Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Zhining Lv,Ziheng Hu,Baifeng Ning,Yu Sun,Gangfeng Yan,Xiasheng Shi

DOI: https://doi.org/10.1109/CAC48633.2019.8996440

2019-01-01

Abstract:Power industrial terminal is a complex system with high reliability and security. Traditional methods for detecting data anomalies of power industrial terminal fail to fully mine the data characteristics. And it has shortcomings such as complex calculation, poor flexibility and low accuracy. In order to solve the problem that it is difficult to predict the operational status of power industrial terminal accurately, a prediction method based on long-term memory (LSTM) neural network is proposed. Considering the variety of data reflecting the operating status of power industrial terminal, choose the ambient temperature system related to the operating status of power industrial terminal as a experiment object. Through experiments, the algorithm has higher prediction effect for the operating status of power industrial terminal.

牛国林,管晓宏,龙毅,秦涛

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.04.009

2009-01-01

Abstract:Based on tradeoffs analysis of abnormal behavior and detection methods,a multi-source traffic features analysis and abnormal detection method was proposed.The distribution characteristics of the flow size,IP addresses and ports were analyzed and found to be efficacious in traffic patterns analysis.The Renyi entropy was employed to fuse the multi-source information captured by different traffic features,and an abnormal behavior detection method was presented.Beacause of using the multi-source information,the models could detect many kinds of abnormal behaviors,which was an impossible mission for many other traditional abnormal detection methods.The experimental results based on actual network data show that the proposed abnormal detection methods are effective in detecting known and unknown attacks with high-accuracy detection rate and low complexity.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Lingxia Lu,Ju-Song Kang,Miao Yu

DOI: https://doi.org/10.35833/MPCE.2023.000901

IF: 4.469

2024-01-01

Journal of Modern Power Systems and Clean Energy

Abstract:Non-intrusive load monitoring (NILM) can provide appliance-level power consumption information without deploying submeters for each load, in which load event detection is one of the crucial steps. However, the existing event detection methods do not efficiently detect both the starting time of an event (STE) and the ending time of an event (ETE), and their adaptability to scenarios with different sampling rates is limited. To address these problems, in this paper, an event detection method based on robust random cut forest (RRCF) algorithm, which is an unsupervised learning method for detecting anomalous data points within a dataset, is proposed. First, mean-pooling preprocessing is applied to the aggregated load power series with a high sampling rate to minimize fluctuations. Then, the power differential series is obtained, and the anomaly score of each data point is calculated using the RRCF algorithm for preliminary detection. If an event has been preliminarily detected, misidentification caused by fluctuation will be further eliminated by using an adaptive power difference threshold approach. Finally, linear fitting is used to finely and accurately adjust the STE and ETE. The proposed method does not require any pretraining of the detection model and has been validated with both the BLUED dataset (with high and low sampling rates) and the REDD dataset (with low sampling rates). The experimental results demonstrate that the proposed method not only meets real-time requirements but also exhibits strong adaptability across multiple scenarios. The precision is greater than 92% in distinct sampling rate scenarios, and the F1 score of phase B on the BLUED dataset reaches 94% in the scenario with a high sampling rate. These results indicate that the proposed method outperforms other state-of-the-art methods.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Chunming Qiu,Guoxiang Shao,Zhenyu Zhang,Chichun Zhou,Yuejie Hou,Enming Zhao,Xiao Guo,Xiaolin Guan

DOI: https://doi.org/10.1109/access.2024.3359302

IF: 3.9

2024-02-16

IEEE Access

Abstract:Sewer networks (SNs) are susceptible to various factors that can lead to failures, resulting in economic losses and environmental pollution. Data-driven approaches based on sewage flow monitoring enhance the awareness and maintenance capabilities of SNs. However, the current research lacks early warning systems for flow anomalies. This presents a challenge for the application of supervised methods, primarily due to the scarcity of anomalous flow datasets. Even with the availability of such datasets, the effectiveness of these methods may vary due to environmental differences, since SNs are situated in diverse environments. Therefore, effectively achieving early warnings for anomalies in unlabeled flow data is a challenge that must be addressed in the field of flow monitoring. To address this challenge, we propose a detection method for effectively warning of anomalies in flow data. Since anomalies typically result in significant deviations from normal data, early warnings can be achieved by comparing the differences between current and historical data. The key to this early warning lies in establishing an adaptive threshold for detecting abnormal data changes. Our detection method employs an unsupervised bagging-based multi-anomaly detection algorithm to detect such abnormal data changes. Experiments conducted on Erhai Lake SNs flow data demonstrate that our method can predict anomalies 5-15 minutes in advance with a precision of 80.00%, a recall of 66.67%, and an F1 score of 0.73. Our approach not only achieves cost-effective and timely anomalies detection but also overcomes the challenges associated with limited dataset availability, making it applicable to various other industries.

computer science, information systems,telecommunications,engineering, electrical & electronic

Liang Shouyu,Kun Zhang,Wenchong Fang,Zhifeng Zhou,Rong Hu,Wen Zhu,Yingchen Li,Yichang Wang,Jian Hou

DOI: https://doi.org/10.1088/1742-6596/1601/2/022010

2020-07-01

Journal of Physics: Conference Series

Abstract:Abstract It is very important to detect abnormal Access IP of power grid dispatching platform accurately and rapidly to ensure the safety of power production. An Isolation Forest and K-means fusion algorithm is proposed, which not only solves the deficiency of Isolation Forest only being able to detect anomalies in binary classification, but also solves the defect of Isolation Forest threshold setting based on artificial experience or prior assumptions by designing a threshold setting strategy for Isolation Forest anomalies. The Access IP data of the southern power grid dispatching platform is taken as an example to evaluate the proposed algorithm and model. Through control experiments, the effectiveness and advancedness of the algorithm are illustrated in terms of AUC-ROC curve, accuracy, recall, and F1 score.

Wang Jianyuan,Gu Chengcheng,Liu Kechen

DOI: https://doi.org/10.3389/fenrg.2022.984473

IF: 3.4

2022-08-31

Frontiers in Energy Research

Abstract:This study aims at investigating the applicability of abnormal electricity consumption data detection method, which is based on the entropy weight method and the isolated forest tree algorithm. The inaccessibility and imbalance of abnormal electricity consumption samples in actual data sets are considered by analyzing smart distribution network power consumption big data. Firstly, the users are classified by the k-means clustering algorithm, and then the characteristics of each type of user are extracted and the feature set is processed by the principal component analysis method to reduce the dimensions, followed by the entropy weight method adaptive configuration of the weight coefficients of each feature index, and finally the abnormal power consumption users are calculated based on the feature-weighted isolated forest algorithm. The algorithm verifies the real electricity consumption data of 6,445 users, and the results show that the method has a high detection accuracy, recall rate and F1 score, which is more suitable for the detection of abnormal electricity consumption in scenarios when there are complex and diverse user power consumption behaviors.

energy & fuels

Liyang Wang,Yu Cheng,Hao Gong,Jiacheng Hu,Xirui Tang,Iris Li

2024-09-23

Abstract:The sophistication and diversity of contemporary cyberattacks have rendered the use of proxies, gateways, firewalls, and encrypted tunnels as a standalone defensive strategy inadequate. Consequently, the proactive identification of data anomalies has emerged as a prominent area of research within the field of data security. The majority of extant studies concentrate on sample equilibrium data, with the consequence that the detection effect is not optimal in the context of unbalanced data. In this study, the unsupervised learning method is employed to identify anomalies in dynamic data flows. Initially, multi-dimensional features are extracted from real-time data, and a clustering algorithm is utilised to analyse the patterns of the data. This enables the potential outliers to be automatically identified. By clustering similar data, the model is able to detect data behaviour that deviates significantly from normal traffic without the need for labelled data. The results of the experiments demonstrate that the proposed method exhibits high accuracy in the detection of anomalies across a range of scenarios. Notably, it demonstrates robust and adaptable performance, particularly in the context of unbalanced data.

Machine Learning,Artificial Intelligence,Cryptography and Security

Yihong Yang,Sheng Ding,Yuwen Liu,Shunmei Meng,Xiaoxiao Chi,Rui Ma,Chao Yan

DOI: https://doi.org/10.48550/arXiv.2107.13353

2021-07-28

Abstract:Edge computing enabled smart greenhouse is a representative application of Internet of Things technology, which can monitor the environmental information in real time and employ the information to contribute to intelligent decision-making. In the process, anomaly detection for wireless sensor data plays an important role. However, traditional anomaly detection algorithms originally designed for anomaly detection in static data have not properly considered the inherent characteristics of data stream produced by wireless sensor such as infiniteness, correlations and concept drift, which may pose a considerable challenge on anomaly detection based on data stream, and lead to low detection accuracy and efficiency. First, data stream usually generates quickly which means that it is infinite and enormous, so any traditional off-line anomaly detection algorithm that attempts to store the whole dataset or to scan the dataset multiple times for anomaly detection will run out of memory space. Second, there exist correlations among different data streams, which traditional algorithms hardly consider. Third, the underlying data generation process or data distribution may change over time. Thus, traditional anomaly detection algorithms with no model update will lose their effects. Considering these issues, a novel method (called DLSHiForest) on basis of Locality-Sensitive Hashing and time window technique in this paper is proposed to solve these problems while achieving accurate and efficient detection. Comprehensive experiments are executed using real-world agricultural greenhouse dataset to demonstrate the feasibility of our approach. Experimental results show that our proposal is practicable in addressing challenges of traditional anomaly detection while ensuring accuracy and efficiency.

Machine Learning,Artificial Intelligence,Signal Processing

Chen Yang

DOI: https://doi.org/10.1007/s10586-018-1755-5

2018-01-16

Cluster Computing

Abstract:In recent years, there are more and more abnormal activities in the network, which greatly threaten network security. Hence, it is of great importance to collect the data which indicate the running statement of the network, and distinguish the anomaly phenomena of the network in time. In this paper, we propose a novel anomaly network traffic detection algorithm under the cloud computing environment. Firstly, the framework of the anomaly network traffic detection system is illustrated, and six type of network traffic features are consider in this work, that is, (1) number of source IP address, (2) number of source port number, (3) number of destination IP address, (4) number of destination port number, (5) Number of packet type, and (6) number of network packets. Secondly, we propose a novel hybrid information entropy and SVM model to tackle the proposed problem by normalizing values of network features and exploiting SVM detect anomaly network behaviors. Finally, experimental results demonstrate that the proposed algorithm can detect anomaly network traffic with high accuracy and it can also be used in the large scale dataset.

Ziyu Wang,Jiahai Yang,Fuliang Li

DOI: https://doi.org/10.1109/TrustCom.2014.16

2014-01-01

Abstract:Anomaly detection has been a hot topic in recent years due to its capability of detecting zero day attacks. In this paper, we propose a new metric called Entropy-Ratio. We validate that the Entropy-Ratio is stationary. Making use of this observation, we combine the Least Mean Square algorithm and the Forward Linear Predictor to propose a new on-line detector called LMS-FLP detector. Using the two synthetic data sets - CEGI-6IX synthetic data and CERNET2 synthetic data, we validate that the LMS-FLP detector is very effective in detecting both anomalies involving many small IP flows and anomalies involving a few large IP flows.

Yifan Feng,Weihong Cai,Haoyu Yue,Jianlong Xu,Yan Lin,Jiaxin Chen,Zijun Hu

DOI: https://doi.org/10.1371/journal.pone.0263423

IF: 3.7

2022-01-31

PLoS ONE

Abstract:Anomaly detection in network traffic is becoming a challenging task due to the complexity of large-scale networks and the proliferation of various social network applications. In the actual industrial environment, only recently obtained unlabelled data can be used as the training set. The accuracy of the abnormal ratio in the training set as prior knowledge has a great influence on the performance of the commonly used unsupervised algorithms. In this study, an anomaly detection algorithm based on X-means and iForest is proposed, named X-iForest, which clusters the standard Euclidean distance between the abnormal points and the normal cluster centre to achieve secondary filtering by using X-means. We compared X-iForest with seven mainstream unsupervised algorithms in terms of the AUC and anomaly detection rates. A large number of experiments showed that X-iForest has notable advantages over other algorithms and can be well applied to anomaly detection of large-scale network traffic data.

multidisciplinary sciences

Lei Wang,Yuan Cheng,XiaoJun Li,Bo Qin

DOI: https://doi.org/10.1088/1742-6596/1648/4/042080

2020-10-01

Journal of Physics: Conference Series

Abstract:Abstract Image technology is widely used in intelligent applications. Based on the intelligent multi-drive patrol inspection of the water environment of cable duct corridors, the original technical methods and corresponding algorithms cannot be effectively solved. This paper mainly studies the intelligent multi-drive patrol inspection technology for the water environment of cable duct corridor based on random forest algorithm. In this paper, a feature that is insensitive to changes in illumination is designed and used for image change detection. At the same time, the Haar-like feature is improved according to this feature. The improved Haar-like feature and random forest calculation are used to detect the change area of the image. The experiment in this paper found that the cable fire of underground comprehensive pipe corridor burned more violently during 200 s-600 s. This stage only accounted for 22.3% of the burning time, but contributed 73.4% of the mass loss. The experimental results in this paper show that the intelligent multi-drive patrol inspection technology for the water environment of cable duct corridors based on the random forest algorithm is in line with the actual application standards and has important significance in practical applications.

Chun-Hui Xiao,Chen Su,Cong-Xiao Bao,Xing Li

DOI: https://doi.org/10.1109/ICNISC.2018.00019

2018-01-01

Abstract:As an important part in network management system, rapid and accurate anomaly detection is one of the preconditions to guarantee the effective work of the network. In general, the network management system will monitor the data of multiple indicators, and the manifestations of network anomalies are complex in the data. Most existing anomaly detection approaches have encountered some trouble in network anomaly detection because of the periodicity of time series data or high time complexity and memory cost working on high-dimensional data. Aiming at the deficiency of present methods of network anomaly detection, we propose an adapted method based on iForest algorithm. We construct some feature extractors through statistical methods to highlight different abnormal behaviors in different indicator and then use the extracted feature data for the construction and prediction of iForest. Combining specific feature extractors, we can eliminate the effects of periodicity, or specify the detection of peaks or troughs to adapt to different indicators. By means of iForest algorithm which has linear time complexity and low memory requirement, our method makes a rapid detection with large dataset and works well in high dimensional network management data.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Qiuzhen Huang

DOI: https://doi.org/10.1016/j.jnca.2011.06.006

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:The randomness in network behaviors poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features to capture the traffic patterns. The blind source separation method is applied to obtain the routine and abnormal behaviors from those features. A scale space filter is applied to filter the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of different traffic features to the abnormal behavior detection are analyzed. It is found that the number of connection degree is the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting the abnormal behaviors not associated with significant changes in traffic volumes. Another advantage of the new method is that no supervised learning process is needed. This is very important since high quality labeled samples are very difficult to acquire in actual networks especially the data traces associated with attacks. The experimental results based on the actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in the gigabytes traffic environment and the accuracy is above 95%.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Jing Zhang,Yong Ma,Yu Lu,Jun Wang

DOI: https://doi.org/10.2478/amns.2023.2.01245

2023-11-25

Applied Mathematics and Nonlinear Sciences

Abstract:Abstract The construction of an intelligent power grid system has promoted innovation and development in the power grid industry, but the distribution network covers a wide range and has more access data, and the network attack risk is the focus of attention. In this regard, the stochastic forest model is introduced to build the distribution network risk detection model based on the software-defined network. The first is to study the power grid system based on a software-defined network, realize the analysis and extraction of the characteristics of abnormal power grid engineering data, and realize the diagnosis of risk data through a random forest model. At the same time, considering the long modeling time of the random forest model and the low classification accuracy in unbalanced samples, the feature selection model is introduced to optimize the random forest model, and the sampling weight function is set to improve the insufficient sampling accuracy of random forest model in small samples. The model classification effect is evaluated during the model performance test. The proposed model is the most accurate of the three data sets. In the three data classification tests of Satimage, Senbased, and Cleveland, the accuracy of MICRO Average is respectively 0.886, 0.986 and 0.856. At the same time, the proposed model is superior to other models in terms of training time and variance stability test. When the data set is 18000, the model accuracy is 0.968, which is better than the other two models. The research content has important reference value for maintaining communication security and improving system stability in distribution networks.