H. P. Yao,Y. Q. Liu,C. Fang

DOI: https://doi.org/10.15837/ijccc.2016.4.2315

IF: 2.635

2016-01-01

International Journal of Computers Communications & Control

Abstract:Anomaly network detection is a very important way to analyze and detect malicious behavior in network. How to effectively detect anomaly network flow under the pressure of big data is a very important area, which has attracted more and more researchers' attention. In this paper, we propose a new model based on big data analysis, which can avoid the influence brought by adjustment of network traffic distribution, increase detection accuracy and reduce the false negative rate. Simulation results reveal that, compared with k-means, decision tree and random forest algorithms, the proposed model has a much better performance, which can achieve a detection rate of 95.4% on normal data, 98.6% on DoS attack, 93.9% on Probe attack, 56.1% on U2R attack, and 77.2% on R2L attack.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

Jian Zhang,Yan Tong,Tao Qin

DOI: https://doi.org/10.1145/3028842.3028867

2016-01-01

Abstract:With the increasing of the network bandwidth, users generate massive traffic data, how to extract the effective traffic features and achieve the goal of abnormal behavior detection is a hot and difficult problem in the area of network security monitoring. In this paper, several traffic features are proposed to capture the traffic characteristics, and then we employ the DBSCAN methods to realize abnormal traffic mining based on those features. We extract four traffic features to capture the traffic characteristics, including the ratio between number of source and destination IP addresses, ration between number of source port and destination port, ration between number of TCP packet and the total number of packets and that of number of small packets between the total number of package in a specific time window. Based on the feature extracted, we employ the DBSCAN method to cluster the network traffic in different clusters. Traffic packet in different clusters has different statistical characteristics, and the isolated points are employed to perform abnormal traffic detection. The implementation results based on traffic collect from our Lab show that proposed statistics features can capture traffic characteristics, and clustering method can classify the abnormal traffic packets into a special cluster.

Dingde Jiang,Zhengzheng Xu,Peng Zhang,Ting Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.09.014

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic anomalies contain existing abnormal changes in network traffic, which are derived from malicious and anomalous behaviors of users or network devices, such as network faults, abuses, network attacks, etc. These anomalies often damage our operation networks and even lead to network disruptions. In the present paper, we propose a novel method for detecting traffic anomalies in a network by exacting and capturing their features in the transform domain. Here, we take in consideration network topology information and network-wide traffic jointly. We find that anomalous network-wide traffic usually exhibits distinct high-frequency nature. This motivates us to utilize transform domain analysis theory to characterize network-wide traffic to identify its abnormal components. Besides, we group all origin-destination flows in the network in accordance with common destination nodes. By combining network topology information and transform-domain analysis in the given time window, the specious traffic components can be found and identified. Simulation results show that our detection algorithm exhibits a fairly robust detection ability and provides the better detection performance than previous algorithms. (c) 2013 Elsevier Ltd. All rights reserved.

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

Zheng-mao ZHUANG,Xing-shu CHEN,Guo-lin SHAO,Xiao-ming YE

DOI: https://doi.org/10.6040/j.issn.1671-9352.1.2016.030

2017-01-01

Abstract:Server behavior characteristics in a time of dynamic correlation characteristics of a clustering method based on the distribution ratio, clustering and density deviation combined to construct a temporal correlation server traffic anomaly detection model. Through the campus network server traffic and long-term observation study found that server traffic characteristics and dynamic correlation time, based on this condition, this article extract the feature server traffic flow at the present time and combines the features of the current moment of time associated with dynamic, using K-means clustering algorithm to detect the outliers of the flow characteristics, and find abnormal server traffic. Experimental results show that the model can effectively detect abnormal server traffic even in the real-world environment. The longer the model applies, the stronger adaptable the algorithm is.

Baojiang Cui,Shanshan He,Haifeng Jin

DOI: https://doi.org/10.1109/imis.2015.43

2015-01-01

Abstract:the large number of internet traffic has highlighted the importance of traffic detection. Anomaly detection is playing an increasingly important role in network security. Feature matching, statistics rules and data mining are widely used in traditional anomaly detection systems, but they have numerous disadvantages, such as low accuracy, over consumption of processing resources. For the complexities of irregular situation, we propose a new model for anomaly traffic detection in this paper. This study combine feature matching module, statistics rules module and data mining module under fully considering the advantages and disadvantages of these three detection methods. Moreover, a multi-layer detection scheme was introduced to enhance system accuracy and reduce the complexity at the same time. Data mining module is the core of the model, Naive Bayes, decision tree and clustering algorithms are used in this module. The results of this system are produced by integrating the detection results of multi detection modules and proved that it has more accuracy than separate module.

Dingde Jiang,Yang Han,Xingwei Wang,Zhengzheng Xu

2010-01-01

Abstract:Traffic anomalies are abnormal changes in network traffic. There are many causes of resulting in traffic anomaly changes, including network fault, abuse, network attack and so on. This paper proposes a novel method for detecting traffic anomalies in a network. Firstly, all Origin-Destination (OD) flows in the network are grouped with accordance with common destination nodes. We then make time-frequency analysis for each group and extract their high frequency component. Based on the extracted high frequency signal, correlation coefficients of each OD flow against the other in a group are computed. Consequently, we can make the exact anomaly detection. Simulation results show that our approach is effective and promising.

Zedong Zhang,Hao-Tong Shen,Songjie Wei

DOI: https://doi.org/10.1109/isncc55209.2022.9851762

2022-01-01

Abstract:Although we may observe heterogeneous traffic appearance on the network backbone, malicious traffic tends to converge with their traffic appearance similarity due to the consistent hostile behaviors of the same anomaly category. Measuring such traffic similarity of host behaviors can help us to detect anomalous traffic from benign traffic. This paper proposes a novel framework for the detection of network intrusion based on traffic similarity measures and clustering. We apply the grouping and DBSCAN method to feature dimensionality reduction so that traffic carrying the same category anomalies is concentrated in the limited amount of clusters, which can be interpreted as the structured significant characteristics of the corresponding anomaly category. The derived anomaly cluster characteristics are useful for detecting newly coming traffic in future for its maliciousness. Based on the experiment with the IDS 2018 dataset, our proposed detection procedure can effectively separate the malicious network traffic from background with an accuracy of up to 96%. Our proposed method has apparent benefits for identifying malicious traffic in large-scale network traffic data, and it is a practical intrusion detection method.

Qinpei Zhao,Yinjia Zhang,Yang Shi,Jiangfeng Li

DOI: https://doi.org/10.1007/978-3-030-19861-9_2

2019-01-01

Abstract:The traffic among the hosts and behaviors of the anomalous hosts in the network is usually complex. In network traffic, there is a key problem that is how to identify the security incidents. The corresponding question that who have contributed to the incidents is arisen then. A method, which detects both anomalies and events at the same time is quite helpful. A data from network traffic can be composed of the hosts and different attributes (traffic flow like amount of upload package and download package) in time series. Based on the structure of the network traffic data, we propose an anomaly and event detection method based on the network attributes in time series. The method analyzes both the host’s behavior and the temporal features of the network traffic.

Jinfa Wang,Hai Zhao,Jiuqiang Xu,Hequn Li,Hongsong Zhu,Shuai Chao,Chunyang Zheng

DOI: https://doi.org/10.1109/access.2018.2873291

IF: 3.9

2018-01-01

IEEE Access

Abstract:We present a method to detect anomalies in time series of flow interaction patterns. There are many existing methods for anomaly detection in network traffic, such as the number of packets. However, there is no established method to detect anomalies in time series of flow interaction patterns that can be represented as complex network. First, based on the proposed multivariate flow similarity method on temporal locality, a complex network model (MFS-TL) is constructed to describe the interactive behaviors of traffic flows. After analyzing the relationships between MFS-TL characteristics, temporal locality window, and multivariate flow similarity critical threshold, an approach for parameters determination was established. Observed the evolution of MFS-TL characteristics, three non-deterministic correlations were defined for network states (i.e., normal or abnormal). Furthermore, intuitionistic fuzzy set (IFS) is introduced to quantify three non-deterministic correlations, and an anomaly detection method is put forward for single characteristic sequence. In order to build an objective IFS, we design a Gaussian distribution-based membership function with a variable hesitation degree. To determine the mapping of IFS's clustering intervals to network states, a distinction index is developed. Furthermore, an IFS ensemble method (IFSE-AD) is proposed to eliminate the impacts of the inconsistent about MFS-TL characteristic to network state and to improve detection performance. Finally, we carried out extensive experiments on some network traffic datasets, and the results validate the effectiveness of our method and demonstrate the superiority of IFSE-AD to state-of-the-art approaches.

Hong Wang,Zhenghu Gong,Qing Guan,Baosheng Wang

DOI: https://doi.org/10.1109/icn.2008.83

2008-01-01

Abstract:Anomalies generate vast amounts of bogus traffic, which can overwhelm the network and any attached hosts. Identifying Traffic anomalies rapidly and accurately is critical to network stability and usefulness. Most papers focus on analyzing the volume of data or packets on the network. However, legitimate network traffic may be bursty or highly variable, rendering such naive approaches ineffective[7]. We propose a novel method called MultiA to solve this problem. Rather than just looking at volumes of packets, MultiA intelligently adopted Multistage Filter and information entropy take into account the behavior of the network. The MultiA is scalable, automated and self-training. We find this technique effectively identifies network traffic anomalies while avoiding the high false alarms rate.

CHEN Ping,SONG Yu-rong,JIANG Guo-ping

DOI: https://doi.org/10.3969/j.issn.1673-629x.2012.07.037

2012-01-01

Abstract:Network anomaly detection which is a very important issue in network management has been extensively studied in recent years.Although people in the field made a number of advanced works,the accuracy of automatic classification of network traffic to detect and identify abnormal network traffic is still a very challenging problem.It presents a multidimensional clustering based anomaly detection method,by two stages to achieve anomaly detection.The first phase,through multidimensional clustering algorithms,network traffic is automatically mined into different multidimensional clusters.The second phase calculates the degree of multidimensional clusters to achieve anomaly detection.By this method,the abnormal network traffic is automatically classified into different meaningful clusters,and then these clusters can be used to find network anomalies.Finally,this algorithm was validated through experiments,the results show that the method can effectively identify abnormal network traffic.

Yapeng Zhang,Nan Hu,Wenjun Wang,Hao Yu

DOI: https://doi.org/10.1007/978-3-319-20472-7_12

2015-01-01

Abstract:Anomaly detection is an important problem that has been well researched in diverse application domains. However, to the best of our knowledge, the anomaly detection for metro traffic flow has not been investigated before. In this paper, we proposed a new framework to solve two problems about anomaly detection in the metro traffic flow: obtaining the potential information by every passenger’s trip and detecting anomalies among metro traffic flow. For the first problem, we proposed a novel encoding path model to infer the passing stations’ information for each trip. For the second problem, we provide an improved K-Nearest Neighbor Distort (KNN-Distort) algorithm to quantify the anomalies in the metro traffic flow. We conduct intensive experiments on a large real-world metro dataset to demonstrate the performance of our algorithms.

GUO Lin,ZHANG Dafang,LI Wenwei,XIE Kun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.19.048

2006-01-01

Abstract:Diagnosing anomalies are difficult problem because one must extract and interpret anomalous patterns from large amounts of high-dimensional,noisy data.In this paper the network traffic is validated to possess a non-stationary characteristic and a general method was proposed to diagnose anomalies.This method is based on a separation of the non-stationary traffic into disjoint components corresponding to normal and anomalous network conditions.This separation can be performed effectively by both marginal distribution and qq-plot analysis of parameters of anomalous component.We evaluate the method's ability to diagnose both existing and synthetically injected traffic anomalies in real traffic.Experiment shows the method can: ①accurately detect when traffic anomaly is occurring;②does so with a very low false alarm rate.

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Yingxu Lai,Yinong Chen,Zenghui Liu,Zhen Yang,Xiulong Li

DOI: https://doi.org/10.1016/j.simpat.2014.02.002

IF: 4.199

2014-01-01

Simulation Modelling Practice and Theory

Abstract:Traffic analysis and traffic abnormality detection are emerged as an efficient way of detecting network attacks in recent years. The existing approaches can be improved by introducing a new model and a new analysis method of network user’s traffic behaviors. The description dimensions to network user’s traffic behaviors in the current approaches are high, resulting in high processing complexity, high delay in differentiating an individual user’s abnormal traffic behavior from massive network data, and low detection rate. To improve the detection rate and efficiency, we develop a new method of establishing user’s traffic behavior analysis system based on a new model of network traffic monitoring. First, we establish a more complete feature set based on the characteristics of network traffic to describe massive network user’s behaviors. Then, we define a feature selection rule based on the relative deviation distance to select the optimized feature set. We use the selected feature set to locate the abnormality moment and the users who produce the abnormal traffic behavior. Finally, a traffic behavior analysis method based on prediction is developed to improve efficiency of the system. This new method is applied to evaluate the mobile users on mobile cloud. The experimental results show that the proposed method has a higher detection rate and lower delay in the analysis of abnormal user’s traffic behavior than that of the existing approaches.

Shuying Chang,Xuesong Qiu,Zhipeng Gao,Ke Liu,Feng Qi

DOI: https://doi.org/10.1109/CNSM.2010.5691206

2010-01-01

Abstract:With the development of high-speed networks, the challenge of effectively analyzing the massive data source for anomaly detection and diagnosis is yet to be resolved. This paper proposes a new flow-based anomaly detection method based on summary data structures and combinations of traffic features. Using IPFIX flow records as input, parallel sketches are established for chosen traffic features respectively. For each sketch, we use Holt-Winters forecasting technique to achieve their forecast sketches and deviation matrixes. When the deviation exceeds a certain threshold, sub-alarms will be generated. According to the characteristics of various attacks and combinations of traffic features, sub-alarms can be merged into final alarms. While sketches of flows are being constructed, destination addresses are recorded in linked lists which are used to locate victims by a series of set operations. This method can not only detect the existence of anomalies in near real time, but can roughly indicate the anomaly types and locate abnormal addresses.

ruoning song,fang liu

DOI: https://doi.org/10.1109/CCIS.2014.7175727

2014-01-01

Abstract:In recent years, the scale of mobile Internet is rapidly increasing because of the explosive growing of smartphone users and applications. The traffic analysis and anomaly detection become critical for mobile operators. Up to now, there are a number of studies for detecting anomaly network traffic. However, the way of detecting anomalies on massive traffic data in real-time manner is not well studied. In this paper, we propose a real-time anomaly detection method based on dynamic k-NN cumulative-distance abnormal detection algorithm. We also present the design and implementation of the method by leveraging Strom, a distributed steam computing technology. Experimental results from evaluation by real-world dataset show that our system is a promised solution for real-time anomaly detection solution in high-speed network.