Liang HE,Yongcheng WANG,Yun LI,Yanjie CHU,Chao SHEN

DOI: https://doi.org/10.3778/j.issn.1002-8331.1811-0026

2019-01-01

Abstract:In the fields of network maintenance and operation, it attracts much attention how to detect and prompt the net-work anomalies in time. Anomalous events are less in dataset than the normal ones, leading to the fact that it is difficult to use the two-class classifications for anomaly detection because of the imbalance of data labeled as normal or anomalous. Meanwhile, anomalous events are in various patterns and there is little prior information about the anomaly that the users are concerned with, therefore, it is necessary to model the normal data and use them for anomaly detection by comparing the received data with the normal model. Based on Lindeberg-Feller central limit theorem, a hypothesis test is designed to detect whether the data to be tested is anomalous or not, according to the refusing area calculated by the confidential parameter. Finally, the theorem of this algorithm is simulated and the performance is also tested both on the common and the actual datasets. When the users take the correlation features of the anomalous events as the algorithm input, the recall ratio reaches 90%.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Yue Shi-hong,Li Ping,Guo Ji-dong,Zhou Shui-geng

DOI: https://doi.org/10.1007/bf02842480

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:Clustering, as a powerful data mining technique for discovering interesting data distributions and patterns in the underlying database, is used in many fields, such as statistical data analysis, pattern recognition, image processing, and other business applications. Density-based Spatial Clustering of Applications with Noise (DBSCAN) (Esteret al., 1996) is a good performance clustering method for dealing with spatial data although it leaves many problems to be solved. For example, DBSCAN requires a necessary user-specified threshold while its computation is extremely time-consuming by current method such as OPTICS, etc. (Ankerstet al., 1999), and the performance of DBSCAN under different norms has yet to be examined. In this paper, we first developed a method based on statistical information of distance space in database to determine the necessary threshold. Then our examination of the DBSCAN performance under different norms showed that there was determinable relation between them. Finally, we used two artificial databases to verify the effectiveness and efficiency of the proposed methods.

Yishan Guo,Mandan Liu

DOI: https://doi.org/10.3233/ida-216185

IF: 1.7

2023-02-01

Intelligent Data Analysis

Abstract:With the development of wireless communication technology, when users use wireless networks to meet various needs, wireless networks also record a large number of users' spatial-temporal trajectory data. In order to better pay attention to the healthy development of students and promote the information construction on campus, a spectral clustering algorithm based on the multi-scale threshold and density combined with shared nearest neighbors (MSTDSNN-SC) is proposed. Firstly, it improves the affinity distance function based on the shortest time dis-tance-shortest time distance sub-sequence (STD-STDSS) by adding location popularity and uses this model to construct the initial adjacency matrix. Then it introduces the covariance scale threshold and spatial scale threshold to perform 0–1 processing on the adjacency matrix to obtain more accurate sample similarity. Next, it constructs an eigenvector space by eigenvalue decom-position of the adjacency matrix. Finally, it uses DBSCAN clustering algorithm with shared nearest neighbors to avoid to manually determine the number of clusters. Taking Internet usage data on campus as an example, multiple clustering algorithms are used for anomaly detection and four evaluation metrics are applied to estimate the clustering results. MSTDSNN-SC algorithm reflects better clustering performance. Furthermore, the abnormal trajectories list is verified to be effective and credible.

Gerard Shu Fuhnwi,Janet O. Agbaje,Kayode Oshinubi,Olumuyiwa James Peter

DOI: https://doi.org/10.46481/jnsps.2023.1364

2023-04-19

Journal of the Nigerian Society of Physical Sciences

Abstract:In data mining, and statistics, anomaly detection is the process of finding data patterns (outcomes, values, or observations) that deviate from the rest of the other observations or outcomes. Anomaly detection is heavily used in solving real-world problems in many application domains, like medicine, finance , cybersecurity, banking, networking, transportation, and military surveillance for enemy activities, but not limited to only these fields. In this paper, we present an empirical study on unsupervised anomaly detection techniques such as Density-Based Spatial Clustering of Applications with Noise (DBSCAN), (DBSCAN++) (with uniform initialization, k-center initialization, uniform with approximate neighbor initialization, and $k$-center with approximate neighbor initialization), and $k$-means$--$ algorithms on six benchmark imbalanced data sets. Findings from our in-depth empirical study show that k-means-- is more robust than DBSCAN, and DBSCAN++, in terms of the different evaluation measures (F1-score, False alarm rate, Adjusted rand index, and Jaccard coefficient), and running time. We also observe that DBSCAN performs very well on data sets with fewer number of data points. Moreover, the results indicate that the choice of clustering algorithm can significantly impact the performance of anomaly detection and that the performance of different algorithms varies depending on the characteristics of the data. Overall, this study provides insights into the strengths and limitations of different clustering algorithms for anomaly detection and can help guide the selection of appropriate algorithms for specific applications.

Ya CHEN

DOI: https://doi.org/10.3969/j.issn.1006-9348.2017.09.079

2017-01-01

Abstract:A detection method for abnormal information under big data environment is put forward based on fuzzy clustering.The subset of original data set via sampling data point in the original data set in proportion is formed,and the pretreatment for the observed value of feature of abnormal information is carried out,then the local extreme point of the objective function is searched and characteristic value of sliding window of the pre-detected abnormal information is extracted.The matrix of time-space relationship among neighbor nodes in assigned section is built,and space -time correlation of characteristic value of neighbor nodes is worked out.According to cluster results,the probability of abnormal mutation of information under big data enviromnent is confirmed.Thus,the detection of abnormal information is completed.Simulation resuhs show that the method has high precision.It lays foundation for improving environmental quality of big data.

Yuan Yuan,Yuangang Li

DOI: https://doi.org/10.1155/2022/5985426

IF: 1.43

2022-10-02

Mathematical Problems in Engineering

Abstract:Data anomaly detection plays a vital role in protecting network security and developing network technology. Aiming at the detection problems of large data volume, complex information, and difficult identification, this paper constructs a modified hybrid anomaly detection (MHAD) method based on the K-means clustering algorithm, particle swarm optimization, and genetic algorithm. First, by designing coding rules and fitness functions, the multiattribute data is effectively clustered, and the inheritance of good attributes is guaranteed. Second, by applying selection, crossover, and mutation operators to particle position and velocity updates, local optima problems are avoided and population diversity is ensured. Finally, the Fisher score expression for data attribute extraction is constructed, which reduces the required sample size and improves the detection efficiency. The experimental results show that the MHAD method has better performance than the K-means clustering algorithm, the support vector machine, decision trees, and other methods in the four indicators of recall, precision, prediction accuracy, and F-measure. The main advantages of the proposed method are that it achieves a balance between global and local search and ensures a high detection rate and a low false positive rate.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Yating Liu,Yuantao Gu

DOI: https://doi.org/10.1109/dsw.2018.8439923

2018-01-01

Abstract:Network anomaly detection refers to automatically identifying the flows associated with anomalous events, which is the first line of defense against attacks in network security system. This paper proposes a new reliable unsupervised detector Multiple Sketches and Clustering (MSC) combining sketches (random projections) and clustering to blindly identify anomalies without relying on signatures or labeled traffic data. Multiple random projections and voting strategy alleviate the potential misclassification of single analysis and ensure a lower false positive rate. The K-means++ clustering detection detects both known and unknown anomalies accurately and triggers a higher true positive rate without any prior information about traffic data or anomaly patterns. The results on the MAWILAB backbone network dataset reveal that the novel detector outperforms the state-of-the-art detectors.

Huang Kai,Zhengwei Qi,Liu Bo

DOI: https://doi.org/10.1109/WAINA.2009.58

2009-01-01

Abstract:Network always suffers from the traffic anomaly such as router rate change, device restart or the worm attack. The early detection of unusual anomaly in the network is a key to fast recover and avoidance of future serious problem to provide a stable network transmission. In this paper we present a statistical approach to analysis the distribution of network traffic to identify the normal network traffic behavior. We adapt the EM algorism to estimate the distribution parameter of Gaussian mixture distribution model. If only there is a statistical signature of unusual fluctuation or change in the network traffic an alarm will be triggered. We adapt the time series analysis of the statistical analysis result. Up bound and low bound will be defined through the analysis. The exceeding of the bound will be the signal of traffic anomaly. Another time series analysis approach also can reflect the fluctuation of network with the crossover of two indicator lines called K line and D line. These two indicator lines are some think like the mean value of the historical data in a time slice with one more sensitive to the change of the new coming data and another not. The approach three-MACD indicator approach is like the K D approach but more blunt to the unusual fluctuation of network traffic which can submit an alarm more correctly.

Jing Wang,Daniel Rossell,Christos G. Cassandras,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1309.4844

2013-09-19

Abstract:We present five methods to the problem of network anomaly detection. These methods cover most of the common techniques in the anomaly detection field, including Statistical Hypothesis Tests (SHT), Support Vector Machines (SVM) and clustering analysis. We evaluate all methods in a simulated network that consists of nominal data, three flow-level anomalies and one packet-level attack. Through analyzing the results, we point out the advantages and disadvantages of each method and conclude that combining the results of the individual methods can yield improved anomaly detection results.

Machine Learning,Networking and Internet Architecture

Jing Tao,Ning Zheng,Waner Wang,Ting Han,Xuna Zhan,Qingxin Luan

DOI: https://doi.org/10.1109/icbk.2019.00039

2019-01-01

Abstract:Abnormal host detection is a critical issue in an enterprise intranet data center. The traditional anomaly host detection method mainly focuses on detecting anomaly behavior, and the abnormality determination for a single behavior point often has certain limitations. For example, the entire attack process cannot be completely restored. And it will cause a lot of underreporting. Therefore, in this paper, we propose A Behavior Sequence Clustering-based Enterprise Network Anomaly Host Detection Method to solve the problem of anomaly host detection of an enterprise network We use the Toeplitz Inverse Covariance-Based Clustering (TICC) algorithm [1] to segment and cluster time series data and mining anomaly host behavior sequences, identify the anomaly host of the enterprise network The experimental results show that the Behavior Sequence Clustering-based Enterprise Network Anomaly Host Recognition Method can quickly identify the anomaly host and accurately restore the complete attack process.

Ding De Jiang,Cheng Yao,Wei Han Zhang,Zheng

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.1461

2013-01-01

Advanced Materials Research

Abstract:This paper presents a detection algorithm for anomaly network traffic, which is based on spectral kurtosis analysis. Firstly, we turn network traffic into time-frequency signals at different scales. These time-frequency signals hold the more detailed nature corresponding to different scales. Secondly, the time-frequency signals at different scales are transformed into a series of new time signals by time-frequency analysis theory. These new time signals hold obvious narrowband nature and embody the local properties of network traffic. Thirdly, we calculate the spectral kurtosis values of the new time signals and then perform the feature extractions. As a result, the abnormal network traffic can be correctly identified. Simulation results show that our algorithm is feasible and promising.

Qian Ma,Cong Sun,Baojiang Cui

DOI: https://doi.org/10.1155/2021/2170788

IF: 1.968

2021-11-20

Security and Communication Networks

Abstract:New vulnerabilities and ever-evolving network attacks pose great threats to today’s cyberspace security. Anomaly detection in network traffic is a promising and effective technique to enhance network security. In addition to traditional statistical analysis and rule-based detection techniques, machine learning models are introduced for intelligent detection of abnormal traffic data. In this paper, a novel model named SVM-C is proposed for the anomaly detection in network traffic. The URLs in the network traffic log are transformed into feature vectors via statistical laws and linear projection. The obtained feature vectors are fed into a support vector machine (SVM) classifier and classified as normal or abnormal. Based on the idea of SVM and clustering, we construct an optimization model to train the parameters of the feature extraction method and traffic classifier. Numerical tests indicate that the proposed model outperforms the state of the arts on all the tested datasets.

computer science, information systems,telecommunications

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

Chonghua Wang,Hao Zhou,Zhiqiang Hao,Shu Hu,Jun Li,Xueying Zhang,Bo Jiang,Xuehong Chen

DOI: https://doi.org/10.1016/j.comnet.2022.108760

IF: 5.493

2022-03-01

Computer Networks

Abstract:Due to the ever-growing presence of network traffic, there has been a considerable amount of research on anomaly detection in network traffic by clustering. Most of them have not considered the problem that collective anomaly detection in network traffic. Collective anomaly might scatter among multiple clusters when applying the clustering-based algorithms in the anomaly detection. In this paper, we propose a progressive exploration framework for collective anomaly detection on network traffic based on a clustering method, called CCAD. CCAD enables analysts to effectively explore collective anomaly in network traffic. This framework is different from the other anomaly detection methods. It is based on the analysis of the influence of collective anomaly on the clustering results in the network traffic stream data. CCAD framework efficiently supports the collective anomaly exploration. As demonstrated by our extensive experiments with real-world data, CCAD has high detection rate in comparison with other existing methods.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Chen Yang

DOI: https://doi.org/10.1007/s10586-018-1755-5

2018-01-16

Cluster Computing

Abstract:In recent years, there are more and more abnormal activities in the network, which greatly threaten network security. Hence, it is of great importance to collect the data which indicate the running statement of the network, and distinguish the anomaly phenomena of the network in time. In this paper, we propose a novel anomaly network traffic detection algorithm under the cloud computing environment. Firstly, the framework of the anomaly network traffic detection system is illustrated, and six type of network traffic features are consider in this work, that is, (1) number of source IP address, (2) number of source port number, (3) number of destination IP address, (4) number of destination port number, (5) Number of packet type, and (6) number of network packets. Secondly, we propose a novel hybrid information entropy and SVM model to tackle the proposed problem by normalizing values of network features and exploiting SVM detect anomaly network behaviors. Finally, experimental results demonstrate that the proposed algorithm can detect anomaly network traffic with high accuracy and it can also be used in the large scale dataset.

Junlin Zhou,Aleksandar Lazarevic,Kuo-Wei Hsu,Jaideep Srivastava,Yan Fu,Yue Wu

DOI: https://doi.org/10.1142/s0219622010004172

2010-01-01

International Journal of Information Technology & Decision Making

Abstract:Anomaly detection has recently become an important problem in many industrial and financial applications. Very often, the databases from which anomalies have to be found are located at multiple local sites and cannot be merged due to privacy reasons or communication overhead. In this paper, a novel general framework for distributed anomaly detection is proposed. The proposed method consists of three steps: (i) building local models for distributed data sources with unsupervised anomaly detection methods and computing quality measure of local models; (ii) transforming local unsupervised local models into sharing models; and (iii) reusing sharing models for new data and combining their results by considering both quality and diversity of them to detect anomalies in a global view. In experiments performed on synthetic and real-life large data set, the proposed distributed anomaly detection method achieved prediction performance comparable or even slightly better than the global anomaly detection algorithm applied on the data set obtained when all distributed data set were merged.