Songtao Peng,Jiaqi Nie,Xincheng Shu,Zhongyuan Ruan,Lei Wang,Yunxuan Sheng,Qi Xuan

DOI: https://doi.org/10.1016/j.comnet.2022.109129

IF: 5.493

2022-01-01

Computer Networks

Abstract:As the default protocol for exchanging routing reachability information on the Internet, the abnormal behavior in traffic of Border Gateway Protocols (BGP) is closely related to Internet anomaly events. The BGP anomalous detection model ensures stable routing services on the Internet through its real-time monitoring and alerting capabilities. Previous studies either focused on the feature selection problem or the memory characteristic in data, while ignoring the relationship between features and the precise time correlation in feature (whether it is long or short term dependence). In this paper, we propose a multi-view model for capturing anomalous behaviors from BGP update traffic, in which Seasonal and Trend decomposition using Loess (STL) method is used to reduce the noise in the original time-series data, and Graph Attention Network (GAT) is used to discover feature relationships and time correlations in feature, respectively. Our results outperform the state-of-the-art methods at the anomaly detection task, with the average F1 score up to 96.3% and 93.2% on the balanced and imbalanced datasets respectively. Meanwhile, our model can be extended to classify multiple anomalous and to detect unknown events.

Lu Chen,Tao Zhang,Yuanyuan Ma,Mu Chen

DOI: https://doi.org/10.1109/iist62526.2024.00098

2024-01-01

Abstract:With the increasing complexity, automation, and intelligence of network attacks, new types of attacks are constantly emerging in the network, posing great challenges to network attack detection and timely response based on prior rules. In order to more effectively and accurately identify abnormal traffic, a network abnormal traffic detection algorithm based on improved convolutional neural networks is proposed. The algorithm first inputs the key features of traffic anomaly monitoring, converts them into color images through visualization technology, extracts higher dimensional features, and then uses neural structure search technology to find a lightweight convolutional network structure with high accuracy and less time consumption. The optimal model is used to output the type of traffic anomaly. The results indicate that the algorithm has a higher accuracy and the shortest classification time for a single image.

Dejing Dou,Jun Li,Han Qin,Shiwoong Kim,Sheng Zhong

DOI: https://doi.org/10.1137/1.9781611972771.46

2007-01-01

Abstract:Abnormal events, such as security attacks, misconfigurations, or electricity failures, could have severe consequences toward the normal operation of the Border Gateway Protocol (BGP) that is in charge of the delivery of packets between different autonomous domains, a key operation for the Internet to function. Unfortunately, it has been a difficult task for network security researchers and engineers to classify and detect these events. In our previous work, we have shown that with classification (which relies on the labeling with domain knowledge from BGP experts), it is feasible to effectively detect and distinguish some worms and blackouts from normal BGP behaviors. In this paper, we move one important step forward we show that we can automatically detect and classify between different abnormal BGP events based on a hierarchy discovered by clustering. As a systematic application of data mining, we devise a clustering method based on normalized BGP data that forms a tree-like hierarchy of abnormal BGP event classes. We then obtain a set of classification rules for each class (node) in the hierarchy, thus able to label unknown BGP data to a closest class. Our method works even as the BGP dynamics evolve over time, as shown in our experiments with seven different abnormal events during a four-year period. Our work, in a more general context, shows it is promising to conduct an interdisciplinary research between network security and data mining in solving real-world problems.

Yutao Dong,Qing Li,Richard O. Sinnott,Yong Jiang,Shutao Xia

DOI: https://doi.org/10.1109/icnp52444.2021.9651957

2021-01-01

Abstract:The Border Gateway Protocol (BGP) is arguably the most important and irreplaceable protocol in the network. However, the lack of routing authentication and validation makes it vulnerable to attacks, including routing leaks, route hijacking, prefix hijacking, etc. Therefore, in this paper we propose a generalized framework for ISP self-operated BGP anomaly detection based on weakly supervised learning. To tackle the problem of insufficient data in BGP anomaly detection, we propose an approach to learn from the other anomaly detection systems through knowledge distillation. To reduce the impact of inaccurate supervision, we design a self-attention-based Long Short-Term Memory (LSTM) model to self-adaptively mine the differences between BGP anomaly categories, including both feature and time dimensions. Finally, we implement a system and demonstrate the performance through a set of comprehensive experiments. Compared with the state-of-the-art schemes, our scheme has better generalization on various anomaly types.

Yi Li,Zhangbing Zhou,Shuiguang Deng,Xiao Sun,Xiao Xue,Sami Yangui,Walid Gaaloul

DOI: https://doi.org/10.1109/icws62655.2024.00077

2024-01-01

Abstract:Anomaly detection is a long-standing research topic to support the prompt remedy of potential risks for dependency-aware tasks, where Graph Neural Networks (GNNs) models have been adopted to differentiate anomalies from normal patterns. Generally, GNN models utilize time series data to construct graph structures for capturing task dependencies between Internet of Things (IoT) devices, such that deviations from predicted behaviours are assumed as anomalies. Current forecasting-based anomaly detection methods can hardly detect anomalies, which are uncovered by historical sensory data, but are explicitly specified by domain knowledge. To solve this issue, this paper proposes a Knowledge-enhanced graph attention-based Anomaly Detection (KeAD) method. Specifically, a knowledge-enhanced graph structure is constructed by incorporating domain-specific knowledge to represent spatio-temporal dependencies between IoT devices. Thereafter, a knowledge-enhanced graph attention-based forecasting network is developed to predict future behaviours of IoT devices. Anomalies are detected by analyzing deviations from these predicted behaviours, taking domain-specific knowledge into account. Extensive experiments are conducted based on publicly-available datasets, and evaluation results demonstrate that our KeAD outperform the state-of-the-art techniques in terms of the accuracy of anomaly detection.

Chen Shen,Ruixin Wang,Xiang Li,Peiying Zhang,Kai Liu,Lizhuang Tan

DOI: https://doi.org/10.3390/electronics13204072

IF: 2.9

2024-10-17

Electronics

Abstract:In the Internet, ASs are interconnected using BGP. However, due to a lack of security considerations in the design of BGP, a series of security issues arise during the propagation of routing information, such as prefix hijacking, route leakage, and AS path tampering. Therefore, this paper conducts research on the detection of route leakage. By analyzing BGP routing information, we abstract the routing propagation relationship between ASs into a network topology graph, and extract graph features from the graph abstracted from routing data at certain time intervals. Based on the structural robustness features and centrality measurement features of the graph, we determine whether a route leakage has occurred during the current time period. To this end, we use machine learning methods and propose a weighted voting model. This model trains multiple single models and assigns weights to them, and through the weighted analysis of the results of multiple models, it can determine whether a route leakage has occurred. In addition, to determine the corresponding weights, we use genetic algorithms for identifying route leaks. The experimental results show that the method used in this paper has a high accuracy rate, and compared with a single model, it performs better on multiple datasets.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wen Si,Jiang-Hai Li,Xiao-Jin Huang

DOI: https://doi.org/10.1007/978-981-15-1876-8_51

2020-01-01

Abstract:Anomaly detection is significant in the cyber security of industrial control systems. Unsupervised learning neural networks approach is applicable for the anomaly detection of industrial control systems. The large amount of network packets produced from systems every time are suitable source for training data acquisition. However, the packets contains many layers following different protocols. Thus, extracting effective features from packets will make sense. First the structure of a network packet is analyzed, and one packet is divided into two parts, the header part which includes layers following IT network protocols and the data part which includes layers following ICS protocols. Then IT network features are extracted from the header part. Third, the data part is processed by conversation correspondence and physical meaning reverting, so that industrial control features are extracted from this part. Finally, how to apply the extracted features in neural network approaches for ICS anomaly detection is discussed.

Aiguo Chen,Yang Fu,Xu Zheng,Guoming Lu

DOI: https://doi.org/10.1016/j.cose.2021.102600

2022-03-01

Abstract:The Internet environment is exposed to diverse and increasingly numerous intrusion attacks due to its continuously expanding scale, threatening the information and assets of individuals and companies. The application of machine learning and deep learning methods has significantly improved the performance of network behavior anomaly detection (NBAD). However, existing NBAD methods based on machine learning classify network behaviors with hand-selected feature vectors, which are not flexible enough to adapt to various cyber environments and new categories of attacks, resulting in low accuracy. Moreover, high-dimensional and large-scale data have significantly increased the training, retraining, and detection time, resulting in low scalability. To solve these problems, an efficient NBAD algorithm based on deep belief networks (DBN) and long short-term memory (LSTM) networks is proposed. First, a nonlinear feature extraction method using a DBN is applied to extract features automatically and reduce the dimension of the original data while guaranteeing accuracy. Then, a light-structure LSTM network is used to obtain the classification results. The results of multiple experiments show that the proposed approach performs well in feature learning and has high accuracy while obtaining results in a timely manner and easily updating the model.

computer science, information systems

Xisong Chen,Kaihong Yan,Tao Fu,Jin Zhang,D. Niu,Li Wang

DOI: https://doi.org/10.1109/CAC51589.2020.9327030

2020-11-06

Abstract:With the rapid development of information network, network security is becoming more and more important. Intrusion detection is an important component of the network security system. The traditional signature-based matching detection method is difficult to cope with the increasingly complex network environment. On the contrary, anomaly detection which is based on network traffic pattern analysis has obvious advantages in dealing with encryption attacks, zero-day attacks and other new attacks. This paper studies the network traffic anomaly detection, and proposes a traffic anomaly detection model which combines convolution neural network and eXtreme Gradient Boosting algorithm. First, the collected traffic data is preprocessed into appropriate format that meets the input requirements of the model. Then the improved LeNet-5 convolution neural network is used for feature learning, and finally XGBoost algorithm is used to classify the learning features. Experimental results show that the proposed network traffic anomaly detection method based on CNN and XGBoost has a high accuracy, and good experimental results have been achieved in both two- classification and multi-classification.

Computer Science

Zecheng Li,Shengyuan Chen,Hongshu Dai,Dunyuan Xu,Cheng-Kang Chu,Bin Xiao

DOI: https://doi.org/10.1109/tr.2022.3204349

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Abnormal traffic detection is the core component of the network intrusion detection system. Although semisupervised methods can detect zero-day attack traffic, previous work suffers from high false alarms because the trained model is simply based on normal traffic. In this article, we propose an accurate abnormal traffic detection method using pseudoanomaly, consisting of an efficient feature extraction framework and a novel denoise autoencoder-generative adversarial network (DAE-GAN) model. The feature extraction framework adopts an innovative packet window scheme to extract spatial and temporal features from traffic flows. The DAE-GAN model has multiple DAEs to achieve efficient data augmentation and generate high-quality pseudoanomalies. The pseudoanomalies are obtained by adding noise on normal traffic and enhanced by adversarial learning in DAE-GAN. Our semisupervised detection method, exploiting both normal data and generated pseudoanomalies, achieves a precision of 98.6 on the NSL-KDD dataset and 98.5 on the UNSW-NB15 dataset. Compared with the state-of-the-art, the detection precision and recall under different user behaviors are significantly improved. The evaluation on four attack datasets shows that our method has a high flow-wise precision of over 99 and a high recall of 60.6.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Yihao Chen,Qilei Yin,Qi Li,Zhuotao Liu,Ke Xu,Yi Xu,Mingwei Xu,Ziqian Liu,Jianping Wu

2024-02-25

Abstract:BGP is the de facto inter-domain routing protocol to ensure global connectivity of the Internet. However, various reasons, such as deliberate attacks or misconfigurations, could cause BGP routing anomalies. Traditional methods for BGP routing anomaly detection require significant manual investigation of routes by network operators. Although machine learning has been applied to automate the process, prior arts typically impose significant training overhead (such as large-scale data labeling and feature crafting), and only produce uninterpretable results. To address these limitations, this paper presents a routing anomaly detection system centering around a novel network representation learning model named BEAM. The core design of BEAM is to accurately learn the unique properties (defined as \emph{routing role}) of each Autonomous System (AS) in the Internet by incorporating BGP semantics. As a result, routing anomaly detection, given BEAM, is reduced to a matter of discovering unexpected routing role churns upon observing new route announcements. We implement a prototype of our routing anomaly detection system and extensively evaluate its performance. The experimental results, based on 18 real-world RouteViews datasets containing over 11 billion route announcement records, demonstrate that our system can detect all previously-confirmed routing anomalies, while only introducing at most five false alarms every 180 million route announcements. We also deploy our system at a large ISP to perform real-world detection for one month. During the course of deployment, our system detects 497 true anomalies in the wild with an average of only 1.65 false alarms per day.

Networking and Internet Architecture

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Yi Cui,Wenfeng Shen,Jian Zhang,Weijia Lu,Chuang Liu,Lin Sun,Si Chen

DOI: https://doi.org/10.48550/arXiv.2206.10400

2022-06-21

Cryptography and Security

Abstract:As an active network security protection scheme, intrusion detection system (IDS) undertakes the important responsibility of detecting network attacks in the form of malicious network traffic. Intrusion detection technology is an important part of IDS. At present, many scholars have carried out extensive research on intrusion detection technology. However, developing an efficient intrusion detection method for massive network traffic data is still difficult. Since Generative Adversarial Networks (GANs) have powerful modeling capabilities for complex high-dimensional data, they provide new ideas for addressing this problem. In this paper, we put forward an EBGAN-based intrusion detection method, IDS-EBGAN, that classifies network records as normal traffic or malicious traffic. The generator in IDS-EBGAN is responsible for converting the original malicious network traffic in the training set into adversarial malicious examples. This is because we want to use adversarial learning to improve the ability of discriminator to detect malicious traffic. At the same time, the discriminator adopts Autoencoder model. During testing, IDS-EBGAN uses reconstruction error of discriminator to classify traffic records.

Ben Scott,Michael N. Johnstone,Patryk Szewczyk,Steven Richardson

DOI: https://doi.org/10.1016/j.comnet.2024.110257

IF: 5.493

2024-02-19

Computer Networks

Abstract:The Border Gateway Protocol (BGP), acting as the communication protocol that binds the Internet, remains vulnerable despite Internet security advancements. This is not surprising, as the Internet was not designed to be resilient to cyber-attacks, therefore the detection of anomalous activity was not of prime importance to the Internet creators. Detection of BGP anomalies can potentially provide network operators with an early warning system to focus on protecting networks, systems, and infrastructure from significant impact, improve security posture and resilience, while ultimately contributing to a secure global Internet environment. In this paper, we present a novel technique for the detection of BGP anomalies in different events. This research uses publicly available datasets of BGP messages collected from the repositories, Route Views and Réseaux IP Européens (RIPE). Our contribution is the application of a time series data mining approach, Matrix Profile (MP) , to detect BGP anomalies in all categories of BGP events. Advantages of the MP detection technique compared to extant approaches include that it is domain agnostic, is assumption-free, requires few parameters, does not require training data, and is scalable and storage efficient. The single hyper-parameter analysed in MP shows it is robust to change. Our results indicate the MP detection scheme is competitive against existing detection schemes. A novel BGP anomaly detection scheme is also proposed for further research and validation.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Mengnan Gao,Lifa Wu,Qi Li,Wei Chen

DOI: https://doi.org/10.1016/j.jisa.2023.103532

IF: 4.96

2023-06-17

Journal of Information Security and Applications

Abstract:The number of Internet of Things (IoT) devices is expanding quickly as IoT gradually spreads to all aspects of life. At the same time, IoT devices have emerged as a new attack medium for attack groups, and IoT security becomes an urgent issue to be solved. Attackers often evade intrusion detection using disguises, and attack methods against the IoT continue to evolve over time. To effectively identify malicious traffic, we propose a method for anomaly detection based on attribute graphs to identify potential security vulnerabilities in IoT traffic. The nodes of the attribute graph are values of features extracted from network traffic, with a meta-path-based graph neural network learning the topology and attribute information of the traffic network. To assure the model's performance under large-scale IoT nodes, we develop a Hoffman coding-based data accuracy adjustment strategy to optimize the data, which regulates the size of the attribute graph under various data sizes. Our extensive experiments on datasets of real network traffic show the effectiveness of our method.

computer science, information systems

Wanting Hu,Lu Cao,Qunsheng Ruan,Qingfeng Wu

DOI: https://doi.org/10.3390/s23115059

2023-05-25

Abstract:Network traffic anomaly detection is a key step in identifying and preventing network security threats. This study aims to construct a new deep-learning-based traffic anomaly detection model through in-depth research on new feature-engineering methods, significantly improving the efficiency and accuracy of network traffic anomaly detection. The specific research work mainly includes the following two aspects: 1. In order to construct a more comprehensive dataset, this article first starts from the raw data of the classic traffic anomaly detection dataset UNSW-NB15 and combines the feature extraction standards and feature calculation methods of other classic detection datasets to re-extract and design a feature description set for the original traffic data in order to accurately and completely describe the network traffic status. We reconstructed the dataset DNTAD using the feature-processing method designed in this article and conducted evaluation experiments on it. Experiments have shown that by verifying classic machine learning algorithms, such as XGBoost, this method not only does not reduce the training performance of the algorithm but also improves its operational efficiency. 2. This article proposes a detection algorithm model based on LSTM and the recurrent neural network self-attention mechanism for important time-series information contained in the abnormal traffic datasets. With this model, through the memory mechanism of the LSTM, the time dependence of traffic features can be learned. On the basis of LSTM, a self-attention mechanism is introduced, which can weight the features at different positions in the sequence, enabling the model to better learn the direct relationship between traffic features. A series of ablation experiments were also used to demonstrate the effectiveness of each component of the model. The experimental results show that, compared to other comparative models, the model proposed in this article achieves better experimental results on the constructed dataset.

XiuQing Wang,Yang An,Qianwei Hu

DOI: https://doi.org/10.7717/peerj-cs.2009

2024-07-23

Abstract:With the popularity of Internet applications, a large amount of Internet behavior log data is generated. Abnormal behaviors of corporate employees may lead to internet security issues and data leakage incidents. To ensure the safety of information systems, it is important to research on anomaly prediction of Internet behaviors. Due to the high cost of labeling big data manually, an unsupervised generative model-Anomaly Prediction of Internet behavior based on Generative Adversarial Networks (APIBGAN), which works only with a small amount of labeled data, is proposed to predict anomalies of Internet behaviors. After the input Internet behavior data is preprocessed by the proposed method, the data-generating generative adversarial network (DGGAN) in APIBGAN learns the distribution of real Internet behavior data by leveraging neural networks' powerful feature extraction from the data to generate Internet behavior data with random noise. The APIBGAN utilizes these labeled generated data as a benchmark to complete the distance-based anomaly prediction. Three categories of Internet behavior sampling data from corporate employees are employed to train APIBGAN: (1) Online behavior data of an individual in a department. (2) Online behavior data of multiple employees in the same department. (3) Online behavior data of multiple employees in different departments. The prediction scores of the three categories of Internet behavior data are 87.23%, 85.13%, and 83.47%, respectively, and are above the highest score of 81.35% which is obtained by the comparison method based on Isolation Forests in the CCF Big Data & Computing Intelligence Contest (CCF-BDCI). The experimental results validate that APIBGAN predicts the outlier of Internet behaviors effectively through the GAN, which is composed of a simple three-layer fully connected neural networks (FNNs). We can use APIBGAN not only for anomaly prediction of Internet behaviors but also for anomaly prediction in many other applications, which have big data infeasible to label manually. Above all, APIBGAN has broad application prospects for anomaly prediction, and our work also provides valuable input for anomaly prediction-based GAN.

Bing Liu,Xiaolei Ma,Erlong Tan,Zhenliang Ma

DOI: https://doi.org/10.1098/rsta.2022.0253

2023-09-04

Abstract:Passenger flow anomaly detection in urban rail transit networks (URTNs) is critical in managing surging demand and informing effective operations planning and controls in the network. Existing studies have primarily focused on identifying the source of anomalies at a single station by analysing the time-series characteristics of passenger flow. However, they ignored the high-dimensional and complex spatial features of passenger flow and the dynamic behaviours of passengers in URTNs during anomaly detection. This article proposes a novel anomaly detection methodology based on a deep learning framework consisting of a graph convolution network (GCN)-informer model and a Gaussian naive Bayes model. The GCN-informer model is used to capture the spatial and temporal features of inbound and outbound passenger flows, and it is trained on normal datasets. The Gaussian naive Bayes model is used to construct a binary classifier for anomaly detection, and its parameters are estimated by feeding the normal and abnormal test data into the trained GCN-informer model. Experiments are conducted on a real-world URTN passenger flow dataset from Beijing. The results show that the proposed framework has superior performance compared to existing anomaly detection algorithms in detecting network-level passenger flow anomalies. This article is part of the theme issue 'Artificial intelligence in failure analysis of transportation infrastructure and materials'.

Songtao Peng,Yiping Chen,Xincheng Shu,Wu Shuai,Shenhao Fang,Zhongyuan Ruan,Qi Xuan

2023-12-18

Abstract:In recent years, various international security events have occurred frequently and interacted between real society and cyberspace. Traditional traffic monitoring mainly focuses on the local anomalous status of events due to a large amount of data. BGP-based event monitoring makes it possible to perform differential analysis of international events. For many existing traffic anomaly detection methods, we have observed that the window-based noise reduction strategy effectively improves the success rate of time series anomaly detection. Motivated by this observation, we propose an unsupervised anomaly detection model, MAD-MulW, which incorporates a multi-window serial framework. Firstly, we design the W-GAT module to adaptively update the sample weights within the window and retain the updated information of the trailing sample, which not only reduces the outlier samples' noise but also avoids the space consumption of data scale expansion. Then, the W-LAT module based on predictive reconstruction both captures the trend of sample fluctuations over a certain period of time and increases the interclass variation through the reconstruction of the predictive sample. Our model has been experimentally validated on multiple BGP anomalous events with an average F1 score of over 90\%, which demonstrates the significant improvement effect of the stage windows and adaptive strategy on the efficiency and stability of the timing model.

Cryptography and Security

Yong Sun,Huakun Que,Qianqian Cai,Jingming Zhao,Jingru Li,Zhengmin Kong,Shuai Wang

DOI: https://doi.org/10.3390/en15134751

IF: 3.2

2022-06-29

Energies

Abstract:This paper proposes a novel network anomaly detection framework based on data balance and feature selection. Different from the previous binary classification of network intrusion, the network anomaly detection strategy proposed in this paper solves the problem of multiple classification of network intrusion. Regarding the common data imbalance of a network intrusion detection set, a resampling strategy generated by random sampling and Borderline SMOTE data is developed for data balance. According to the features of the intrusion detection dataset, feature selection is carried out based on information gain rate. Experiments are carried out on three basic machine learning algorithms (K-nearest neighbor algorithm (KNN), decision tree (DT), random forest (RF)), and the optimal feature selection scheme is obtained.

energy & fuels