Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

XIAO Zheng-hong,PAN Mei-sen,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.02.099

2007-01-01

Abstract:Network traffic is one of the key properties in LAN as well as WAN,by wavelet analysis,the complex traffic times series can be decomposed into different frequent components.Based on wavelet decomposed,the self-similar of traffic can be used to detect anomaly behavior of network,a method of detecting attacks based on the deviation of Hurst parameter is presented.The changes of Hurst parameter are analyzed and compared in different time scale.Result shows the proposed approach can detect the possible presence of not only an anomaly,but also its location on data set.

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Tingting Huang,Chao Liu,Anuj Sharma,Soumik Sarkar

DOI: https://doi.org/10.36001/ijphm.2018.v9i1.2671

2020-01-01

International Journal of Prognostics and Health Management

Abstract:Traffic dynamics in the urban interstate system are critical in terms of highway safety and mobility. This paper proposes a systematic data mining technique to detect traffic system-level anomalies in a batch-processing fashion. Built on the concepts of symbolic dynamics, a spatiotemporal pattern network (STPN) architecture is developed to capture the system characteristics. This novel spatiotemporal graphical modeling approach is shown to be able to extract salient time series features and discover spatial and temporal patterns for a traffic system. An information-theoretic metric is used to quantify the causal relationships between sub-systems. By comparing the structural similarity of the information-theoretic metrics of the STPNs learnt from each day, a day with anomalous system characteristics can be identified. A case study is conducted on an urban interstate in Iowa, USA, with 11 roadside radar sensors collecting 20-second resolution speed and volume data. After applying the proposed methods on one-month data (Feb. 2017), several system-level anomalies are detected. The potential causes that include inclement weather condition and non-recurring congestion are also verified to demonstrate the efficacies of the proposed technique. Compared to the traditional predefined performance measures for the traffic systems, the proposed framework has advantages in capturing spatiotemporal features in a fast and scalable manner.

Shaoyu Dou,Kai Yang,Yang Jiao,Chengbo Qiu,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2024.3418906

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Time series analysis has achieved great success in cyber security such as intrusion detection and device identification. Learning similarities among multiple time series is a crucial problem since it serves as the foundation for downstream analysis. Due to the complex temporal dynamics of the event-triggered time series, it often remains unclear which similarity metric is appropriate for security-related tasks, such as anomaly detection and clustering. The overarching goal of this paper is to develop an unsupervised learning framework that is capable of learning similarities among a set of event-triggered time series. From the machine learning vantage point, the proposed framework harnesses the power of both hierarchical multi-resolution sequential autoencoders and the Gaussian Mixture Model (GMM) to effectively learn the low-dimensional representations from the time series. Finally, the obtained similarity measure can be easily visualized for the explanation. The proposed framework aspires to offer a stepping stone that gives rise to a systematic approach to model and learn similarities among a multitude of event-triggered time series. Through extensive qualitative and quantitative experiments, it is revealed that the proposed method outperforms state-of-the-art methods considerably.

Chao Liu,Mo Zhao,Anuj Sharma,Soumik Sarkar

DOI: https://doi.org/10.1007/s42421-019-00003-x

2019-01-01

Journal of Big Data Analytics in Transportation

Abstract:To discover the spatial and temporal traffic patterns, this paper proposes a spatiotemporal graphical modeling approach, spatiotemporal pattern network (STPN), to explore traffic dynamics in large traffic networks. A measurement based on Granger causality is used to identify the characteristics of spatial and temporal traffic patterns. An anomaly score is estimated to detect and locate traffic incidents in diverse types and severities, and also to quantify the influence of incidents on traffic flow fluctuations. Built upon symbolic dynamics filtering, the proposed approach implements spatial and temporal feature extraction via discovering causal dependencies among road segments using STPN, system-wide pattern learning through an energy-based model, restricted Boltzmann machine, and inference using a newly developed root-cause analysis algorithm. Case studies are carried out using the probe vehicle data collected on Interstate Highway 80 in Iowa and the results show that the proposed approach is capable of (1) discovering and representing causal interactions among sub-systems (e.g., road segment) of a traffic network that provide valuable information for developing and applying customized traffic management strategies, (2) adaptively handling multiple nominal patterns mixed with anomalous data for effectively differentiating abnormal traffic system status and locating traffic incidents, and (3) quantifying the fluctuation of traffic flow and the severity of the detected incident via anomaly scores estimated from traffic speed behaviors. The findings from the case studies reiterate the importance of incorporating both temporal and spatial features for pattern analysis and incident detection. The proposed approach is built for real-time application and can be utilized for on-line incident detection.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Su Yang,Wenbin Zhou

DOI: https://doi.org/10.1109/PASSAT/SocialCom.2011.10

2011-01-01

Abstract:Some special natural and social events like natural disasters, terrorism attacks, and traffic accidents may have remarkable effect on people's collective behaviors, which means the behaviors of a large number of people viewed as a whole. Analysis of the patterns of collective behaviors in the sense of data mining is an important topic. Solving this problem is crucial and practical in that online detection of abnormal patterns of people's collective behaviors may lead to rapid response to emergent affairs. In terms of technology, the task can be regarded as detection of abnormal particle movement patterns from a global point of view. In this study, we propose a solution to solve this problem. First, the traffic flows observed by more than 4000 sensors are organized as high-dimensional time series. Second, a widely used manifold learning technique referred to as locally linear embedding (LLE) is used to compute the K coefficients in fitting every data point with its K nearest neighbors in the high-dimensional space, which can be regarded as a K-dimensional local feature associated with every data point. Then, the local features of the data points within a time window are summarized by using principal component analysis (PCA) to obtain a global feature to represent the traffic data in every time window. Finally, outlier detection is performed on such PCALLE feature space. The experimental results show that the proposed method can effectively detect abnormal traffic patterns, which correspond with some special days, like the New Year day, the national day of America, and some days with extreme weather. © 2011 IEEE.

Xiaolong Liang

DOI: https://doi.org/10.1109/netcit54147.2021.00053

2021-12-01

Abstract:With the rapid development of network communication technology, the continuous deepening of Internet application and the increasing enrichment of information, the Internet has become an important infrastructure of human society. With the development of network technology and the increasing complexity of network topology, the supervision of network is facing great challenges. Among them, network traffic anomaly detection is one of the important tasks in network supervision. It is an indispensable technical means in network intrusion detection, security monitoring, operation and maintenance. Network security has become a problem faced by people. Anomaly detection is valued by people in academia and industry because it can detect unknown attacks. Researchers have proposed a large number of anomaly detection methods and systems. However, with the continuous growth of network bandwidth and the continuous progress of network attack and defense game, the network itself is in the process of dynamic evolution, and the means and methods of network attack are also evolving, resulting in the improvement of detection accuracy and accuracy of anomaly detection system Operational efficiency, security and ease of use are facing severe challenges. It is of great significance to propose anomaly detection methods with high detection accuracy and high operation efficiency and optimize existing detection algorithms. It is also a cutting-edge scientific problem of common concern in the field of global network security in academia and industry. Based on the prediction model and classifier, this paper proposes a real-time online anomaly detection method for network traffic, and systematically implements this method.

Mengnan Gao,Lifa Wu,Qi Li,Wei Chen

DOI: https://doi.org/10.1016/j.jisa.2023.103532

IF: 4.96

2023-06-17

Journal of Information Security and Applications

Abstract:The number of Internet of Things (IoT) devices is expanding quickly as IoT gradually spreads to all aspects of life. At the same time, IoT devices have emerged as a new attack medium for attack groups, and IoT security becomes an urgent issue to be solved. Attackers often evade intrusion detection using disguises, and attack methods against the IoT continue to evolve over time. To effectively identify malicious traffic, we propose a method for anomaly detection based on attribute graphs to identify potential security vulnerabilities in IoT traffic. The nodes of the attribute graph are values of features extracted from network traffic, with a meta-path-based graph neural network learning the topology and attribute information of the traffic network. To assure the model's performance under large-scale IoT nodes, we develop a Hoffman coding-based data accuracy adjustment strategy to optimize the data, which regulates the size of the attribute graph under various data sizes. Our extensive experiments on datasets of real network traffic show the effectiveness of our method.

computer science, information systems

Ning Chen,Xiao-Su Chen,Bing Xiong,Hong-Wei Lu

DOI: https://doi.org/10.1109/embeddedcom-scalcom.2009.50

2009-01-01

Abstract:Based on TCP protocol, this paper aims at TCP flows, discusses the effects of multivariate correlation analysis on network traffic, obtains the quantitative relationship between different types of TCP packets in each time unit by correlation coefficient matrix, and finally proposes an anomaly detection and analysis method based on the correlation coefficient matrix. The experimental results show that our method can efficiently distinguish normal and abnormal traffic, and accurately detect and classify various anomaly behaviors (such as network scanning and DDoS attacks) in network traffic. The linear complexity of our method makes real-time detection and analysis practical.

Tianye Zhang,Xumeng Wang,Zongzhuang Li,Fangzhou Guo,Yuxin Ma,Wei Chen

DOI: https://doi.org/10.1007/s11432-016-0428-2

2017-01-01

Science China Information Sciences

Abstract:Network anomaly analysis is an emerging subtopic of network security. Network anomaly refers to the unusual behavior of network devices or suspicious network status. A number of intelligent visual tools are developed to enhance the ability of network security analysts in understanding the original data, ultimately solving network security problems. This paper surveys current progress and trends in network anomaly visualization. By providing an overview of network anomaly data, visualization tasks, and applications, we further elaborate on existing methods to depict various data features of network alerts, anomalous traffic, and attack patterns data. Directions for future studies are outlined at the end of this paper.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Yuantian Miao,Zichan Ruan,Lei Pan,Yu Wang,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.48550/arXiv.1804.09023

2018-04-24

Abstract:Network traffic analytics technology is a cornerstone for cyber security systems. We demonstrate its use through three popular and contemporary cyber security applications in intrusion detection, malware analysis and botnet detection. However, automated traffic analytics faces the challenges raised by big traffic data. In terms of big data's three characteristics --- volume, variety and velocity, we review three state of the art techniques to mitigate the key challenges including real-time traffic classification, unknown traffic classification, and efficiency of classifiers. The new techniques using statistical features, unknown discovery and correlation analytics show promising potentials to deal with big traffic data. Readers are encouraged to devote to improving the performance and practicability of automatic traffic analytic in cyber security.

Cryptography and Security

Siming Chen,Xiaoru Yuan

2015-01-01

Abstract:Monitoring the behavior of hosts and identifying anomaly situation in the streaming network is critical but challenging. There lacks of efficient methods to quickly identify and classified the different behavior for IPs and ports in a dynamic scenario. In this work, we propose a visual analytics approach for quickly identifying anomaly situation and tracking the behavior of interested IP/ports from the streaming network flow data. We build up an interactive visual classification and analysis system, providing filtering and sorting methods, as well as correlation exploration. Features can be classified through interactive brushing and be monitored in other analysis stage. Our case study turns our method can efficiently identify anomaly events from the complex global network flow data.

Xueyuan Duan,Yu Fu,Kun Wang

DOI: https://doi.org/10.48550/arXiv.2205.03907

2022-05-08

Networking and Internet Architecture

Abstract:To address the problem that traditional network traffic anomaly detection algorithms do not suffi-ciently mine potential features in long time domain, an anomaly detection method based on mul-ti-scale residual features of network traffic is proposed. The original traffic is divided into subse-quences of different time spans using sliding windows, and each subsequence is decomposed and reconstructed into data sequences of different levels using wavelet transform technique; the stacked autoencoder (SAE) constructs similar feature space using normal network traffic, and gen-erates reconstructed error vector using the difference between reconstructed samples and input samples in the similar feature space; the multi-path residual group is used to learn reconstructed error The traffic classification is completed by a lightweight classifier. The experimental results show that the detection performance of the proposed method for anomalous network traffic is sig-nificantly improved compared with traditional methods; it confirms that the longer time span and more S transformation scales have positive effects on discovering potential diversity information in the original network traffic.

Tahereh Babaie,Sanjay Chawla,Sebastien Ardon

DOI: https://doi.org/10.48550/arXiv.1403.0157

2014-03-02

Abstract:In this paper we focus on the detection of network anomalies like Denial of Service (DoS) attacks and port scans in a unified manner. While there has been an extensive amount of research in network anomaly detection, current state of the art methods are only able to detect one class of anomalies at the cost of others. The key tool we will use is based on the spectral decomposition of a trajectory/hankel matrix which is able to detect deviations from both between and within correlation present in the observed network traffic data. Detailed experiments on synthetic and real network traces shows a significant improvement in detection capability over competing approaches. In the process we also address the issue of robustness of anomaly detection systems in a principled fashion.

Machine Learning,Networking and Internet Architecture

Hector Gonzalez,Jiawei Han,Yanfeng Ouyang,Sebastian Seith

DOI: https://doi.org/10.3141/2215-08

2011-01-01

Abstract:The identification and characterization of traffic anomalies on massive road networks is a vital component of traffic monitoring and control. Anomaly identification can be used to reduce congestion, increase safety, and provide transportation engineers with better information for traffic forecasting and road network design. However, because of the size, complexity, and dynamics of transportation networks, automating such a process is challenging. A multidimensional mining framework is proposed; it can be used to identify a concise set of anomalies from massive traffic monitoring data and then overlay, contrast, and explore such anomalies in multidimensional space. The framework is based on the development of two novel methods: (1) efficient anomaly mining stemming from the discovery of the atypical fragment (a compact representation of a set of abnormal traffic patterns happening across a sequence of connected road segments, possibly spanning multiple roads, and occurring at overlapping time intervals) and (2) a multidimensional anomaly overlay model that enables the clustering of multiple atypical fragments according to different criteria (e.g., severity, topology, or spatiotemporal characteristics). The atypical fragment provides a concise, global view of the traffic anomaly situation, whereas the framework for anomaly overlay provides the power of online analytical processing to facilitate the discovery of patterns associated with different anomaly types and the navigation of anomalies at multilevel abstraction.