Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Ganesh Subramaniam,Huan Chen,Ravi Varadhan,Robert Archibald

DOI: https://doi.org/10.48550/arXiv.2108.08924

2021-08-19

Cryptography and Security

Abstract:Cybersecurity, security monitoring of malicious events in IP traffic, is an important field largely unexplored by statisticians. Computer scientists have made significant contributions in this area using statistical anomaly detection and other supervised learning methods to detect specific malicious events. In this research, we investigate the detection of botnet command and control (C&C) hosts in massive IP traffic. We use the NetFlow data, the industry standard for monitoring of IP traffic for exploratory analysis and extracting new features. Using statistical as well as deep learning models, we develop a statistical intrusion detection system (SIDS) to predict traffic traces identified with malicious attacks. Employing interpretative machine learning techniques, botnet traffic signatures are derived. These models successfully detected botnet C&C hosts and compromised devices. The results were validated by matching predictions to existing blacklists of published malicious IP addresses.

Khloud Al Jallad,Mohamad Aljnidi,Mohammad Said Desouki

DOI: https://doi.org/10.48550/arXiv.2209.13961

2022-09-28

Cryptography and Security

Abstract:With the growing use of information technology in all life domains, hacking has become more negatively effective than ever before. Also with developing technologies, attacks numbers are growing exponentially every few months and become more sophisticated so that traditional IDS becomes inefficient detecting them. This paper proposes a solution to detect not only new threats with higher detection rate and lower false positive than already used IDS, but also it could detect collective and contextual security attacks. We achieve those results by using Networking Chatbot, a deep recurrent neural network: Long Short Term Memory (LSTM) on top of Apache Spark Framework that has an input of flow traffic and traffic aggregation and the output is a language of two words, normal or abnormal. We propose merging the concepts of language processing, contextual analysis, distributed deep learning, big data, anomaly detection of flow analysis. We propose a model that describes the network abstract normal behavior from a sequence of millions of packets within their context and analyzes them in near real-time to detect point, collective and contextual anomalies. Experiments are done on MAWI dataset, and it shows better detection rate not only than signature IDS, but also better than traditional anomaly IDS. The experiment shows lower false positive, higher detection rate and better point anomalies detection. As for prove of contextual and collective anomalies detection, we discuss our claim and the reason behind our hypothesis. But the experiment is done on random small subsets of the dataset because of hardware limitations, so we share experiment and our future vision thoughts as we wish that full prove will be done in future by other interested researchers who have better hardware infrastructure than ours.

Sajjad Arshad,Maghsoud Abbaspour,Mehdi Kharrazi,Hooman Sanatkar

DOI: https://doi.org/10.1109/ICCAIE.2011.6162198

2018-11-02

Abstract:Botnets (networks of compromised computers) are often used for malicious activities such as spam, click fraud, identity theft, phishing, and distributed denial of service (DDoS) attacks. Most of previous researches have introduced fully or partially signature-based botnet detection approaches. In this paper, we propose a fully anomaly-based approach that requires no a priori knowledge of bot signatures, botnet C&C protocols, and C&C server addresses. We start from inherent characteristics of botnets. Bots connect to the C&C channel and execute the received commands. Bots belonging to the same botnet receive the same commands that causes them having similar netflows characteristics and performing same attacks. Our method clusters bots with similar netflows and attacks in different time windows and perform correlation to identify bot infected hosts. We have developed a prototype system and evaluated it with real-world traces including normal traffic and several real-world botnet traces. The results show that our approach has high detection accuracy and low false positive.

Cryptography and Security

Zhenping Shi,Jie Li,Chentao Wu,Jinyuan Li

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00335

2019-01-01

Abstract:With the explosion of network traffic volume, high efficient and large-scale network traffic anomaly detection methods becomes necessary. However, existing methods often fail to take into account both the detection delay and the detection accuracy. We propose a novel method, focusing on period-wise detection. We use Long Short-Term Memory (LSTM) to establish abnormal traffic detection model. Besides, We use some big data processing frameworks for online network traffic collection and preprocessing. Performance evaluation shows that our online anomaly detection model outperforms other anomaly detection methods based on traditional anomaly detection methodologies.

Yun-Chun Chen,Yu-Jhe Li,Aragorn Tseng,Tsungnan Lin

DOI: https://doi.org/10.48550/arXiv.1802.03358

IF: 5.414

2018-02-09

Machine Learning

Abstract:Cyber security has grown up to be a hot issue in recent years. How to identify potential malware becomes a challenging task. To tackle this challenge, we adopt deep learning approaches and perform flow detection on real data. However, real data often encounters an issue of imbalanced data distribution which will lead to a gradient dilution issue. When training a neural network, this problem will not only result in a bias toward the majority class but show the inability to learn from the minority classes. In this paper, we propose an end-to-end trainable Tree-Shaped Deep Neural Network (TSDNN) which classifies the data in a layer-wise manner. To better learn from the minority classes, we propose a Quantity Dependent Backpropagation (QDBP) algorithm which incorporates the knowledge of the disparity between classes. We evaluate our method on an imbalanced data set. Experimental result demonstrates that our approach outperforms the state-of-the-art methods and justifies that the proposed method is able to overcome the difficulty of imbalanced learning. We also conduct a partial flow experiment which shows the feasibility of real-time detection and a zero-shot learning experiment which justifies the generalization capability of deep learning in cyber security.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Qiuzhen Huang

DOI: https://doi.org/10.1016/j.jnca.2011.06.006

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:The randomness in network behaviors poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features to capture the traffic patterns. The blind source separation method is applied to obtain the routine and abnormal behaviors from those features. A scale space filter is applied to filter the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of different traffic features to the abnormal behavior detection are analyzed. It is found that the number of connection degree is the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting the abnormal behaviors not associated with significant changes in traffic volumes. Another advantage of the new method is that no supervised learning process is needed. This is very important since high quality labeled samples are very difficult to acquire in actual networks especially the data traces associated with attacks. The experimental results based on the actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in the gigabytes traffic environment and the accuracy is above 95%.

Rongsheng Shan,Jianhua Li,MINGZHENG WANG

DOI: https://doi.org/10.3969/j.issn.1003-7985.2004.01.004

2004-01-01

Abstract:This paper presents a novel mechanism for detecting flooding-attacks. The simplicity of the mechanism lies in its statelessness and low computation overhead, which makes the detection mechanism itself immune to flooding-attacks. In this paper, SYN-flooding, as an instance of flooding-attack, is used to illustrate the anomaly detection mechanism. The mechanism applies an exponentially weighted moving average (EWMA) method to detect the abrupt net flow and applies a symmetry analysis method to detect the anomaly activity of the network flow. Experiment shows that the mechanism has high detection accuracy and low detection latency.

Paul Barford,Jeffery Kline,David Plonka,Amos Ron

DOI: https://doi.org/10.1145/637201.637210

2002-01-01

Abstract:Identifying anomalies rapidly and accurately is critical to the efficient operation of large computer networks. Accurately characterizing important classes of anomalies greatly facilitates their identification; however, the subtleties and complexities of anomalous traffic can easily confound this process. In this paper we report results of signal analysis of four classes of network traffic anomalies: outages, flash crowds, attacks and measurement failures. Data for this study consists of IP flow and SNMP measurements collected over a six month period at the border router of a large university. Our results show that wavelet filters are quite effective at exposing the details of both ambient and anomalous traffic. Specifically, we show that a pseudo-spline filter tuned at specific aggregation levels will expose distinct characteristics of each class of anomaly. We show that an effective way of exposing anomalies is via the detection of a sharp increase in the local variance of the filtered data. We evaluate traffic anomaly signals at different points within a network based on topological distance from the anomaly source or destination. We show that anomalies can be exposed effectively even when aggregated with a large amount of additional traffic. We also compare the difference between the same traffic anomaly signals as seen in SNMP and IP flow data, and show that the more coarse-grained SNMP data can also be used to expose anomalies effectively.

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Zong-Lin Li,Guang-Min Hu,Xingmiao Yao

DOI: https://doi.org/10.1109/icacia.2009.5361117

2009-01-01

Abstract:Distributed anomalous traffic is difficult to detect, since it is simultaneously dispersed in many links and tend to not present any obvious anomalous features in a single link. This paper proposed a multi-scale spatial detection method against distributed stealthy traffic anomaly, it can deploy early-stage detection on key nodes of network. Multi-scale wavelet packet analysis is performed separately on links at which information is available on each node, with the aim of getting abnormal frequency ranges at different time sections and reconstructing signals with anomalous features. Then from a spatial point of view, evaluate deviation degree of high dimension vectors that composed of reconstructions by kernel density estimation as anomaly indicator. Detection results on both real anomalies of American education backbone network and synthetic distributed anomalies shows, our method performs better than existing method.

Dingde Jiang,Jindi Liu,Zhengzheng Xu,Wenda Qin

DOI: https://doi.org/10.1109/iceceng.2011.6057677

2011-01-01

Abstract:Abnormal network traffic has a very great harm to the network, so we need to quickly detect abnormal traffic. However, the existing detection methods take a lot of computational overhead, which will make it hard to meet the real-time requirement. This paper presents a distributed network traffic anomaly detection algorithm based on sliding window, which uses decomposable principal component analysis to handle network traffic signals. Through sliding time window, traffic anomaly detection will be limited to the specified scope of time. This significantly reduces the amount of data analysis to improve the speed of anomaly detection. Using the dataset from real network to simulate, we validate that the proposed algorithm is effective and feasible.

Tieming Chen,Xuebo Qiu,Zhengqiu Weng,Tiantian Zhu,Mingqi Lv,Keda Sun

DOI: https://doi.org/10.1155/2024/6964759

IF: 1.968

2024-11-08

Security and Communication Networks

Abstract:Anomaly detection is essential to ensuring system security and reliability. As one of the basic techniques in the cyberattack, the existing malicious traffic classification method has been facing diverse challenges such as insufficient samples, poor denoising ability, and weak generalization of the classification model. In this paper, we propose a novel method for detecting malicious HTTP traffic based on a framework (HTTPSmell; it refers to the sniffing of some network attacks launched by exploiting the HTTP protocol.)), and XSS dataset obtained from GitHub that automatically applies a deep learning model with high generalization ability even under a small training dataset. With HTTPSmell, we are able to achieve positive results from a semisupervised model that leverages the unsupervised data augmentation (UDA) and the keywords library avoidance (KLA)‐based data augmentation method that holds higher learning generalization, higher scenario coverage rate, and better detection efficiency in the smaller training samples. Finally, we demonstrate through comprehensive experiments in the realistic enterprise environment that HTTPSmell can achieve an accuracy of 96.77% for identifying complex and advanced cyberattacks, while only maintaining a constant 60 MB of memory and sustaining up to 27 k/s throughput.

computer science, information systems,telecommunications

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

Minghui Gao,Li Ma,Heng Liu,Zhijun Zhang,Zhiyan Ning,Jian Xu

DOI: https://doi.org/10.3390/s20051452

IF: 3.9

2020-03-06

Sensors

Abstract:Anomaly detection systems can accurately identify malicious network traffic, providing network security. With the development of internet technology, network attacks are becoming more and more sourced and complicated, making it difficult for traditional anomaly detection systems to effectively analyze and identify abnormal traffic. At present, deep neural network (DNN) technology achieved great results in terms of anomaly detection, and it can achieve automatic detection. However, there still exists misclassified traffic in the prediction results of deep neural networks, resulting in redundant alarm information. This paper designs a two-level anomaly detection system based on deep neural network and association analysis. We made a comprehensive evaluation of experiments using DNNs and other neural networks based on publicly available datasets. Through the experiments, we chose DNN-4 as an important part of our system, which has high precision and accuracy in identifying malicious traffic. The Apriori algorithm can mine rules between various discretized features and normal labels, which can be used to filter the classified traffic and reduce the false positive rate. Finally, we designed an intrusion detection system based on DNN-4 and association rules. We conducted experiments on the public training set NSL-KDD, which is considered as a modified dataset for the KDDCup 1999. The results show that our detection system has great precision in malicious traffic detection, and it achieves the effect of reducing the number of false alarms.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Zecheng Li,Shengyuan Chen,Hongshu Dai,Dunyuan Xu,Cheng-Kang Chu,Bin Xiao

DOI: https://doi.org/10.1109/tr.2022.3204349

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Abnormal traffic detection is the core component of the network intrusion detection system. Although semisupervised methods can detect zero-day attack traffic, previous work suffers from high false alarms because the trained model is simply based on normal traffic. In this article, we propose an accurate abnormal traffic detection method using pseudoanomaly, consisting of an efficient feature extraction framework and a novel denoise autoencoder-generative adversarial network (DAE-GAN) model. The feature extraction framework adopts an innovative packet window scheme to extract spatial and temporal features from traffic flows. The DAE-GAN model has multiple DAEs to achieve efficient data augmentation and generate high-quality pseudoanomalies. The pseudoanomalies are obtained by adding noise on normal traffic and enhanced by adversarial learning in DAE-GAN. Our semisupervised detection method, exploiting both normal data and generated pseudoanomalies, achieves a precision of 98.6 on the NSL-KDD dataset and 98.5 on the UNSW-NB15 dataset. Compared with the state-of-the-art, the detection precision and recall under different user behaviors are significantly improved. The evaluation on four attack datasets shows that our method has a high flow-wise precision of over 99 and a high recall of 60.6.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Tahereh Babaie,Sanjay Chawla,Sebastien Ardon

DOI: https://doi.org/10.48550/arXiv.1403.0157

2014-03-02

Abstract:In this paper we focus on the detection of network anomalies like Denial of Service (DoS) attacks and port scans in a unified manner. While there has been an extensive amount of research in network anomaly detection, current state of the art methods are only able to detect one class of anomalies at the cost of others. The key tool we will use is based on the spectral decomposition of a trajectory/hankel matrix which is able to detect deviations from both between and within correlation present in the observed network traffic data. Detailed experiments on synthetic and real network traces shows a significant improvement in detection capability over competing approaches. In the process we also address the issue of robustness of anomaly detection systems in a principled fashion.

Machine Learning,Networking and Internet Architecture

Jun Li,Noel B. Linsangan,Huiguo Dong

DOI: https://doi.org/10.62677/ijetaa.2407123

2024-08-25

Abstract:This paper proposes an intelligent solution for network traffic prediction and anomaly detection in campus networks, addressing the increasingly severe network security challenges. The proposed approach innovatively integrates Convolutional Neural Networks (CNN) and Long Short-Term Memory networks (LSTM) to simultaneously extract local features and capture dynamic temporal dependencies of network traffic, significantly improving prediction accuracy. Based on this, an adaptive threshold anomaly detection algorithm is designed to automatically adjust detection sensitivity according to traffic variations, achieving a better balance between accuracy and recall rates. Additionally, an anomaly visualization scheme is presented, intuitively displaying the spatiotemporal distribution of network anomalies through heatmaps, assisting administrators in decision-making. Large-scale experiments demonstrate that this approach can effectively identify various security threats such as DDoS attacks, scanning probes, and botnets, with an overall detection rate exceeding 90% while maintaining a low false positive rate. Compared to traditional statistical and machine learning methods, the proposed approach exhibits stronger adaptability and generalization capabilities, providing crucial support for building an intelligent, precise, and reliable campus network security protection system. Future work will focus on further improving the real-time performance and robustness of the solution, expanding its application in new network scenarios such as IoT and edge computing.