Jing Zhang

DOI: https://doi.org/10.48550/arXiv.1901.09294

2019-01-27

Abstract:Anomaly detecting as an important technical in cloud computing is applied to support smooth running of the cloud platform. Traditional detecting methods based on statistic, analysis, etc. lead to the high false-alarm rate due to non-adaptive and sensitive parameters setting. We presented an online model for anomaly detecting using machine learning theory. However, most existing methods based on machine learning linked all features from difference sub-systems into a long feature vector directly, which is difficult to both exploit the complement information between sub-systems and ignore multi-view features enhancing the classification performance. Aiming to this problem, the proposed method automatic fuses multi-view features and optimize the discriminative model to enhance the accuracy. This model takes advantage of extreme learning machine (ELM) to improve detection efficiency. ELM is the single hidden layer neural network, which is transforming iterative solution the output weights to solution of linear equations and avoiding the local optimal solution. Moreover, we rank anomies according to the relationship between samples and the classification boundary, and then assigning weights for ranked anomalies, retraining the classification model finally. Our method exploits the complement information between sub-systems sufficiently, and avoids the influence from imbalance dataset, therefore, deal with various challenges from the cloud computing platform. We deploy the privately cloud platform by Openstack, verifying the proposed model and comparing results to the state-of-the-art methods with better efficiency and simplicity.

Machine Learning

Feiyi Chen,Yingying zhang,Zhen Qin,Lunting Fan,Renhe Jiang,Yuxuan Liang,Qingsong Wen,Shuiguang Deng

DOI: https://doi.org/10.1109/icde60146.2024.00047

2024-01-01

Abstract:Anomaly detection significantly enhances the robustness of cloud systems.While neural network-based methods have recently demonstrated strongadvantages, they encounter practical challenges in cloud environments: thecontradiction between the impracticality of maintaining a unique model for eachservice and the limited ability to deal with diverse normal patterns by aunified model, as well as issues with handling heavy traffic in real time andshort-term anomaly detection sensitivity. Thus, we propose MACE, a multi-normal-pattern accommodated and efficientanomaly detection method in the frequency domain for time series anomalydetection. There are three novel characteristics of it: (i) a patternextraction mechanism excelling at handling diverse normal patterns with aunified model, which enables the model to identify anomalies by examining thecorrelation between the data sample and its service normal pattern, instead ofsolely focusing on the data sample itself; (ii) a dualistic convolutionmechanism that amplifies short-term anomalies in the time domain and hindersthe reconstruction of anomalies in the frequency domain, which enlarges thereconstruction error disparity between anomaly and normality and facilitatesanomaly detection; (iii) leveraging the sparsity and parallelism of frequencydomain to enhance model efficiency. We theoretically and experimentally provethat using a strategically selected subset of Fourier bases can not only reducecomputational overhead but is also profitable to distinguish anomalies,compared to using the complete spectrum. Moreover, extensive experimentsdemonstrate MACE's effectiveness in handling diverse normal patterns with aunified model and it achieves state-of-the-art performance with highefficiency.

N. Pandeeswari,Ganesh Kumar

DOI: https://doi.org/10.1007/s11036-015-0644-x

2015-08-16

Mobile Networks and Applications

Abstract:Cloud computing affords lot of resources and computing facilities through Internet. Cloud systems attract many users with its desirable features. In spite of them, Cloud systems may experience severe security issues. Thus, it is essential to create an Intrusion Detection System (IDS) to detect both insider and outsider attacks with high detection accuracy in cloud environment. This work proposes an anomaly detection system at the hypervisor layer named Hypervisor Detector that uses a hybrid algorithm which is a mixture of Fuzzy C-Means clustering algorithm and Artificial Neural Network (FCM-ANN) to improve the accuracy of the detection system. The proposed system is implemented and compared with Naïve Bayes classifier and Classic ANN algorithm. The DARPA’s KDD cup dataset 1999 is used for experiments. Based on extensive theoretical and performance analysis, it is evident that the proposed system is able to detect the anomalies with high detection accuracy and low false alarm rate even for low frequent attacks thereby outperforming Naïve Bayes classifier and Classic ANN.

computer science, information systems,telecommunications, hardware & architecture

L. Girish,Sridhar K. N. Rao

DOI: https://doi.org/10.1007/s00607-021-00941-x

2021-03-28

Computing

Abstract:Now days the usage of cloud environment is rapidly increasing in all the fields to run applications in virtual machines instead of physical hardware based machine. This increases the service availability and also reduces the cost. The usage of openstack cloud environment is also increasing both in academics and industry as it provides open source cloud services to run the application both for research and for production environment. One of the challenges in cloud environment is that the detection and prediction of the anomalies before they occur. In the traditional approach, the anomalies are detected manually by keeping track of threshold level and heartbeat. The recent research is happening on using machine learning techniques in detecting the anomalies before they occur. In this paper, we propose a model for anomaly detection in openstack cloud environment. In the proposed model, we used Stacked and Bidirectional LSTM models to build the neural network. For the experiment the data is collected from openstack using collectd. The collected data sets 10 features and class label. Using LSTM neural network, we were able to detect the anomalies in openstack environment. The proposed model achieved the detection accuracy of 94.61% for training set and 93.98% for the test set using binary cross entropy function as a loss function.

computer science, theory & methods

Aws Naser Jaber,Shafiq Ul Rehman

DOI: https://doi.org/10.1007/s10586-020-03082-6

2020-03-25

Cluster Computing

Abstract:Cloud computing offer various services over the Internet based on pay-per-use concept. Therefore, many organizations have already adopted this system to attract the users with its desirable features. However, due to its design, makes it vulnerable to malicious attacks. This demands an Intrusion Detection System that can detect such attacks with high detection accuracy in cloud environment. This paper proposes a novel intrusion detection system that combines a fuzzy c means clustering (FCM) algorithm with support vector machine (SVM) to improve the accuracy of the detection system in cloud computing environment. The proposed system is implemented and compared with existing mechanisms. The NSL-KDD dataset is used for experiments. Based on performance evaluation and comparative analysis, the results obtained using this new hybrid mechanism (FCM–SVM) show that the proposed system can detect the anomalies with high detection accuracy and low false alarm rates over the existing techniques.

Ke Xu,Yun Wang,Leni Yang,Yifang Wang,Bo Qiao,Si Qin,Yong Xu,Haidong Zhang,Huamin Qu

DOI: https://doi.org/10.1109/tvcg.2019.2934613

IF: 5.2

2019-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Detecting and analyzing potential anomalous performances in cloud computing systems is essential for avoiding losses to customers and ensuring the efficient operation of the systems. To this end, a variety of automated techniques have been developed to identify anomalies in cloud computing. These techniques are usually adopted to track the performance metrics of the system (e.g., CPU, memory, and disk I/O), represented by a multivariate time series. However, given the complex characteristics of cloud computing data, the effectiveness of these automated methods is affected. Thus, substantial human judgment on the automated analysis results is required for anomaly interpretation. In this paper, we present a unified visual analytics system named CloudDet to interactively detect, inspect, and diagnose anomalies in cloud computing systems. A novel unsupervised anomaly detection algorithm is developed to identify anomalies based on the specific temporal patterns of the given metrics data (e.g., the periodic pattern). Rich visualization and interaction designs are used to help understand the anomalies in the spatial and temporal context. We demonstrate the effectiveness of CloudDet through a quantitative evaluation, two case studies with real-world data, and interviews with domain experts.

Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

ZeYuan Fu

DOI: https://doi.org/10.1371/journal.pone.0271546

IF: 3.7

2022-10-07

PLoS ONE

Abstract:To improve the cybersecurity of Cloud Computing (CC) system. This paper proposes a Network Anomaly Detection (NAD) model based on the Fuzzy-C-Means (FCM) clustering algorithm. Secondly, the Cybersecurity Assessment Model (CAM) based on Grey Relational Grade (GRG) is creatively constructed. Finally, combined with Rivest Shamir Adleman (RSA) algorithm, this work proposes a CC network-oriented data encryption technology, selects different data sets for different models, and tests each model through design experiments. The results show that the average Correct Detection Rate (CDR) of the NAD model for different types of abnormal data is 93.33%. The average False Positive Rate (FPR) and the average Unreported Rate (UR) are 6.65% and 16.27%, respectively. Thus, the NAD model can ensure a high detection accuracy in the case of sufficient data. Meanwhile, the cybersecurity situation prediction by the CAM is in good agreement with the actual situation. The error between the average value of cybersecurity situation prediction and the actual value is only 0.82%, and the prediction accuracy is high. The RSA algorithm can control the average encryption time for very large text, about 12s. The decryption time is slightly longer but within a reasonable range. For different-size text, the encryption time is maintained within 0.5s. This work aims to provide important technical support for anomaly detection, overall security situation analysis, and data transmission security protection of CC systems to improve their cybersecurity.

multidisciplinary sciences

Xi Li,Peian Wen,Peng Chen,Juan Chen,Xuming Wen,Yunni Xia

DOI: https://doi.org/10.1007/s11219-024-09672-6

2024-05-22

Software Quality Journal

Abstract:Microservice architecture is a new technology for deploying large-scale applications and services in the cloud. But multivariate time series data with anomalies are increasingly generated in the cloud. Effectively diagnosing the runtime system anomalies is necessary to ensure the quality of service of microservice systems. Typical anomaly detection methods are effective in data quality and computing reliability of cloud computing. However, they all focus on one-class anomaly detection, which may not perform on practical microservice frameworks with diverse types of anomalies. Furthermore, locating the root cause of anomalies to eliminate after detection is essential. To address these issues, we propose an effective parallel convolutional anomaly multi-classification model (PCAC) based on an attention mechanism for fault diagnosis in microservice system. We first construct a parallel convolutional structure that allows subnetworks to extract features independently. Then, channel and spatial attention mechanisms are applied in the parallel convolutional layers to mitigate the loss of feature representation. Finally, causal inference based on the anomalous graph is used to locate the fault in the microservice system. The experimental results clearly show that the proposed model achieves the highest F1 scores on six public microservice datasets, improved by 37.9% in average macro-F1 and 4.4% in average micro-F1 scores respectively, outperforming eight state-of-the-art methods.

computer science, software engineering

Wenjuan Wang,Xuehui Du,Dibin Shan,Ruoxi Qin,Na Wang

DOI: https://doi.org/10.1109/tcc.2020.3001017

IF: 5.697

2020-01-01

IEEE Transactions on Cloud Computing

Abstract:Security issues have resulted in severe damage to the cloud computing environment, adversely affecting the healthy and sustainable development of cloud computing. Intrusion detection is one of the technologies for protecting the cloud computing environment from malicious attacks. However, network traffic in the cloud computing environment is characterized by large scale, high dimensionality, and high redundancy, these characteristics pose serious challenges to the development of cloud intrusion detection systems. Deep learning technology has shown considerable potential for intrusion detection. Therefore, this study aims to use deep learning to extract essential feature representations automatically and realize high detection performance efficiently. An effective stacked contractive autoencoder (SCAE) method is presented for unsupervised feature extraction. By using the SCAE method, better and robust low-dimensional features can be automatically learned from raw network traffic. A novel cloud intrusion detection system is designed on the basis of the SCAE and support vector machine (SVM) classification algorithm. The SCAE+SVM approach combines both deep and shallow learning techniques, and it fully exploits their advantages to significantly reduce the analytical overhead. Experiments show that the proposed SCAE+SVM method achieves higher detection performance compared to three other state-of-the-art methods on two well-known intrusion detection evaluation datasets, namely KDD Cup 99 and NSL-KDD.

computer science, information systems, theory & methods

Tao Yang,Jinming Wang,Weijie Hao,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.48550/arXiv.2204.09942

2022-04-21

Cryptography and Security

Abstract:Industrial control systems (ICSs) are facing increasing cyber-physical attacks that can cause catastrophes in the physical system. Efficient anomaly detection models in the industrial sensor networks are essential for enhancing ICS reliability and security, due to the sensor data is related to the operational state of the ICS. Considering the limited availability of computing resources, this paper proposes a hybrid anomaly detection approach in cloud-edge collaboration industrial sensor networks. The hybrid approach consists of sensor data detection models deployed at the edges and a sensor data analysis model deployed in the cloud. The sensor data detection model based on Gaussian and Bayesian algorithms can detect the anomalous sensor data in real-time and upload them to the cloud for further analysis, filtering the normal sensor data and reducing traffic load. The sensor data analysis model based on Graph convolutional network, Residual algorithm and Long short-term memory network (GCRL) can effectively extract the spatial and temporal features and then identify the attack precisely. The proposed hybrid anomaly detection approach is evaluated using a benchmark dataset and baseline anomaly detection models. The experimental results show that the proposed approach can achieve an overall 11.19% increase in Recall and an impressive 14.29% improvement in F1-score, compared with the existing models.

Ashkan Aghdai,Kang Xi,H. Jonathan Chao

DOI: https://doi.org/10.48550/arXiv.1906.06388

2019-06-15

Abstract:Data centers play a key role in today's Internet. Cloud applications are mainly hosted on multi-tenant warehouse-scale data centers. Anomalies pose a serious threat to data centers' operations. If not controlled properly, a simple anomaly can spread throughout the data center, resulting in a cascading failure. Amazon AWS had been affected by such incidents recently. Although some solutions are proposed to detect anomalies and prevent cascading failures, they mainly rely on application-specific metrics and case-based diagnosis to detect the anomalies. Given the variety of applications on a multi-tenant data center, proposed solutions are not capable of detecting anomalies in a timely manner. In this paper we design an application-agnostic anomaly detection scheme. More specifically, our design uses a highly distributed data mining scheme over network-level traffic metrics to detect anomalies. Once anomalies are detected, simple actions are taken to mitigate the damage. This ensures that errors are confined and prevents cascading failures before administrators intervene.

Networking and Internet Architecture

V. Sujatha Bai,M. Punithavalli

DOI: https://doi.org/10.1007/s11042-024-18162-7

IF: 2.577

2024-01-21

Multimedia Tools and Applications

Abstract:Cloud computing (CC) was extremely implemented by the application service providers (ASP) and enterprises for reducing either operational or capital expenditures. Services and applications before running on remote data centres can presently be transferred to public or private clouds. This alteration can manage the study community to analyze cloud platforms. But, a wide acceptance of such platforms can be blocked by main security concerns. Firewalls and typical rule-based security protection approaches could not be adequate for protecting user information in cloud environments. In recent times, advances in machine learning (ML) approaches are concerned the attention of research communities for building intrusion detection systems (IDS) that anomaly detection from the network traffic. This manuscript presents a Feature Subset Selection with Deer Hunting Optimizer based Deep Learning (FSS-DHODLAD) technique for Anomaly Detection in Secure Cloud Computing Environment. The purpose of the FSS-DHODLAD algorithm lies in the accurate identification and classification of anomalies that exist in the cloud platform. To reduce the high dimensionality of features, the FSS-DHODLAD technique designs a grasshopper optimization algorithm (GOA) to elect features. For anomaly detection, the FSS-DHODLAD technique utilizes Attention Convolutional Bidirectional Long Short Term Memory (AC-BLSTM) system. Eventually, the DHO system was utilized for the optimal hyperparameter selection of the AC-BLSTM model. To exhibit the higher performance of the FSS-DHODLAD system, a sequence of simulations was applied to the benchmark database and the outcomes are assessed concerning several evaluation measures. The simulation outcomes implied the greater performance of the FSS-DHODLAD algorithm over other recent approaches in terms of different metrics.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Jin Gao,Jiaquan Liu,Sihua Guo,Qi Zhang,Xinyang Wang

DOI: https://doi.org/10.1155/2020/6343705

IF: 1.43

2020-11-19

Mathematical Problems in Engineering

Abstract:Aiming at problems such as slow training speed, poor prediction effect, and unstable detection results of traditional anomaly detection algorithms, a data mining method for anomaly detection based on the deep variational dimensionality reduction model and MapReduce (DMAD-DVDMR) in cloud computing environment is proposed. First of all, the data are preprocessed by a dimensionality reduction model based on deep variational learning and based on ensuring complete data information as much as possible, the dimensionality of the data is reduced, and the computational pressure is reduced. Secondly, the data set stored on the Hadoop Distributed File System (HDFS) is logically divided into several data blocks, and the data blocks are processed in parallel through the principle of MapReduce, so the k-distance and LOF value of each data point can only be calculated in each block. Thirdly, based on stochastic gradient descent, the concept of k-neighboring distance is redefined, thus avoiding the situation where there are greater than or equal to k-repeated points and infinite local density in the data set. Finally, compared with CNN, DeepAnt, and SVM-IDS algorithms, the accuracy of the scheme is increased by 10.3%, 18.0%, and 17.2%, respectively. The experimental data set verifies the effectiveness and scalability of the proposed DMAD-DVDMR algorithm.

engineering, multidisciplinary,mathematics, interdisciplinary applications

D. Praveena,P. Rangarajan

DOI: https://doi.org/10.1007/s11042-018-6339-0

IF: 2.577

2018-07-04

Multimedia Tools and Applications

Abstract:Cloud computing facilitates the enormous support of the public, business and emerging applications such as healthcare and nature disasters. Based on their services and characteristics, it can be classified as private cloud and public cloud. In this scenario, we need these two kinds of cloud services for an organization to provide the better service to the society. For that purpose, introduced a new cloud service called hybrid cloud service which is the combination of both private and public cloud. Security to the cloud environment is a challenging issue today especially for the hybrid cloud due to the combination of both. Many security mechanisms available in the literature but these are not achieved the sufficient level of security. For this purpose, we propose a new machine learning application for providing security to the hybrid cloud networks while storing the data and retrieving or accessing the data from the cloud. This proposed algorithm combines an existing Enhanced C4.5, newly proposed deduplication processing algorithm and the newly proposed dynamic access control mechanism. Moreover, we introduce a new deduplication processing algorithm for secure storage and retrieval without duplication or redundancy. In addition, a newly proposed dynamic access control mechanism called Dynamic Spatial Role Based Access Control Algorithm is also used in the proposed security framework. The proposed security framework has been implemented and also evaluated that the security level of the hybrid cloud while storing, retrieving and accessing the data from the cloud database.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Parthasarathy, S.

DOI: https://doi.org/10.1007/s11277-024-11079-2

IF: 2.017

2024-05-25

Wireless Personal Communications

Abstract:The increasing need for high-performance computing, preservation, and networking capabilities to support corporate and scientific applications is driving a rapid expansion in the use of cloud computing server farms. Virtual machine (VM) consolidation plays a crucial role in this context, involving the direct migration of VMs from underutilized physical servers to optimize power consumption efficiency, operational costs, and reduce CO2 emissions. A pivotal step in VM consolidation is the detection of host overload, which aims to predict potential server over-subscription with VMs. This paper introduces an Optimized Support Vector Regression model for overloaded detection. To enhance the Support Vector Regression (SVR) performance, optimal selection of SVR parameters is achieved using the Enhanced Tasmanian Devil Optimization algorithm. Following overload detection, VM migration occurs, but this process raises concerns about system integrity and data confidentiality. To address these concerns, data is encrypted using the Cyclic Shift Transposition Algorithm before migration. The proposed approach's performance is evaluated across various metrics such as energy consumption, ESV, Migration, and SLA X0.001, and its effectiveness is compared with different existing methods.

telecommunications

Zhenhui Wang,Dezhi Han,Ming Li,Han Liu,Mingming Cui

DOI: https://doi.org/10.1080/09540091.2022.2051434

2022-04-07

Connection Science

Abstract:Network abnormal traffic detection can monitor the network environment in real time by extracting and analysing network traffic characteristics, and plays an important role in network security protection. In order to solve the problems that the existing detection methods cannot fully learn the spatio-temporal characteristics of data, the classification accuracy is not high, and the detection time and accuracy are susceptible to the influence of redundant data in the sample. Thus, this paper proposes a network abnormal detection method (PCSS) integrating principal component analysis (PCA) and single-stage headless face detector algorithms (SSH). PCSS applies the PCA algorithm to the data preprocessing to eliminate the interference of redundant data. At the same time, PCSS also combines feature fusion and SSH to enhance the feature extraction of unclear features data, and effectively improve the detection speed and accuracy. Simulation experiments based on IDS2017 and IDS2012 data sets are carried out in this paper. Experimental results show that PCSS is obviously superior to other detection models in detection speed and accuracy, which provides a new method for efficiently detecting traffic attacks.

computer science, artificial intelligence, theory & methods

Xiaodong Wu,Zhigang Jin,Junyi Zhou,Chenxu Duan

DOI: https://doi.org/10.1016/j.eswa.2023.120894

IF: 8.5

2023-07-02

Expert Systems with Applications

Abstract:Cloud computing is considerably investigable and adoptable in both industry and academia, and Software Defined Networking (SDN) has been applied in cloud computing. Although SDN mitigates some security issues in cloud computing, new security issues related to its own architecture are also introduced. In this paper, we propose a quantum walks-based classification model which is available for intrusion detection in cloud computing. The proposed model concentrates feature information of data via Principal Component Analysis, and then aggregates the concentrated data in the way of quantum walks by a training-free clustering algorithm. The clustering algorithm constructs coin transformation and conditional shift transformation based on transition probabilities to move similar data toward each other. To enhance the usability of the proposed model in cloud computing security, we propose a new cloud architecture which adds security layer in SDN to ponder the protection of cloud computing fundamentally, and simplify transition probabilities equations of clustering algorithm without affecting clustering accuracy, decreasing the time complexity from O(nk2) to O(nk) . The experimental results on popular datasets (Accuracy: 99.4% on InSDN, 95.8% on NSL-KDD, 98% on UNSW-NB15 and 96.4% on CSE-CIC-IDS2018) revealed that the proposed model is effective dealing with attacks on SDN-based cloud computing, and is able to maintain stable and excellent attack identification ability under different traffic intensities.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Jinyang Liu,Tianyi Yang,Zhuangbin Chen,Yuxin Su,Cong Feng,Zengyin Yang,Michael R. Lyu

2023-08-19

Abstract:As modern software systems continue to grow in terms of complexity and volume, anomaly detection on multivariate monitoring metrics, which profile systems' health status, becomes more and more critical and challenging. In particular, the dependency between different metrics and their historical patterns plays a critical role in pursuing prompt and accurate anomaly detection. Existing approaches fall short of industrial needs for being unable to capture such information efficiently. To fill this significant gap, in this paper, we propose CMAnomaly, an anomaly detection framework on multivariate monitoring metrics based on collaborative machine. The proposed collaborative machine is a mechanism to capture the pairwise interactions along with feature and temporal dimensions with linear time complexity. Cost-effective models can then be employed to leverage both the dependency between monitoring metrics and their historical patterns for anomaly detection. The proposed framework is extensively evaluated with both public data and industrial data collected from a large-scale online service system of Huawei Cloud. The experimental results demonstrate that compared with state-of-the-art baseline models, CMAnomaly achieves an average F1 score of 0.9494, outperforming baselines by 6.77% to 10.68%, and runs 10X to 20X faster. Furthermore, we also share our experience of deploying CMAnomaly in Huawei Cloud.

Software Engineering,Machine Learning

Tao Yang,Weijie Hao,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.eswa.2023.120668

IF: 8.5

2023-01-01

Expert Systems with Applications

Abstract:Industrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system's security and reliability. However, existing research on network traffic anomaly detection for ICPS has several limitations. First, most traffic anomaly detection models focus on centralized detection. Thus, all traffic packets have to be uploaded to the control center for detection, which leads to a heavy traffic load. However, real-time and reliable communication is crucial to ICPSs. The heavy traffic load may cause communication delays or packets lost by corruption. Second, Seasonal AutoRegressive Integrated Moving Average (SARIMA) is popular in ICPS network traffic anomaly detection. However, most SARIMA-based detection models can only detect anomalous traffic once. Thus, they are unable to detect anomalies continuously and are not suitable for actual ICPS. Third, the features extracted from network traffic affect the classification performance. However, most existing feature extraction models cannot sufficiently extract traffic features, leading to poor detection performance. To address the limitations above, this paper proposes a cloud-edge coordinated network traffic anomaly detection approach. The proposed approach consists of a set of anomalous traffic alarm models deployed in the edge areas and an anomalous traffic analysis model deployed in the cloud. The former is implemented based on Improved Online SARIMA (IOSARIMA) algorithm that can detect anomalous traffic continuously and upload it to the cloud for further analysis, filtering massive normal traffic packets and making traffic load smaller. The anomalous traffic analysis model consists of a feature extraction algorithm and a Convolutional Neural Network (CNN) classifier, which can sufficiently extract traffic features and identify the attack types precisely. The proposed anomaly detection approach is extensively evaluated on a realistic ICPS testbed, including 3 edges (i.e., power generation, power transmission and power distribution) and a cloud consisting of an engineering workstation and a Supervisory Control And Data Acquisition (SCADA) workstation. The experimental results confirm the smaller traffic load and better detection performance, compared with the existing detection models.