimensionality for correlations between different attributes. 4) MDS_AD is a streaming approach, which can perform model update and process data in constant memory and time. To confirm the performance of MDS_AD, multiple experiments are designed and implemented on UNSW-NB15 dataset. Experimental results show that MDS_AD outperforms state-of-the-art baselines.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Yang Li,Li Guo,Zhi-Hong Tian,Tian-Bo Lu

DOI: https://doi.org/10.1016/j.comcom.2008.08.009

IF: 5.047

2008-01-01

Computer Communications

Abstract:World Wide Web (WWW) is one of the most popular applications currently running on the Internet and web server is a crucial component for this application. However, network anomalies especially Distributed Denial-of-Service (DDoS) attacks bombard web server, degrade its Quality of Service (QoS) and even deny the legitimate users' requests. Traditional network anomaly detection methods often lead to high false positives and expensive computational cost, thus unqualified for real-time web server anomaly detection. To solve these problems, in this paper we first propose an efficient network anomaly detection method based on Transductive Confidence Machines for K-Nearest Neighbors (TCM-KNN) algorithm. Secondly, we integrate a lot of objective and efficient anomalies impact metrics from the perceptions of the end users into TCM-KNN algorithm to build a robust web sever anomaly detection mechanism. Finally, Genetic Algorithm (GA) based instance selection method is introduced to boost the real-time detection performance of our method. We evaluate our method on a series of experiments both on well-known KDD Cup 1999 dataset and concrete dataset collected from real network traffic. The results demonstrate our methods are actually effective and lightweight for real-time web server anomaly detection.

Ying Lin,Bo Li

DOI: https://doi.org/10.1007/978-3-319-78816-6_12

2018-01-01

Abstract:Anomalies in network are complicated and fast-changing, which pose serious threats to network security. In an intrusion detection system (IDS), achieving high detection rate and low false alarm rate is an essential requirement. Furthermore, faced with the explosive growth of network data, rapid recognition counts for as much as accuracy. In this paper, we propose a two-stage cascading model, named WebAD\(^{2}\), for detecting web attacks. WebAD\(^{2}\) applies machine learning techniques to detect anomalous behaviors. However, unlike traditional approaches, WebAD\(^{2}\) divided machine learning process into two stages. In the first stage, partial but key features are selected for training and detecting to accelerate the detection speed. The intermediate results are passed to the second stage and all features are applied to refine the detection results, therefore improve the accuracy of the model. We conduct comprehensive experiments to evaluate the effectiveness and efficiency of WebAD\(^{2}\). The results show that WebAD\(^{2}\) could significantly improve the model efficiency without sacrificing the detection accuracy. The processing speed is reduced up to more than 70% on average, with an accuracy decrease less than 1%. What’s more, the performance results on NSL-KDD also verify that WebAD\(^{2}\) could be universal to detect network flow traffics.

Zheng Liming,Zou Peng,Jia Yan,Han Weihong

2012-01-01

China Communications

Abstract:Detecting traffic anomalies is essential. for diagnosing attacks. High-Speed Backbone Networks (HSBN) require Traffic Anomaly Detection Systems (TADS) which are accurate (high detection and low false positive rates) and efficient. The proposed approach utilizes entropy as traffic distributions metric over some traffic dimensions. An efficient algorithm, having low computational and space complexity, is used to estimate entropy. Entropy values over all dimensions are collected to form a detection vector for every sliding window. One class support vector machine classifies all detection vectors into one of two groups: abnormal vectors and normal vectors. A Multi-Windows Correlation Algorithm (MWCA) calculates comprehensive anomaly scores observed in a sequence of windows in order to reduce false positive rates and obtain high detection rates. Some real-world traffic traces have been used to validate and evaluate the efficiency and accuracy of this system through three experiments. In Experiment 1, the estimating algorithm of entropy which costs less memory and runs faster than traditional algorithms is more suitable for detection anomalies. In Experiment 2, the classification and correlation algorithms can improve the detection accuracy significantly. Experiment 3 compares the subject system and three well-known systems. Ours system is the most accurate one. Those results have indicated that the proposed system significantly improves the accuracy and efficiency.

Fei Wang,Hongliang Zhu,Bin Tian,Yang Xin,Xinxin Niu,Yu Yang

DOI: https://doi.org/10.1109/icbnmt.2011.6155940

2011-01-01

Abstract:Intrusion-detection systems (IDSs) are essential tools for the security of computer systems. Anomaly detection, which uses knowledge about normal behaviors and attempts to detect intrusions by noting significant deviations, has been paid more and more attention. In this paper, we introduce a HMM-based method for anomaly detection. The proposed method is composed of two important stages: off-line training stage and on-line testing stage. In the off-line training stage, we train the normal behaviors by hidden Markov models (HMMs). In the on-line testing stage, we make the final decision based on the minimum risk Bayesian decision theory. We deploy the method on an IDS system to evaluate its performance, and the experimental results demonstrate that our method can achieve satisfying results.

Jingxi Liang,Wen Zhao,Wei Ye

DOI: https://doi.org/10.1145/3171592.3171594

2017-01-01

Abstract:As the era of cloud technology arises, more and more people are beginning to migrate their applications and personal data to the cloud. This makes web-based applications an attractive target for cyber-attacks. As a result, web-based applications now need more protections than ever. However, current anomaly-based web attack detection approaches face the difficulties like unsatisfying accuracy and lack of generalization. And the rule-based web attack detection can hardly fight unknown attacks and is relatively easy to bypass. Therefore, we propose a novel deep learning approach to detect anomalous requests. Our approach is to first train two Recurrent Neural Networks (RNNs) with the complicated recurrent unit (LSTM unit or GRU unit) to learn the normal request patterns using only normal requests unsupervisedly and then supervisedly train a neural network classifier which takes the output of RNNs as the input to discriminate between anomalous and normal requests. We tested our model on two datasets and the results showed that our model was competitive with the state-of-the-art. Our approach frees us from feature selection. Also to the best of our knowledge, this is the first time that the RNN is applied on anomaly-based web attack detection systems.

Yizhen Sun,Yiman Xie,Weiping Wang,Shigeng Zhang,Jun Gao,Yating Chen

DOI: https://doi.org/10.1109/MSN50589.2020.00125

2020-01-01

Abstract:servers in the Internet are vulnerable to Web attacks, to detect Web attacks, a commonly used method is to detect anomalies in the request parameters by making regular-expression-based matching rules for the parameters based on known security threats. However, such methods cannot detect unknown anomalies well and they can also be easily bypassed by using techniques like transcoding. Moreover, existing anomaly detection methods are usually based on a single HTTP request, which is easy to ignore the attack behavior within a period of time, such as brute-force password cracking attack. In this paper, we propose an unsupervised W eb S ession A nomaly D etection method called WSAD. WSAD uses ten features of web session to perform anomaly detection. After extracting the ten features, WSAD uses the DBSCAN algorithm to cluster the features of each session and outputs the outliers found in the clustering process as anomalies. We evaluate the performance of WSAD on several datasets from multiple real websites of a company. The results indicate that WSAD could detect malicious behaviors that could not be detected by Web Application Firewall, and it almost has no false positives.

Liang Hu,Wei-wu Ren,Fei Ren

DOI: https://doi.org/10.1109/icise.2009.225

2009-01-01

Abstract:Traditional anomaly detection methods lack adaptive captivity in complex and heterogeneous network. Especially while facing high noise environments or the situation of updating profiles not in time, intrusion detection systems will have high false alarm rate. In this paper, a new anomaly detection algorithm based on hierarchical clustering, called ADBHC, is proposed. ADBHC generates clusters using density-based partitioning method which has less computational cost. It uses the improved hierarchical clustering tree to implement fast scalable and adaptive anomaly detection. The improved hierarchical clustering tree supports updating profiles at any time. We extend the clustering algorithm and apply branch and bound mechanism for filtering noise. With the help of two advantages: filtering noise and updating profiles at any time, our algorithm is effective enough to meet adaptive requirements. A series of experiment results on well known KDD Cup 1999 dataset indicate that ADBHC has low false alarm rate, high detection rate and a certain adaptive captivity in the progress of self-updating.

Jinyang Liu,Tianyi Yang,Zhuangbin Chen,Yuxin Su,Cong Feng,Zengyin Yang,Michael R. Lyu

2023-08-19

Abstract:As modern software systems continue to grow in terms of complexity and volume, anomaly detection on multivariate monitoring metrics, which profile systems' health status, becomes more and more critical and challenging. In particular, the dependency between different metrics and their historical patterns plays a critical role in pursuing prompt and accurate anomaly detection. Existing approaches fall short of industrial needs for being unable to capture such information efficiently. To fill this significant gap, in this paper, we propose CMAnomaly, an anomaly detection framework on multivariate monitoring metrics based on collaborative machine. The proposed collaborative machine is a mechanism to capture the pairwise interactions along with feature and temporal dimensions with linear time complexity. Cost-effective models can then be employed to leverage both the dependency between monitoring metrics and their historical patterns for anomaly detection. The proposed framework is extensively evaluated with both public data and industrial data collected from a large-scale online service system of Huawei Cloud. The experimental results demonstrate that compared with state-of-the-art baseline models, CMAnomaly achieves an average F1 score of 0.9494, outperforming baselines by 6.77% to 10.68%, and runs 10X to 20X faster. Furthermore, we also share our experience of deploying CMAnomaly in Huawei Cloud.

Software Engineering,Machine Learning

CHEN Ping,SONG Yu-rong,JIANG Guo-ping

DOI: https://doi.org/10.3969/j.issn.1673-629x.2012.07.037

2012-01-01

Abstract:Network anomaly detection which is a very important issue in network management has been extensively studied in recent years.Although people in the field made a number of advanced works,the accuracy of automatic classification of network traffic to detect and identify abnormal network traffic is still a very challenging problem.It presents a multidimensional clustering based anomaly detection method,by two stages to achieve anomaly detection.The first phase,through multidimensional clustering algorithms,network traffic is automatically mined into different multidimensional clusters.The second phase calculates the degree of multidimensional clusters to achieve anomaly detection.By this method,the abnormal network traffic is automatically classified into different meaningful clusters,and then these clusters can be used to find network anomalies.Finally,this algorithm was validated through experiments,the results show that the method can effectively identify abnormal network traffic.

Mehrnoosh Monshizadeh,Vikramajeet Khatri,Buse Gul Atli,Raimo Kantola,Zheng Yan

DOI: https://doi.org/10.1109/access.2019.2930832

IF: 3.9

2019-01-01

IEEE Access

Abstract:Hybrid Anomaly Detection Model (HADM) is a platform that filters network traffic and identifies malicious activities on the network. The platform applies data mining techniques to tackle effectively the security issues in high load communication networks. The platform uses a combination of linear and learning algorithms combined with protocol analyzer. The linear algorithms filter and extract distinctive attributes and features of the cyber-attacks while the learning algorithms use these attributes and features to identify new types of cyber-attacks. The protocol analyzer in this platform classifies and filters vulnerable protocols to avoid unnecessary computation load. The use of linear algorithms in conjunction with learning algorithms and protocol analyzer allows the HADM to achieve improved efficiency in terms of accuracy and computation time to detect cyber-attacks over existing solutions. While authors' previous paper evaluated HADM efficiency (accuracy and computation time) against related studies, this paper, concentrates on HADM robustness and scalability. For this purpose, five datasets, including ISCX-2012, UNSW-NB15 Jan, UNSW-NB15 Feb, ISCX-2017, and MAWILab-2018, with various size and diverse attacks have been used. Different feature selection methods are applied to find the best features. The feature selection methods are selected based on the algorithms' computation time and detection rate. The best algorithms are then selected through a benchmark on applied datasets and based on the metrics such as cross-entropy loss, precision, recall, and computation time. The result of HADM platform shows robustness and scalability against datasets with different size and diverse attacks.

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Min Yang,Huanguo Zhang,Jianming Fu,Fei Yan

DOI: https://doi.org/10.1007/978-3-540-30141-7_62

2004-01-01

Abstract:To improve the efficiency and usability of adaptive anomaly detection system, we propose a new framework based on Support Vector Data Description (SVDD) method. This framework includes two main techniques: online change detection and unsupervised anomaly detection. The first one enables automatically obtain model training data by measuring and distinguishing change caused by intensive attacks from normal behavior change and then filtering most intensive attacks. The second retrains model periodically and detects the forthcoming data. Results of experiments with the KDD'99 network data show that these techniques can handle intensive attacks effectively and adapt to the concept drift while still detecting attacks. As a result, false positive rate is reduced from 13.43% to 4.45%.

Xiaohui Jin,Baojiang Cui,Dong Li,Zishuai Cheng,Congxin Yin

DOI: https://doi.org/10.1016/j.jnca.2018.01.002

IF: 7.574

2018-01-01

Journal of Network and Computer Applications

Abstract:Payload-based anomaly detection can find out the malicious behavior hidden in network packets rather efficiently. It is quite suitable for securing web applications, which are used widely and a major concern of cyber security nowadays. Our research is based on McPAD. We argue that the assumption about the probability distribution of features in outlier class is not appropriate and figure out a more suitable distribution by analyzing the common types of web attacks. Furthermore, we propose a new mapping algorithm for dimensionality reduction in order to improve the performance of the original one. Finally, we try to speed up the training process without significantly affect the detection performance. The experimental results show that the training time can be reduced by an average of 24.75%.

Yi Xie,Shun-Zheng Yu

DOI: https://doi.org/10.1109/cscwd.2006.253054

2006-01-01

Abstract:It is difficult for the existing anomaly detection methods to distinguish the burst of normal traffic from the anomalous traffic in a large-scale Web site. This paper uses hidden semi-Markov model to describe the browsing behaviors of Web users. An efficient recursive algorithm for this model is presented for the online implementation of model update, which is used to track the Web users' browsing behaviors dynamically. An anomaly detection scheme is proposed for the application of this model. Likelihood of an observation sequence on a user browsing behaviors fitting to the model is used as a measure of normality of the user. Finally, an experiment is conducted to validate our model and algorithms, which is based on a real traffic data and an emulated distributed denial of service attack