Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Chonghua Wang,Hao Zhou,Zhiqiang Hao,Shu Hu,Jun Li,Xueying Zhang,Bo Jiang,Xuehong Chen

DOI: https://doi.org/10.1016/j.comnet.2022.108760

IF: 5.493

2022-03-01

Computer Networks

Abstract:Due to the ever-growing presence of network traffic, there has been a considerable amount of research on anomaly detection in network traffic by clustering. Most of them have not considered the problem that collective anomaly detection in network traffic. Collective anomaly might scatter among multiple clusters when applying the clustering-based algorithms in the anomaly detection. In this paper, we propose a progressive exploration framework for collective anomaly detection on network traffic based on a clustering method, called CCAD. CCAD enables analysts to effectively explore collective anomaly in network traffic. This framework is different from the other anomaly detection methods. It is based on the analysis of the influence of collective anomaly on the clustering results in the network traffic stream data. CCAD framework efficiently supports the collective anomaly exploration. As demonstrated by our extensive experiments with real-world data, CCAD has high detection rate in comparison with other existing methods.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

YU Han-Bing,WANG Ji-Long

2008-01-01

Periodical of Ocean University of China

Abstract:Abnormal traffic appears very different from normal traffic on the distribution of both destination IP address and time.This paper clusters the Netflow records of the traffic via the campus network based on the higher 16 bits of the outer IP address,finding that some clusters appear unusual on frequency of the emergence.This paper analyzes two kinds of typical cluster,proposes a method to detect anomaly sources insides the campus network using the clusters,and finds the differences of two kinds of anomaly source.Comparing with common anomaly detection methods,this method has fewer amounts of data required for dealing with,and therefore higher efficiency.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

Ning Chen,Xiao-Su Chen,Bing Xiong,Hong-Wei Lu

DOI: https://doi.org/10.1109/embeddedcom-scalcom.2009.50

2009-01-01

Abstract:Based on TCP protocol, this paper aims at TCP flows, discusses the effects of multivariate correlation analysis on network traffic, obtains the quantitative relationship between different types of TCP packets in each time unit by correlation coefficient matrix, and finally proposes an anomaly detection and analysis method based on the correlation coefficient matrix. The experimental results show that our method can efficiently distinguish normal and abnormal traffic, and accurately detect and classify various anomaly behaviors (such as network scanning and DDoS attacks) in network traffic. The linear complexity of our method makes real-time detection and analysis practical.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

jing yuan,ruixi yuan,xi chen

DOI: https://doi.org/10.15837/ijccc.2014.1.870

IF: 2.635

2014-01-01

International Journal of Computers Communications & Control

Abstract:This paper proposes a novel detection engine, called the Wavelet-Recurrence-Clustering (WRC) detection model, to study the network anomaly detection problem that is widely attractive in Internet security area. The WRC model first applies the wavelet transform and recurrence analysis to calculate the multi-scale dynamic characteristics of network traffic, and then identifies network anomalies through the clustering algorithm with those dynamic characteristics. The evaluation results on DARPA 1999 dataset indicate that the WRC detection model can effectively improve the detection accuracy with a low false alarm

Chen Yang

DOI: https://doi.org/10.1007/s10586-018-1755-5

2018-01-16

Cluster Computing

Abstract:In recent years, there are more and more abnormal activities in the network, which greatly threaten network security. Hence, it is of great importance to collect the data which indicate the running statement of the network, and distinguish the anomaly phenomena of the network in time. In this paper, we propose a novel anomaly network traffic detection algorithm under the cloud computing environment. Firstly, the framework of the anomaly network traffic detection system is illustrated, and six type of network traffic features are consider in this work, that is, (1) number of source IP address, (2) number of source port number, (3) number of destination IP address, (4) number of destination port number, (5) Number of packet type, and (6) number of network packets. Secondly, we propose a novel hybrid information entropy and SVM model to tackle the proposed problem by normalizing values of network features and exploiting SVM detect anomaly network behaviors. Finally, experimental results demonstrate that the proposed algorithm can detect anomaly network traffic with high accuracy and it can also be used in the large scale dataset.

Xiaolan Wang,Md. Manjur Ahmed,Mohd Nizam Husen,Hai Tao,Qian Zhao

DOI: https://doi.org/10.1007/978-981-99-0405-1_5

2023-01-01

Abstract:The identification of anomalies in a data stream is a difficulty for decision-making in real time. A memory-constrained online detection system that is able to quickly detect the concept drift of streaming data is required because the constant arrival of massive amounts of streaming data with changing characteristics makes real-time and efficient anomaly detection a difficult task. This is because of the nature of the data itself, which is constantly changing. In this study, a novel model for detecting anomalies using dynamic micro-clusters scheme is developed. The macro-clusters are generated from a network of connected micro-clusters. When new data items are added, the normal patterns that are formed in macro-clusters will update in tandem with the dynamic micro-clusters in an incremental fashion. An outlier may be understood from both a global and a local perspective by examining the global and local densities respectively. The effectiveness of the suggested approach was evaluated with the use of three different datasets. The findings of the experiment demonstrate that the suggested method is superior to earlier algorithms in terms of both the accuracy of detection and the level of computing complexity it requires.

Yishan Guo,Mandan Liu

DOI: https://doi.org/10.3233/ida-216185

IF: 1.7

2023-02-01

Intelligent Data Analysis

Abstract:With the development of wireless communication technology, when users use wireless networks to meet various needs, wireless networks also record a large number of users' spatial-temporal trajectory data. In order to better pay attention to the healthy development of students and promote the information construction on campus, a spectral clustering algorithm based on the multi-scale threshold and density combined with shared nearest neighbors (MSTDSNN-SC) is proposed. Firstly, it improves the affinity distance function based on the shortest time dis-tance-shortest time distance sub-sequence (STD-STDSS) by adding location popularity and uses this model to construct the initial adjacency matrix. Then it introduces the covariance scale threshold and spatial scale threshold to perform 0–1 processing on the adjacency matrix to obtain more accurate sample similarity. Next, it constructs an eigenvector space by eigenvalue decom-position of the adjacency matrix. Finally, it uses DBSCAN clustering algorithm with shared nearest neighbors to avoid to manually determine the number of clusters. Taking Internet usage data on campus as an example, multiple clustering algorithms are used for anomaly detection and four evaluation metrics are applied to estimate the clustering results. MSTDSNN-SC algorithm reflects better clustering performance. Furthermore, the abnormal trajectories list is verified to be effective and credible.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Jing Wang,Daniel Rossell,Christos G. Cassandras,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1309.4844

2013-09-19

Abstract:We present five methods to the problem of network anomaly detection. These methods cover most of the common techniques in the anomaly detection field, including Statistical Hypothesis Tests (SHT), Support Vector Machines (SVM) and clustering analysis. We evaluate all methods in a simulated network that consists of nominal data, three flow-level anomalies and one packet-level attack. Through analyzing the results, we point out the advantages and disadvantages of each method and conclude that combining the results of the individual methods can yield improved anomaly detection results.

Machine Learning,Networking and Internet Architecture

Qian Ma,Cong Sun,Baojiang Cui

DOI: https://doi.org/10.1155/2021/2170788

IF: 1.968

2021-11-20

Security and Communication Networks

Abstract:New vulnerabilities and ever-evolving network attacks pose great threats to today’s cyberspace security. Anomaly detection in network traffic is a promising and effective technique to enhance network security. In addition to traditional statistical analysis and rule-based detection techniques, machine learning models are introduced for intelligent detection of abnormal traffic data. In this paper, a novel model named SVM-C is proposed for the anomaly detection in network traffic. The URLs in the network traffic log are transformed into feature vectors via statistical laws and linear projection. The obtained feature vectors are fed into a support vector machine (SVM) classifier and classified as normal or abnormal. Based on the idea of SVM and clustering, we construct an optimization model to train the parameters of the feature extraction method and traffic classifier. Numerical tests indicate that the proposed model outperforms the state of the arts on all the tested datasets.

computer science, information systems,telecommunications

Yating Liu,Yuantao Gu

DOI: https://doi.org/10.1109/dsw.2018.8439923

2018-01-01

Abstract:Network anomaly detection refers to automatically identifying the flows associated with anomalous events, which is the first line of defense against attacks in network security system. This paper proposes a new reliable unsupervised detector Multiple Sketches and Clustering (MSC) combining sketches (random projections) and clustering to blindly identify anomalies without relying on signatures or labeled traffic data. Multiple random projections and voting strategy alleviate the potential misclassification of single analysis and ensure a lower false positive rate. The K-means++ clustering detection detects both known and unknown anomalies accurately and triggers a higher true positive rate without any prior information about traffic data or anomaly patterns. The results on the MAWILAB backbone network dataset reveal that the novel detector outperforms the state-of-the-art detectors.

Bin Zhang,Jiahai Yang,Jianping Wu,Ziyu Wang

DOI: https://doi.org/10.1093/comjnl/bxr134

2013-01-01

Abstract:In this paper, we present a statistical analysis of six traffic features based on entropy and distinct feature number at the packet level, and we find that, although these traffic features are unstable and show seasonal patterns like traffic volume for a long period, they are stable and consistent with Gaussian distribution in a short time period. However, this equilibrium property will be violated by some anomalies. Based on this observation, we propose a Multi-dimensional Clustering method for Short-time scale Traffic(MCST) to classify abnormal and normal traffic. We compare our new method to the well known wavelet technique. The detection result on synthetic anomaly traffic shows MCST can better detect the low-rate attacks than wavelet-based method, and detection result on real traffic demonstrates that MCST can detect more anomalies with low false alarm rate.

Guolou Ping,Shuo Feng,Yehao Li,Xiaojun Ye

DOI: https://doi.org/10.1109/iccc56324.2022.10065635

2022-01-01

Abstract:To address the challenge of lacking labeling information in network traffic anomaly detection, we propose an unsupervised anomaly detection algorithm based on cascading representation and multiple-clustering. First, this paper designs a cascading representation method to obtain discriminative traffic features. We create a residual auto-encoder that employs generative learning to capture generic statistical expressions. We augment the time-series features in various ways and leverage contrastive learning to capture discriminative representations. We develop a host identification task based on triplet loss, enhancing feature discrimination in addition to cascading two feature representations. Second, we design a multiple-clustering-based algorithm for anomalous traffic detection. By performing KMeans on the cascading feature representations, we obtained clustering centers to replace each cluster and avoid the problem of unbalanced abnormal traffic. By applying DBSACAN clustering with a tree structure to these clustering centers and using the height of the anomalies to calculate the traffic anomaly score, we can detect abnormal network traffic flexibly. Finally, we conducted experimental validation on several commonly used intrusion detection datasets. The experimental results show that the method proposed in this paper generally outperforms the comparison methods.