Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Li Zhi-tang,Li Yao,Wang Li

DOI: https://doi.org/10.1109/hpcasia.2005.7

2005-01-01

Abstract:More and more intrusion detection systems were developed, but most of these systems have very poor accuracy. To overcome this problem, a self-adaptive anomaly detection system was developed using fuzzy detection anomaly algorithm with negative selection of biology. The algorithm improves the accuracy of the detection method and produces a novel method to measure the deviation from the normal that does not need a discrete division of the non-self space. The proposed anomaly detection model is designed as flexible, extendible, and adaptable in order to meet the needs and preferences of network administrators and can be also supplied for IPv6 environment. Different experiments are performed with MIT-DARAP 1999 dataset (Lippmann et al., 2000) and real word data from different sources. The experimental results show that the proposed algorithms provide some advantages over other algorithms

Mohammad Almseidin,Jamil Al-Sawwa,Mouhammd Alkasassbeh

DOI: https://doi.org/10.48550/arXiv.2107.12299

2021-06-22

Abstract:Recently, the Distributed Denial of Service (DDOS) attacks has been used for different aspects to denial the number of services for the end-users. Therefore, there is an urgent need to design an effective detection method against this type of attack. A fuzzy inference system offers the results in a more readable and understandable form. This paper introduces an anomaly-based Intrusion Detection (IDS) system using fuzzy logic. The fuzzy logic inference system implemented as a detection method for Distributed Denial of Service (DDOS) attacks. The suggested method was applied to an open-source DDOS dataset. Experimental results show that the anomaly-based Intrusion Detection system using fuzzy logic obtained the best result by utilizing the InfoGain features selection method besides the fuzzy inference system, the results were 91.1% for the true-positive rate and 0.006% for the false-positive rate.

Cryptography and Security,Networking and Internet Architecture

Fenghuan Li,Dequan Zheng,Tiejun Zhao,Witold Pedrycz

DOI: https://doi.org/10.3233/ifs-151910

2016-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:Anomalies are subsequences that exhibit departures from normal state of operation. In this paper, to solve the problems of unknown data distribution, control limit determination, multiple parameters, training data and fuzziness of ‘anomaly’, a self-adaptive and unsupervised model is developed for finding anomalies in data streams. A salient feature is a synergistic combination of both statistical and fuzzy set-based techniques. Anomaly detection problem is viewed as a certain statistical hypothesis testing which is realized in an unsupervised mode. At the same time, ‘anomaly’ is a much more complex concept and as such can be described with fuzzy set theory. Fuzzy sets bring a facet of robustness to the overall scheme and play an important role in the successive step of hypothesis testing. Because of the fuzzification, parameters determination is self-adaptive and no parameter needs to be specified by the user, what’s more, there is no need to consider the data distribution in statistical hypothesis testing in this paper. The approach is validated with a number of experiments, which help to quantify the performance of constructed algorithm.

Wenyao Sha,Yongxin Zhu,Min Chen,Tian Huang

DOI: https://doi.org/10.1109/tcc.2015.2415813

IF: 5.697

2015-01-01

IEEE Transactions on Cloud Computing

Abstract:As a major strategy to ensure the safety of IT infrastructure, anomaly detection plays a more important role in cloud computing platform which hosts the entire applications and data. On top of the classic Markov chain model, we proposed in this paper a feasible multi-order Markov chain based framework for anomaly detection. In this approach, both the high-order Markov chain and multivariate time series are adopted to compose a scheme described in algorithms along with the training procedure in the form of statistical learning framework. To curb time and space complexity, the algorithms are designed and implemented with non-zero value table and logarithm values in initial and transition matrices. For validation, the series of system calls and the corresponding return values are extracted from classic Defense Advanced Research Projects Agency (DARPA) intrusion detection evaluation data set to form a two-dimensional test input set. The testing results show that the multi-order approach is able to produce more effective indicators: in addition to the absolute values given by an individual single-order model, the changes in ranking positions of outputs from different-order ones also correlate closely with abnormal behaviours.

Dequan Zheng,Fenghuan Li,Tiejun Zhao

DOI: https://doi.org/10.1016/j.eswa.2016.03.029

IF: 8.5

2016-01-01

Expert Systems with Applications

Abstract:Anomaly detection in time series has become a widespread problem in the areas such as intrusion detection and industrial process monitoring. Major challenges in anomaly detection systems include unknown data distribution, control limit determination, multiple parameters, training data and fuzziness of 'anomaly'. Motivated by these considerations, a novel model is developed, whose salient feature is a synergistic combination of statistical and fuzzy set-based techniques. We view anomaly detection problem as a certain statistical hypothesis testing. Meanwhile, 'anomaly' itself includes fuzziness, therefore, can be described with fuzzy sets, which bring a facet of robustness to the overall scheme. Intensive fuzzification is engaged and plays an important role in the successive step of hypothesis testing. Because of intensive fuzzification, the proposed algorithm is distribution-free and self-adaptive, which solves the limitation of control limit and multiple parameters. The framework is realized in an unsupervised mode, leading to great portability and scalability. The performance is assessed in terms of ROC curve on university of California Riverside repository. A series of experiments show that the proposed approach can significantly increase the AUC, while the false alarm rate is improved. In particular, it is capable of detecting anomalies at the earliest possible time. (C) 2016 Elsevier Ltd. All rights reserved.

Sihan Wang,Zhong Yuan,Chuan Luo,Hongmei Chen,Dezhong Peng

DOI: https://doi.org/10.1016/j.ijar.2023.109087

IF: 4.452

2024-02-01

International Journal of Approximate Reasoning

Abstract:Anomaly detection has been used in a wide range of fields. However, most of the current detection methods are only applicable to certain data, ignoring uncertain information such as fuzziness in the data. Fuzzy rough set theory, as an essential mathematical model for granular computing, provides an effective method for processing uncertain data such as fuzziness. Fuzzy rough entropy has been proposed in fuzzy rough set theory and has been employed successfully in data analysis tasks such as feature selection. However, it mainly uses the intersection operation, which may not effectively reflect the similarity between high-dimensional objects. In response to the two challenges mentioned above, distance-based fuzzy rough entropy and its correlation measures are proposed. Further, the proposed fuzzy rough entropy is used to construct the anomaly detection model and the Fuzzy Rough Entropy-based Anomaly Detection (FREAD) algorithm is designed. Finally, the FREAD algorithm is compared and analyzed with some mainstream anomaly detection algorithms (including COF, DIS, INFLO, LDOF, LoOP, MIX, ODIN, SRO, and VarE algorithms) on some publicly available datasets. Experimental results indicate that the FREAD algorithm significantly outperforms other algorithms in terms of performance and flexibility. The code is publicly available online at https://github.com/optimusprimeyy/FREAD.

computer science, artificial intelligence

Zhi-Zhong WU,Xue-Hai ZHOU

DOI: https://doi.org/10.3969/j.issn.1003-3254.2015.04.032

2015-01-01

Abstract:In this paper, we present a distributed anomaly detection system for mobile devices. The proposed framework realizes a client-server architecture, the client continuously extracts various features of mobile device and transfers to the server, and the server’s major task is to detect anomaly using state-of-art detection algorithms. According to the regularity of human daily activity and the periodic of using mobile device, we also propose a novel user behavior cycle based statistical approach, in which the abnormal is determined by the distance from the undetermined feature vector to the similar time segments’ vectors of previous cycles. We use the Mahalanobis distance as distance metric since it is rarely affected by the correlate and value range of features. Evaluation results demonstrated that the proposed framework and novel anomaly detection algorithm could effectively improve the detection rate of malwares on mobile devices.

DaPeng Chen,Xiaosong Zhang

DOI: https://doi.org/10.1109/ICACIA.2008.4770028

2008-01-01

Abstract:Recent attacks demonstrated that network intrusions have become a major threat to Internet. Systems are employed to detect internet anomaly play a vital role in Internet security. To solve this problem, a technique called frequent episode rules (FERs) base on data mining has been introduced into anomaly detection system (ADS). These episode rules are used to distinguish anomalous sequences of TCP, UDP, or ICMP connections from normal traffic episodes. Unfortunately, this technique is so depend on the machine learning that we may get some false alarms if the results of machine learning cannot cover all the normal traffic data. In this paper, we introduce a new approach for Internet anomaly detection with weighted fuzzy matching over frequent episode rules. We use weighted fuzzy matching algorithm to match the rules, though machine learning may not cover all the normal traffic. The results show that the proposed approach can improve the detection performance of the ADS, where only pure frequent episode rule is used.

Yue Liu,Jun Zhang,Zhijing Liu

DOI: https://doi.org/10.1007/978-3-540-88192-6_62

2008-01-01

Abstract:Abnormal behavior detecting is one of the hottest but most difficult subjects in Monitoring System. It is hard to define “abnormal” in different scenarios. In this paper firstly the classification of motion is conducted, and then conclusions are made under specific circumstances. In order to indicate a pedestrian’s movements, a complex number notation based on centroid is proposed. And according to the different sorts of movements, a set of standard image contours are made. Different behavior matrices based on spatio-temporal are acquired through Hidden Markov Models (HMM). A Procrustes shape analysis method is presented in order to get the similarity degree of two contours. Finally Fuzzy Associative Memory (FAM) is proposed to infer behavior classification of a walker. Thus anomalous pedestrians can be detected in the given condition. FAM can detect irregularities and implement initiative analysis of body behavior.

Jun Zhang,Zhijing Liu,Xudong Zhu,Hao Zhang

2008-01-01

Abstract:The fuzzy discriminant has better performance used in the nonlinear processing which is complex and difficult in establishing models. And it is suitable to detect abnormal movement. Visual analysis of human motion from video sequences has been attached more and more attention to computer visions in recent years. In order to identify pedestrian movement in Intelligent Security Monitoring System, an articulated model of human is presented. Using the variety of major organ of the body contour angle, a fuzzification function is designed. An abnormal behavior discrimination algorithm based on fuzzy theory is proposed. The algorithm applies fuzzy membership of the organ of pedestrian to get the overall degree of the anomaly. In the reality of the system, a combined method of center of mass and fuzzy discriminant is presented. Fuzzy discriminant can detect irregularities and implements initiative analysis to body behavior in visual surveillance. Therefore, we can recognize some abnormal behaviors and then alarm, so that it becomes intelligible in nature. The results show that the new algorithm has better performance:.

Cuixia Gao,Zhitang Li

DOI: https://doi.org/10.1109/MINES.2009.150

2009-01-01

Abstract:Anomaly detection means developing a reference profile of normal activity and comparing the ongoing activity against it. Anomaly detection is very promising because of its potential to detect unseen types of attacks. In this paper we present our preliminary research on host anomaly detection by fusing multi-source security information. We selected five types of information which may be good indicators of host anomalies. They are RAM usage, host network connections, usage of bandwidth, the alert of antivirus and the alert of our own project SATA. In the information fusion framework, the D-S evidence theory was used to fuse the dynamic host-related information. Some improvements are also discussed. We also use real-world environment to demonstrate the method's capability for detecting host anomaly. We show that our prototype can successfully detect most of anomalies caused by DOS, scanning and other attacks.

Jing Zhang

DOI: https://doi.org/10.48550/arXiv.1901.09294

2019-01-27

Abstract:Anomaly detecting as an important technical in cloud computing is applied to support smooth running of the cloud platform. Traditional detecting methods based on statistic, analysis, etc. lead to the high false-alarm rate due to non-adaptive and sensitive parameters setting. We presented an online model for anomaly detecting using machine learning theory. However, most existing methods based on machine learning linked all features from difference sub-systems into a long feature vector directly, which is difficult to both exploit the complement information between sub-systems and ignore multi-view features enhancing the classification performance. Aiming to this problem, the proposed method automatic fuses multi-view features and optimize the discriminative model to enhance the accuracy. This model takes advantage of extreme learning machine (ELM) to improve detection efficiency. ELM is the single hidden layer neural network, which is transforming iterative solution the output weights to solution of linear equations and avoiding the local optimal solution. Moreover, we rank anomies according to the relationship between samples and the classification boundary, and then assigning weights for ranked anomalies, retraining the classification model finally. Our method exploits the complement information between sub-systems sufficiently, and avoids the influence from imbalance dataset, therefore, deal with various challenges from the cloud computing platform. We deploy the privately cloud platform by Openstack, verifying the proposed model and comparing results to the state-of-the-art methods with better efficiency and simplicity.

Machine Learning

N. Pandeeswari,Ganesh Kumar

DOI: https://doi.org/10.1007/s11036-015-0644-x

2015-08-16

Mobile Networks and Applications

Abstract:Cloud computing affords lot of resources and computing facilities through Internet. Cloud systems attract many users with its desirable features. In spite of them, Cloud systems may experience severe security issues. Thus, it is essential to create an Intrusion Detection System (IDS) to detect both insider and outsider attacks with high detection accuracy in cloud environment. This work proposes an anomaly detection system at the hypervisor layer named Hypervisor Detector that uses a hybrid algorithm which is a mixture of Fuzzy C-Means clustering algorithm and Artificial Neural Network (FCM-ANN) to improve the accuracy of the detection system. The proposed system is implemented and compared with Naïve Bayes classifier and Classic ANN algorithm. The DARPA’s KDD cup dataset 1999 is used for experiments. Based on extensive theoretical and performance analysis, it is evident that the proposed system is able to detect the anomalies with high detection accuracy and low false alarm rate even for low frequent attacks thereby outperforming Naïve Bayes classifier and Classic ANN.

computer science, information systems,telecommunications, hardware & architecture

Jing Tao,Waner Wang,Ning Zheng,Ting Han,Yue Chang,Xuna Zhan

DOI: https://doi.org/10.1109/icbk.2019.00038

2019-01-01

Abstract:Anomaly login detection is a critical step towards building a secure and trustworthy system. When a new user appears in the login record, the traditional method determines that an anomaly behavior of login has occurred. However, in fact, the first login subject may be a new employee other than the attacker. In this paper, we propose an asynchronous anomaly login detection algorithm model of "Off-line Learning + On-line detection" to solve the real-time anomaly login detection problem. In addition, based on the analysis of multi-source logs, we extract the operating features of users to solve the problem of how to distinguish malicious users from legitimate users who log on to the host for the first time. Extensive experimental evaluations over large log data have shown that our algorithm can not only catch the first abnormal account effectively but also reduce the running time by tens of times compared with K-means and other cluster algorithms

Liyang Wang,Yu Cheng,Hao Gong,Jiacheng Hu,Xirui Tang,Iris Li

2024-09-23

Abstract:The sophistication and diversity of contemporary cyberattacks have rendered the use of proxies, gateways, firewalls, and encrypted tunnels as a standalone defensive strategy inadequate. Consequently, the proactive identification of data anomalies has emerged as a prominent area of research within the field of data security. The majority of extant studies concentrate on sample equilibrium data, with the consequence that the detection effect is not optimal in the context of unbalanced data. In this study, the unsupervised learning method is employed to identify anomalies in dynamic data flows. Initially, multi-dimensional features are extracted from real-time data, and a clustering algorithm is utilised to analyse the patterns of the data. This enables the potential outliers to be automatically identified. By clustering similar data, the model is able to detect data behaviour that deviates significantly from normal traffic without the need for labelled data. The results of the experiments demonstrate that the proposed method exhibits high accuracy in the detection of anomalies across a range of scenarios. Notably, it demonstrates robust and adaptable performance, particularly in the context of unbalanced data.

Machine Learning,Artificial Intelligence,Cryptography and Security

Xi Xiangyu,Zhang Tong,Ye Wei,Wen Zhao,Zhang Shikun,Du Dongdong,Gao Qing

DOI: https://doi.org/10.1142/s0218194018400211

2018-01-01

Abstract:An intruder of a company’s network may use stolen login credentials to silently collect sensitive data. Such malicious user behavior is difficult to detect as long as it does not trigger access violation or data leak alert. In this paper, we propose to use an ensemble of three unsupervised anomaly detection algorithms, namely OCSVM, RNN and Isolation Forest, to detect abnormal user behavior patterns. Besides, an User Behavior Analytics (UBA) Platform is proposed to collect logs, extract features and conduct experiments. The experiment results indicate that our algorithm outperforms each individual algorithm with recall of 96.55% and precision of 91.24% on average, while both OCSVM and RNN suffer from anomalies in the training set, and [Formula: see text] produces more false positives and false negatives in prediction.

Zhong Yuan,Baiyang Chen,Jia Liu,Hongmei Chen,Dezhong Peng,Peilin Li

DOI: https://doi.org/10.1016/j.asoc.2023.109995

2023-01-01

Abstract:The density-based method is a more widely used anomaly detection. However, most of the existing density-based methods mainly focus on dealing with certainty data and do not consider the problem of uncertainty and fuzziness of the data. Fuzzy rough set theory, as an important mathematical model of granular computing, provides an effective method for information processing of uncertain data. For this reason, this paper proposes an anomaly detection based on fuzzy-rough density. First, the fuzzy-rough density is defined to describe the degree of aggregation of objects. Then, fuzzy entropy is introduced to compute the weights of each attribute. Further, an anomaly score is constructed to characterize the anomaly degree of the samples, which takes into account both the density and fuzziness of the samples. Finally, extensive experiments are conducted on publicly available data with nine popular detection methods. The experimental results show that the proposed method achieves better performance on three types of datasets.(c) 2023 Elsevier B.V. All rights reserved.

Fanping Zeng,Kaitao Yin,Minghui Chen,Xufa Wang

DOI: https://doi.org/10.1109/ICIS.2009.140

2009-01-01

Abstract:Over the past few years, anomaly detection has been an increasing concern with the rapid growth of the network security. Hidden Markov model (HMM) has been applied in various methods in intrusion detection and proved to be a good tool to model normal behaviors of privileged processes, however, one major problem with this approach is that it demands excessive computing resources and costs a long model training time, which makes it inefficient for practical intrusion detection. This paper presents a new method of bringing rough set reduction into HMM to overcome the shortcoming. The proposed approach classifies and simplifies the long observation sequence by virtue of rough set reduction, and the decision conditions obtained in rough set reduction phase could be used in further detection. The experimental results indicate that this method can promote the model training efficiency. Further-more, it is suitable for anomaly detection with high detect rate and low false alarm rate.