Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Mengyao Fu,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9327246

2020-01-01

Abstract:In recent years, the network security problem of industrial control systems is very severe. It is particularly important to detect abnormal situations in the industrial control system network correctly and timely to avoid disasters in the physical world. This paper proposes a compound fuzzy clustering algorithm, taking TE process as the research object, to analyze its working mechanism and distinguish security threats it may encounter. Considering the coupling relationship between the production process unit in the industrial control system, fuzzy clustering is used for each process unit, which performs detection and comprehensive decision-making to obtain the final anomaly detection result. Experimental results show that the proposed compound fuzzy clustering algorithm can realize anomaly detection in industrial control systems.

Jinkun Geng,Daren Ye,Ping Luo,Pin Lv

DOI: https://doi.org/10.1007/978-3-319-28865-9_45

2015-01-01

Abstract:As a main method in database intrusion detection, database anomaly detection should be able to detect users’ operational behaviours for timely prevention of possible attacks and for guarantee of database security. Aiming at this, we apply cluster analysis techniques to anomaly detection and propose a novel density-based clustering algorithm called DBCAPSIC, which is adopted to clustering database users according to their behavior types and behavior frequencies. Privilege patterns are extracted from the clusters and serve as a reference in anomaly detection. The simulation experiment proves that the algorithm can recognize the anomalous operations with few mistakes.

Guo Pu,Lijuan Wang,Jun Shen,Fang Dong

DOI: https://doi.org/10.26599/tst.2019.9010051

2021-04-01

Abstract:In recent years, machine learning-based cyber intrusion detection methods have gained increasing popularity. The number and complexity of new attacks continue to rise; therefore, effective and intelligent solutions are necessary. Unsupervised machine learning techniques are particularly appealing to intrusion detection systems since they can detect known and unknown types of attacks as well as zero-day attacks. In the current paper, we present an unsupervised anomaly detection method, which combines Sub-Space Clustering (SSC) and One Class Support Vector Machine (OCSVM) to detect attacks without any prior knowledge. The proposed approach is evaluated using the well-known NSL-KDD dataset. The experimental results demonstrate that our method performs better than some of the existing techniques.

computer science, information systems,engineering, electrical & electronic, software engineering

Oksana Nikiforova,Andrejs Romanovs,Vitaly Zabiniako,Jurijs Kornienko

DOI: https://doi.org/10.1109/access.2024.3365424

IF: 3.9

2024-03-02

IEEE Access

Abstract:This paper explores the analysis of user behavior in information systems through audit records, creating a behavior model represented as a graph. The model captures actions over a specified period, facilitating real-time comparison to identify insider threats exploring anomalies detected in behavior models. "e-StepControl," developed by "ABC software" Ltd., incorporates this approach for monitoring user behavior in different business environments. The study proposes enhancing this solution with automatic user clustering, achieved by grouping individuals exhibiting similar behavior patterns using AI/ML algorithms. The research evaluates various clustering methods, discussing their suitability for grouping users based on their behavior. The subsequent step involves leveraging user class behavior models to identify anomalies by comparing an individual's actions with the behavior model expected in their specific user group. This extension aims to enhance the system's ability to detect potentially malicious activities, providing data security administrators with timely alerts in case of deviations from typical behavior.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chun Yang,Feiqi Deng,Haidong Yang

DOI: https://doi.org/10.1109/CHINACOM.2007.4469390

2007-01-01

Abstract:Previous Research in network intrusion detection system (NIDS) has typically used misuse detection or supervised anomaly detection techniques. These techniques have difficulty in detecting new types of attacks or causing high false positives in real network environment. Unsupervised anomaly detection can overcome the drawbacks of misuse detection and supervised anomaly detection. In this paper, normal-anomaly patterns are built over the network traffic dataset that uses subtractive clustering, and at the same time the built Hidden Markov Model (HMM) correlates the observation sequences and state transitions to predict the most probable intrusion state sequences. The proposed unsupervised anomaly detection approach is capable of reducing false positives by classifying intrusion sequences into different emergency levels. The experimental results are also reported using the KDDCup'99 dataset and Matlab.

Zheng Ruijuan,Chen Jing,Zhang Mingchuan,Zhu Junlong,Wu Qingtao

DOI: https://doi.org/10.1016/s1005-8885(16)60029-8

2016-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:It is the premise of accessing and controlling cloud environment to establish the mutual trust relationship between users and clouds. How to identify the credible degree of the user identity and behavior becomes the core problem? This paper proposes a user abnormal behavior analysis method based on neural network clustering to resolve the problems of over-fitting and flooding the feature information, which exists in the process of traditional clustering analysis and calculating similarity. Firstly, singular value decomposition (SVD) is applied to reduce dimension and de-noise for massive data, where map-reduce parallel processing is used to accelerate the computation speed, and neural network model is used for softening points. Secondly, information entropy is added to hidden layer of neural network model to calculate the weight of each attribute. Finally, weight factor is used to calculate the similarity to make the cluster more accuracy. For the problem of analyzing the mobile cloud user behaviors, the experimental results show that the scheme has higher detection speed (DS) and clustering accuracy than traditional schemes. The proposed method is more suitable for the mobile cloud environment.

Zeyu Fang,Ming Gu,Sheng Zhou,Jiawei Chen,Qiaoyu Tan,Haishuai Wang,Jiajun Bu

2024-06-01

Abstract:Unsupervised Anomaly Detection (UAD) plays a crucial role in identifying abnormal patterns within data without labeled examples, holding significant practical implications across various domains. Although the individual contributions of representation learning and clustering to anomaly detection are well-established, their interdependencies remain under-explored due to the absence of a unified theoretical framework. Consequently, their collective potential to enhance anomaly detection performance remains largely untapped. To bridge this gap, in this paper, we propose a novel probabilistic mixture model for anomaly detection to establish a theoretical connection among representation learning, clustering, and anomaly detection. By maximizing a novel anomaly-aware data likelihood, representation learning and clustering can effectively reduce the adverse impact of anomalous data and collaboratively benefit anomaly detection. Meanwhile, a theoretically substantiated anomaly score is naturally derived from this framework. Lastly, drawing inspiration from gravitational analysis in physics, we have devised an improved anomaly score that more effectively harnesses the combined power of representation learning and clustering. Extensive experiments, involving 17 baseline methods across 30 diverse datasets, validate the effectiveness and generalization capability of the proposed method, surpassing state-of-the-art methods.

Machine Learning,Artificial Intelligence

N. Pandeeswari,Ganesh Kumar

DOI: https://doi.org/10.1007/s11036-015-0644-x

2015-08-16

Mobile Networks and Applications

Abstract:Cloud computing affords lot of resources and computing facilities through Internet. Cloud systems attract many users with its desirable features. In spite of them, Cloud systems may experience severe security issues. Thus, it is essential to create an Intrusion Detection System (IDS) to detect both insider and outsider attacks with high detection accuracy in cloud environment. This work proposes an anomaly detection system at the hypervisor layer named Hypervisor Detector that uses a hybrid algorithm which is a mixture of Fuzzy C-Means clustering algorithm and Artificial Neural Network (FCM-ANN) to improve the accuracy of the detection system. The proposed system is implemented and compared with Naïve Bayes classifier and Classic ANN algorithm. The DARPA’s KDD cup dataset 1999 is used for experiments. Based on extensive theoretical and performance analysis, it is evident that the proposed system is able to detect the anomalies with high detection accuracy and low false alarm rate even for low frequent attacks thereby outperforming Naïve Bayes classifier and Classic ANN.

computer science, information systems,telecommunications, hardware & architecture

Roman Nikiforov

DOI: https://doi.org/10.48550/arXiv.1810.02762

2018-10-05

Abstract:Anomaly detection is an important step in the management and monitoring of data centers and cloud computing platforms. The ability to detect anomalous virtual machines before real failures occur results in reduced downtime while operations engineers urgently recover malfunctioning virtual machines, efficient root cause analysis, and improved customer optics in the event said malfunction lead to an outage. Virtual machines could fail at any time, whether in a lab or production system. If there is no anomaly detection system, and a virtual machine in a lab environment fails, the QA and DEV team will have to switch to another environment while the OPS team fixes the failure. The potential impact of failing to detect anomalous virtual machines can result in financial ramifications, both when developing new features and servicing existing ones. This paper presents a model that can efficiently detect anomalous virtual machines both in production and testing environments.

Distributed, Parallel, and Cluster Computing,Machine Learning

ZM Cai,XH Guan,P Shao,QK Peng,GJ Sun

DOI: https://doi.org/10.1111/1468-0394.00249

IF: 3.3

2003-01-01

Expert Systems

Abstract:Abstract: Intrusion detection is important in the defense‐in‐depth network security framework. This paper presents an effective method for anomaly intrusion detection with low overhead and high efficiency. The method is based on rough set theory to extract a set of detection rules with a minimal size as the normal behavior model from the system call sequences generated during the normal execution of a process. It is capable of detecting the abnormal operating status of a process and thus reporting a possible intrusion. Compared with other methods, the method requires a smaller size of training data set and less effort to collect training data and is more suitable for real‐time detection. Empirical results show that the method is promising in terms of detection accuracy, required training data set and efficiency.

Xudong Zhu,Zhijing Liu

DOI: https://doi.org/10.1108/17563781111160039

2011-01-01

International Journal of Intelligent Computing and Cybernetics

Abstract:Purpose The purpose of this paper is to address the problem of profiling human behaviour patterns captured in surveillance videos for the application of online normal behaviour recognition and anomaly detection. Design/methodology/approach A novel framework is developed for automatic behaviour profiling and online anomaly detection without any manual labeling of the training dataset. Findings Experimental results demonstrate the effectiveness and robustness of the authors' approach using noisy and sparse datasets collected from one real surveillance scenario. Originality/value To discover the topics, co‐clustering topic model not only captures the correlation between words, but also models the correlations between topics. The major difference between the conventional co‐clustering algorithms and the proposed CCMT is that CCMT shows a major improvement in terms of recall, i.e. interpretability.

SHI ZHONG,TAGHI M. KHOSHGOFTAAR,NAEEM SELIYA

DOI: https://doi.org/10.1142/s0218539307002568

2007-04-01

International Journal of Reliability, Quality and Safety Engineering

Abstract:Recently data mining methods have gained importance in addressing network security issues, including network intrusion detection — a challenging task in network security. Intrusion detection systems aim to identify attacks with a high detection rate and a low false alarm rate. Classification-based data mining models for intrusion detection are often ineffective in dealing with dynamic changes in intrusion patterns and characteristics. Consequently, unsupervised learning methods have been given a closer look for network intrusion detection. We investigate multiple centroid-based unsupervised clustering algorithms for intrusion detection, and propose a simple yet effective self-labeling heuristic for detecting attack and normal clusters of network traffic audit data. The clustering algorithms investigated include, k-means, Mixture-Of-Spherical Gaussians, Self-Organizing Map, and Neural-Gas. The network traffic datasets provided by the DARPA 1998 offline intrusion detection project are used in our empirical investigation, which demonstrates the feasibility and promise of unsupervised learning methods for network intrusion detection. In addition, a comparative analysis shows the advantage of clustering-based methods over supervised classification techniques in identifying new or unseen attack types.

Bilal Ahmad,Wang Jian,Zain Anwar Ali,Sania Tanvir,M. Sadiq Ali Khan

DOI: https://doi.org/10.1007/s11277-018-5721-6

IF: 2.017

2018-04-16

Wireless Personal Communications

Abstract:Performance of wireless sensor network are highly prone to network anomalies particularly to misdirection attacks and blackhole attacks. Therefor intrusion detection system has a key role in WSN and it’s essential in security application. However the identification of active attacks is cumbersome in many cases particularly for remote sensing applications. This paper proposes hybrid anomaly detection method for misdirection and blackhole attacks by employing K-medoid customized clustering technique. A synthetic dataset was established by defining network parameters and threshold values were obtained to detect the anomalies. Experimental work was performed on network simulator (NS-2) and R studio. The proposed algorithm successfully detect the hybrid anomalies with high accuracy. This work is suitable for hybrid anomaly detection including misdirection and blackhole attacks in wireless environment.

telecommunications

Jing Tao,Ning Zheng,Waner Wang,Ting Han,Xuna Zhan,Qingxin Luan

DOI: https://doi.org/10.1109/icbk.2019.00039

2019-01-01

Abstract:Abnormal host detection is a critical issue in an enterprise intranet data center. The traditional anomaly host detection method mainly focuses on detecting anomaly behavior, and the abnormality determination for a single behavior point often has certain limitations. For example, the entire attack process cannot be completely restored. And it will cause a lot of underreporting. Therefore, in this paper, we propose A Behavior Sequence Clustering-based Enterprise Network Anomaly Host Detection Method to solve the problem of anomaly host detection of an enterprise network We use the Toeplitz Inverse Covariance-Based Clustering (TICC) algorithm [1] to segment and cluster time series data and mining anomaly host behavior sequences, identify the anomaly host of the enterprise network The experimental results show that the Behavior Sequence Clustering-based Enterprise Network Anomaly Host Recognition Method can quickly identify the anomaly host and accurately restore the complete attack process.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.012

2011-01-01

Computer Science

Abstract:This paper presented a novel method for anomaly detection of user behavior based on the discrete-time Mar-kov chain model,which is applicable to intrusion detection systems using shell commands as audit data.In the training period,the uncertainty of the user's behavior and the relevance of the operation of shell commands in short time were fully considered.This method takes the sequences of shell commands as the basic processing units.It merges the sequences into sets in terms of their ordered frequencies and then constructs states of the Markov chain on the merged results.Therefore this method increases the accuracy of describing the normal behavior profile and the adaptability to the variations of the user's behavior and sharply reduces the number of states and the required storage space.In the detection stage,considering the real-time performance and the accuracy requirement of the detection system,it analyzes the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences,and then provides two schemes,based on the probability stream filtered with single window or multi-windows,to classify the user's behavior.The results of our experiments show that this method can achieve higher detection performance and practicability than others.

Doi Thi Lan,Seokhoon Yoon

DOI: https://doi.org/10.3390/s23063318

2023-03-21

Abstract:Human movement anomalies in indoor spaces commonly involve urgent situations, such as security threats, accidents, and fires. This paper proposes a two-phase framework for detecting indoor human trajectory anomalies based on density-based spatial clustering of applications with noise (DBSCAN). The first phase of the framework groups datasets into clusters. In the second phase, the abnormality of a new trajectory is checked. A new metric called the longest common sub-sequence using indoor walking distance and semantic label (LCSS_IS) is proposed to calculate the similarity between trajectories, extending from the longest common sub-sequence (LCSS). Moreover, a DBSCAN cluster validity index (DCVI) is proposed to improve the trajectory clustering performance. The DCVI is used to choose the epsilon parameter for DBSCAN. The proposed method is evaluated using two real trajectory datasets: MIT Badge and sCREEN. The experimental results show that the proposed method effectively detects human trajectory anomalies in indoor spaces. With the MIT Badge dataset, the proposed method achieves 89.03% in terms of F1-score for hypothesized anomalies and above 93% for all synthesized anomalies. In the sCREEN dataset, the proposed method also achieves impressive results in F1-score on synthesized anomalies: 89.92% for rare location visit anomalies (τ = 0.5) and 93.63% for other anomalies.

Zhi-Zhong WU,Xue-Hai ZHOU

DOI: https://doi.org/10.3969/j.issn.1003-3254.2015.04.032

2015-01-01

Abstract:In this paper, we present a distributed anomaly detection system for mobile devices. The proposed framework realizes a client-server architecture, the client continuously extracts various features of mobile device and transfers to the server, and the server’s major task is to detect anomaly using state-of-art detection algorithms. According to the regularity of human daily activity and the periodic of using mobile device, we also propose a novel user behavior cycle based statistical approach, in which the abnormal is determined by the distance from the undetermined feature vector to the similar time segments’ vectors of previous cycles. We use the Mahalanobis distance as distance metric since it is rarely affected by the correlate and value range of features. Evaluation results demonstrated that the proposed framework and novel anomaly detection algorithm could effectively improve the detection rate of malwares on mobile devices.

Jionghua Jin,Xuejun Zhu

2006-01-01

Abstract:The intrusion detection in computer networks is a complex research problem, which requires the understanding of computer networks and the mechanism of intrusions, the configuration of sensors and the collected data, the selection of the relevant attributes, and the monitor algorithms for online detection. It is critical to develop general methods for data dimension reduction, effective monitoring algorithms for intrusion detection, and means for their performance improvement. This dissertation is motivated by the timely need to develop statistics-based machine learning methods for effective detection of computer network anomalies. Three fundamental research issues related to data dimension reduction, control charts design and performance improvement have been addressed accordingly. The major research activities and corresponding contributions are summarized as follows: (1) Filter and Wrapper models are integrated to extract a small number of the informative attributes for computer network intrusion detection. A two-phase analyses method is proposed for the integration of Filter and Wrapper models. The proposed method has successfully reduced the original 41 attributes to 12 informative attributes while increasing the accuracy of the model. The comparison of the results in each phase shows the effectiveness of the proposed method. (2) Supervised kernel based control charts for anomaly intrusion detection. We propose to construct control charts in a feature space. The first contribution is the use of multi-objective Genetic Algorithm in the parameter pre-selection for SVM based control charts. The second contribution is the performance evaluation of supervised kernel based control charts. (3) Unsupervised kernel based control charts for anomaly intrusion detection. Two types of unsupervised kernel based control charts are investigated: Kernel PCA control charts and Support Vector Clustering based control charts. The applications of SVC based control charts on computer networks audit data are also discussed to demonstrate the effectiveness of the proposed method. Although the developed methodologies in this dissertation are demonstrated in the computer network intrusion detection applications, the methodologies are also expected to be applied to other complex system monitoring, where the database consists of a large dimensional data with non-Gaussian distribution.

DY Yeung,YX Ding

DOI: https://doi.org/10.1016/s0031-3203(02)00026-2

IF: 8

2003-01-01

Pattern Recognition

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on program or user profiles built from normal usage data. In particular, program profiles based on Unix system calls and user profiles based on Unix shell commands are modeled using two different types of behavioral models for data mining. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only, as opposed to the classification approach which has to use both normal and intrusion data for training. To determine whether or not a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that the dynamic modeling approach is better than the static modeling approach for the system call datasets, while the dynamic modeling approach is worse for the shell command datasets. Moreover, the static modeling approach is similar in performance to instance-based learning reported previously by others for the same shell command database but with much higher computational and storage requirements than our method.