Shi Dong,Yuanjun Xia,Tao Wang

DOI: https://doi.org/10.1109/mwc.011.2200320

IF: 12.777

2024-01-01

IEEE Wireless Communications

Abstract:Because wireless communication network attacks continue to evolve, cyber security is becoming more and more important, requiring network security solutions to be constantly updated. In addition, wireless communication network traffic in high-speed networks is massive, high-dimensional, dynamic, and so on, making attacks difficult to detect in real-time. Unknown attacks are also difficult to identify. This article proposes a framework for abnormal traffic detection based on deep reinforcement learning, mainly consisting of four stages: data collection, dataset pre-processing, feature selection, and model detection. Experimental results show that the abnormal traffic detection framework has improved detection performance.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Haoran Yu,Wenchuan Yang,Baojiang Cui,Runqi Sui,Xuedong Wu

DOI: https://doi.org/10.1186/s42400-024-00297-7

2024-01-01

Abstract:AbstractAbnormal traffic detection is a crucial topic in the field of network security. However, existing methods face many challenges when processing complex high-dimensional traffic data. Especially in dealing with redundant features, data sparsity and nonlinear features, traditional methods often suffer from high computational complexity and low detection efficiency. It is challenging to capture potential patterns in complex data effectively and cannot fully meet the needs of practical applications. To address these challenges, this paper proposes an enhanced anomaly traffic detection framework using bidirectional generative adversarial networks (BiGAN) and contrastive learning. This method preprocesses high-dimensional data through steps such as data cleaning, normalization, and clustering to improve data quality. It uses BiGAN and contrastive learning technology to enhance the model's feature representation capabilities. Experimental results show that the method proposed in this paper performs well on multiple traffic data sets and significantly improves the accuracy and efficiency of anomaly detection. Overall, the solution proposed in this paper effectively overcomes the limitations of existing methods in high-dimensional data processing and provides a more advanced abnormal traffic detection strategy.

Zhongyuan Li,Ye Ouyang,Le Su,Wei Jiang,Yirui Hu,Zhenyi Lin

DOI: https://doi.org/10.1109/wts.2018.8363936

2018-01-01

Abstract:Since anomalies in wireless networks have different behaviors, not all of them can be detected and recognized. With the capacity of detecting and describing hidden structure from unlabeled data, unsupervised algorithms are able to automatically characterize the nature of traffic behavior and detect anomalies from normal behaviors in the wireless network. In this paper, co-occurrence data is studied since it combines traffic data with generating entities. Gaussian probabilistic latent semantic analysis (GPLSA) model is leveraged to compare the Gaussian Mixture Model (GMM) with temporal network data. A novel “Donut” algorithm of anomaly detection is proposed with model log-likelihood. Experimental results validated that the proposed GPLSA model could hold better promise in the early detection with low false alarm rate and low implementation complexity.

Bin Yu,Yongzheng Zhang,Wenshu Xie,Wenjia Zuo,Yiming Zhao,Yuliang Wei

DOI: https://doi.org/10.3390/electronics12061397

IF: 2.9

2023-01-01

Electronics

Abstract:How can we learn the normal behavior of some communication processes and predict whether a single communication is under attack, with massive network traffic data representing the time costs of each stage in a single communication process? This paper introduces a statistical method for detecting network traffic anomalies using the Gaussian mixture model. There are two aspects to our contributions. First, we show how to learn the normal behavior of a communication process under the assumption that its time costs are generated from the Gaussian mixture model. Secondly, we show that with the learned Gaussian mixture model, we can predict whether a data point is under attack by computing the likelihood that the data point is drawn from the learned Gaussian distribution. The experimental results show that our method reached high accuracy in some cases, while in some other cases that are more complicated, the data point may have more factors and cannot be represented simply by only one Gaussian mixture model.

Shi Dong,Yuanjun Xia,Tao Peng

DOI: https://doi.org/10.1109/tnsm.2021.3120804

2021-12-01

IEEE Transactions on Network and Service Management

Abstract:The rapid development of Internet technology has brought great convenience to our production life, and the ensuing security problems have become increasingly prominent. These problems threaten users' privacy and pose significant security risks to the normal conduct of many aspects of society, such as politics, economy, culture, and people's livelihood. The growth of the information transmission rate expands the scope of attacks and provides a more attack environment for intruders. Abnormal detection is an effective security protection technology that can monitor network transmission in real-time, effectively sense external attacks, and provide response decisions for relevant managers. The development of machine learning has also led to the development of abnormal traffic detection technology. The goal has been to use powerful and fast learning algorithms to deal with changing threats and respond in real-time. Most of the current abnormal detection research is based on simulation, using public and well-known datasets. On the one hand, the dataset contains high-dimensional massive data, which traditional machine learning methods cannot be processed. On the other hand, the labeled data scale is far behind the application requirements, and the dataset's labels are all manually labeled, so the labeling cost is exceptionally high. This paper proposes a semi-supervised Double Deep Q-Network (SSDDQN)-based optimization method for network abnormal traffic detection, mainly based on Double Deep Q-Network (DDQN), a representative of Deep Reinforcement Learning algorithm. In SSDDQN, the current network first adopts the autoencoder to reconstruct the traffic features and then uses a deep neural network as a classifier. The target network first uses the unsupervised learning algorithm K-Means clustering and then uses deep neural network prediction. The experiment uses NSL-KDD and AWID datasets for training and testing and -erforms a comprehensive comparison with existing machine learning models. The experimental results show that SSDDQN has certain advantages in time complexity and achieved good results in various evaluation metrics.

computer science, information systems

Zecheng Li,Shengyuan Chen,Hongshu Dai,Dunyuan Xu,Cheng-Kang Chu,Bin Xiao

DOI: https://doi.org/10.1109/tr.2022.3204349

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Abnormal traffic detection is the core component of the network intrusion detection system. Although semisupervised methods can detect zero-day attack traffic, previous work suffers from high false alarms because the trained model is simply based on normal traffic. In this article, we propose an accurate abnormal traffic detection method using pseudoanomaly, consisting of an efficient feature extraction framework and a novel denoise autoencoder-generative adversarial network (DAE-GAN) model. The feature extraction framework adopts an innovative packet window scheme to extract spatial and temporal features from traffic flows. The DAE-GAN model has multiple DAEs to achieve efficient data augmentation and generate high-quality pseudoanomalies. The pseudoanomalies are obtained by adding noise on normal traffic and enhanced by adversarial learning in DAE-GAN. Our semisupervised detection method, exploiting both normal data and generated pseudoanomalies, achieves a precision of 98.6 on the NSL-KDD dataset and 98.5 on the UNSW-NB15 dataset. Compared with the state-of-the-art, the detection precision and recall under different user behaviors are significantly improved. The evaluation on four attack datasets shows that our method has a high flow-wise precision of over 99 and a high recall of 60.6.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Rongqiao Fan,Qiyuan Fan,Xue Li,Puming Wang,Jing Xu,Xin Jin,Shaowen Yao,Peng Liu

DOI: https://doi.org/10.1016/j.ins.2024.121210

IF: 8.1

2024-01-01

Information Sciences

Abstract:Network traffic anomaly detection is a crucial task for today's network monitoring and maintenance. However, with the rapid growth of network data volume, the data structure has become more and more complex, showing multi-modal characteristics, which makes traffic anomaly detection face a great challenge. The earlier proposed anomaly detection methods have the following deficiencies, i) Most of them are static or dynamic detection methods that only grow along the temporal modality. ii) Lower detection rate or higher computational cost. To address these deficiencies, this article proposes a traffic anomaly detection framework based on multi-modal incremental tensor decomposition, which has the following three highlights, i) Constructing traffic data as a tensor model to fully mine the correlation between data, and the proposed framework is applicable to the situation where traffic data grows dynamically along multiple modes. ii) Using the multi-modal incremental tensor decomposition method to process dynamically growing data without decomposing all the data, greatly reducing computational cost and improving data quality. iii) Using the XGBoost classification algorithm for anomaly detection to improve detection accuracy. Finally, the results of experiments on two real network traffic datasets NSL-KDD and CICDDOS 2019 show that the proposed framework can achieve a high detection rate of 99.21%, and has the characteristics of good scalability and fast detection speed.

Wengang Ma,Yadong Zhang,Jin Guo,Kehong Li

DOI: https://doi.org/10.2991/ijcis.d.210301.003

IF: 2.259

2021-01-01

International Journal of Computational Intelligence Systems

Abstract:Complex and multidimensional network traffic features have potential redundancy. When traditional detection methods are used for training samples, the detection accuracy of the supervised classification model is affected due to small data samples. Therefore, a method based on generative adversarial networks (GANs) and feature optimization is proposed....

computer science, artificial intelligence, interdisciplinary applications

Shaoyu Dou,Kai Yang,Yang Jiao,Chengbo Qiu,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2024.3418906

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Time series analysis has achieved great success in cyber security such as intrusion detection and device identification. Learning similarities among multiple time series is a crucial problem since it serves as the foundation for downstream analysis. Due to the complex temporal dynamics of the event-triggered time series, it often remains unclear which similarity metric is appropriate for security-related tasks, such as anomaly detection and clustering. The overarching goal of this paper is to develop an unsupervised learning framework that is capable of learning similarities among a set of event-triggered time series. From the machine learning vantage point, the proposed framework harnesses the power of both hierarchical multi-resolution sequential autoencoders and the Gaussian Mixture Model (GMM) to effectively learn the low-dimensional representations from the time series. Finally, the obtained similarity measure can be easily visualized for the explanation. The proposed framework aspires to offer a stepping stone that gives rise to a systematic approach to model and learn similarities among a multitude of event-triggered time series. Through extensive qualitative and quantitative experiments, it is revealed that the proposed method outperforms state-of-the-art methods considerably.

Yu Zheng,Xinglin Lian,Zhangxuan Dang,Chunlei Peng,Chao Yang,Jianfeng Ma

DOI: https://doi.org/10.1145/3583780.3615214

2023-01-01

Abstract:Anomaly traffic detection is a crucial issue in the cyber-security field. Previously, many researchers regarded anomaly traffic detection as a supervised classification problem. However, in real scenarios, anomaly network traffic is unpredictable, dynamically changing and difficult to collect. To address these limitations, we employ anomaly detection setting to propose a novel semi-supervised anomaly network traffic detection framework. It only learns features of normal samples during the training phase. Our framework utilizes low-pass filtering to extract multi-scale low-frequency information from 2-D traffic image. Furthermore, we design a two-stage fusion scheme to incorporate information from original and multi-scale low-frequency traffic image modalities. We conduct experiments on two public datasets: ISCX Tor-nonTor and USTC-TFC2016. The experimental results show that our method outperforms current state-of-the-art anomaly detection methods.

Yan Tong,Jian Zhang,Wei Chen,Mingdi Xu,Tao Qin

DOI: https://doi.org/10.1007/978-3-319-78139-6_30

2017-01-01

Abstract:Focus on the difficulty of large-scale network traffic monitoring and analysis, this paper proposed the concepts of Group Behavior Flow model to aggregate traffic packets and perform abnormal behavior detection. Based on the flow model the pivotal traffic metrics can be extracted while the number of flow records are reduced significantly. Secondly, we employ the graph model to capture the traffic feature distribution between different group users. And optical flow analysis methods are proposed to extract the dynamic behavior changing features between different groups and achieve the goal of abnormal behavior detection. The experimental results based on actual traffic traces show that the methods proposed in this paper can capture the traffic features effectually in the current 10 Gbps network environment, and achieve the goal of abnormal behavior detection and abnormal source location, which is very important for traffic management.

Dong Feng,Mangui Liang,Guangchao Wang

DOI: https://doi.org/10.1145/3448734.3450926

2021-01-01

Abstract:Traffic anomaly detection plays an important role in effective prevention and timely handling of traffic accidents. However, currently traffic anomaly detection is still in its infancy, mainly depending on manual intervention, which not only consumes a lot of manpower, but also is unfavorable in timeliness. According to the characteristics of urban road traffic scenes, this paper proposes a MFnet network structure based on multiple fiber modules, aiming to realize fast extraction and real-time calculation of video streaming features via group convolution and sparse connectivity. In addition, the weakly-supervised multi-instance learning method is introduced for the training on application of traffic anomaly detection model, which reduces the difficulty of labeling sample videos and improves the capacity of traffic anomaly detection in complex scenarios. Experimental results based on real traffic video data show that this method proposed herein, compared to the existing traffic anomaly detection methods, is good in terms of detection accuracy and recall rate, and is efficient in traffic anomaly detection in actual traffic scenarios.

Xiaolong Liang

DOI: https://doi.org/10.1109/netcit54147.2021.00053

2021-12-01

Abstract:With the rapid development of network communication technology, the continuous deepening of Internet application and the increasing enrichment of information, the Internet has become an important infrastructure of human society. With the development of network technology and the increasing complexity of network topology, the supervision of network is facing great challenges. Among them, network traffic anomaly detection is one of the important tasks in network supervision. It is an indispensable technical means in network intrusion detection, security monitoring, operation and maintenance. Network security has become a problem faced by people. Anomaly detection is valued by people in academia and industry because it can detect unknown attacks. Researchers have proposed a large number of anomaly detection methods and systems. However, with the continuous growth of network bandwidth and the continuous progress of network attack and defense game, the network itself is in the process of dynamic evolution, and the means and methods of network attack are also evolving, resulting in the improvement of detection accuracy and accuracy of anomaly detection system Operational efficiency, security and ease of use are facing severe challenges. It is of great significance to propose anomaly detection methods with high detection accuracy and high operation efficiency and optimize existing detection algorithms. It is also a cutting-edge scientific problem of common concern in the field of global network security in academia and industry. Based on the prediction model and classifier, this paper proposes a real-time online anomaly detection method for network traffic, and systematically implements this method.

Fengqin Zuo,Damin Zhang,Lun Li,Qing He,Jiaxin Deng

DOI: https://doi.org/10.1016/j.heliyon.2024.e32087

IF: 3.776

2024-05-29

Heliyon

Abstract:One of the critical technologies to ensure cyberspace security is network traffic anomaly detection, which detects malicious attacks by analyzing and identifying network traffic behavior. The rapid development of the network has led to explosive growth in network traffic, which seriously impacts the user's information security. Researchers have delved into intrusion detection as an active defense technology to address this challenge. However, traditional machine learning methods struggle to capture complex threats and attack patterns when dealing with large-scale network data. In contrast, deep learning methods have the advantages of automatically extracting features from network traffic data and strong generalization capabilities. Aiming to enhance the ability of network anomaly traffic detection, this paper proposes a network traffic anomaly detection based on Deep Residual Shrinkage Network (DRSN), namely "GSOOA-1DDRSN". This method uses an improved Osprey optimization algorithm to select the most relevant and essential features in network traffic, reducing the features' dimensionality. For better detection performance of network traffic anomalies, a one-dimensional deep residual shrinkage network (1DDRSN) is designed as a classifier. Validation is performed using the NSL-KDD and UNSW-NB15 datasets and compared with other methods. The experimental results show that GSOOA-1DDRSN has improved multi-classification accuracy, precision, recall, and F1 Score by approximately 2 % and 3 %, respectively, compared to the 1DDRSN model on two datasets. Additionally, it reduces the time computation costs by 20 % and 30 % on these datasets. Furthermore, compared to other models, GSOOA-1DDRSN offers superior classification accuracy and effectively reduces the number of features.

Yueqin Ge,Xiaoyong Li,Binsi Cai

DOI: https://doi.org/10.1109/WCNC55385.2023.10118651

2023-01-01

Abstract:The rapid development of the Internet and the increasingly complex structure of network space make the network security situation more and more serious. Abnormal traffic detection is an important part of network intrusion detection and plays an important role in the field of network security. Traditional machine learning methods rely too much on feature selection and extraction and have high false positive rate and delay caused by abnormal behavior recognition. Deep learning models such as CNN and RNN have many parameters and long training time, which seriously affect the early warning function of network intrusion detection. Aiming at the problem that the parameter redundancy of deep learning models limits the corresponding model deployment in some scenarios and devices, this paper proposes a lightweight bit-operation abnormal traffic detection method based on XNOR-net convolutional neural network (XNOR-CNN). The model uses convolutional neural network(CNN) and long-short term memory(LSTM) to comprehensively analyze the temporal and spatial characteristics of network traffic, and predicts and classifies the attack behaviors in the future network traffic. In particular, the model transforms the complex convolution process into bit operation between vectors by XNOR operation, which reduces the storage of weight vectors and complex redundant calculation, greatly improves the speed of network training and reduces the consumption of network memory. In this paper, the accuracy and efficiency of XNOR-CNN model are proved through a large number of comparative experiments on real traffic datasets.

Xiao-Dong Zang,Jian Gong,Xiao-Yan Hu

DOI: https://doi.org/10.1109/access.2019.2914303

IF: 3.9

2019-01-01

IEEE Access

Abstract:Anomaly detection is the first step with a challenging task of securing a communication network, as the anomalies may indicate suspicious behaviors, attacks, network malfunctions, or failures. In this paper, we address the problem of not only detecting different anomalies, such as volume based (e.g., DDoS or Flash crowd) and spatial based (e.g., network scan), that arise simultaneously in the wild but also of attributing the anomalous point to a single-anomaly event causing it. Besides, we also tackle the problem of low-detection accuracy caused by the phenomenon of traffic drift. To this end, a novel adaptive profile-based anomaly detection scheme is proposed. More specifically, a more comprehensive metrics set is defined from the dimensions of temporal, spatial, category, and intensity to compose IP traffic behavior characteristic spectrum for fine-grained traffic characterization. Then, the digital signature matrix obtained by using the ant colony optimization (ACO) algorithm is applied to construct the baseline profile of the normal traffic behavior. Anomalous points are identified and analyzed by using confidence bands and a generic clustering technique, respectively. Finally, a lightweight updating strategy is applied to reduce the number of false positives. Real-world data of China Education Research Network backbone and synthetic data are collected to verify our proposal. The experimental results demonstrate that our approach provides a fine-grained behavior description ability and has significantly increased the detection accuracy compared with other similar alternatives.

Zhongyang Wang,Yijie Wang,Hongzuo Xu,Yongjun Wang

DOI: https://doi.org/10.1109/icpads53394.2021.00043

2021-01-01

Abstract:Mixed-type data with both categorical and numerical features are ubiquitous in network security, but the existing methods are minimal to deal with them. Existing methods usually process mixed-type data through feature conversion, whereas their performance is downgraded by information loss and noise caused by the transformation. Meanwhile, existing methods usually superimpose domain knowledge and machine learning in which fixed thresholds are used. It cannot dynamically adjust the anomaly threshold to the actual scenario, resulting in inaccurate anomalies obtained, which results in poor performance. To address these issues, this paper proposes a novel Anomaly Detection method based on Reinforcement Learning, termed ADRL, which uses reinforcement learning to dynamically search for thresholds and accurately obtain anomaly candidate sets, fusing domain knowledge and machine learning fully and promoting each other. Specifically, ADRL uses prior domain knowledge to label known anomalies and uses entropy and deep autoencoder in the categorical and numerical feature spaces, respectively, to obtain anomaly scores combining with known anomaly information, which are integrated to get the overall anomaly scores via a dynamic integration strategy. To obtain accurate anomaly candidate sets, ADRL uses reinforcement learning to search for the best threshold. Detailedly, it initializes the anomaly threshold to get the initial anomaly candidate set and carries on the frequent rule mining to the anomaly candidate set to form the new knowledge. Then, ADRL uses the obtained knowledge to adjust the anomaly score and get the score modification rate. According to the modification rate, different threshold modification strategies are executed, and the best threshold, that is, the threshold under the maximum modification rate, is finally obtained, and the modified anomaly scores are obtained. The scores are used to re-carry out machine learning to improve the algorithm's accuracy for anomalous data. Repeat the above process until the method is stable. We experiment on ten real network traffic datasets. Experiments show ADRL averagely improves ROC-AUC and PR-AUC than eight state-of-the-art competitors by 89.6% and 286.0%, respectively.

Yitu Wang,Takayuki Nakachi,Wei Wang

DOI: https://doi.org/10.1109/tnsm.2022.3218081

2023-01-01

IEEE Transactions on Network and Service Management

Abstract:The forecast of network traffic with arbitrary predicting horizon is a key enabler of smart management in next-generation networks, as sufficient amount of time can be provided for the proactive manipulation of network resources to maintain high quality transmission. Nevertheless, the evolving characteristic of network traffic challenges the current learning-based and data-driven algorithms on both prediction accuracy and computational complexity. In this work, we explore special properties of network traffic, which are further encoded into the Gaussian Process (GP)-based online learning framework, so as to better comprehend and predict future network traffic from a Bayesian perspective. Specifically, we proceed by three steps, 1). Observing network traffic is evolving, to explore and exploit the dynamic traffic patterns at different times and time-scales, we try to approximate the optimal kernel function of GP by utilizing a mixture of Gaussian to encode the dominant and several nondominant patterns. 2). As network traffic at different time-scales share several common patterns, we adopt Process Convolution (PConv) to fully exploit correlations among multiple subsequent time-slots, so as to facilitate network traffic forecast with large predicting horizon. 3). To promote the tracking capability of the proposed GP-PConv framework without significantly increasing the number of hyper-parameters to train, we slightly modify the GP-based prediction through Lyapunov optimization, which brings performance improvements both in terms of accuracy and computational complexity. Finally, we demonstrate the superiority of the proposed algorithm through simulation.

Yangrui HU,Xingshu CHEN,Junfeng WANG,Xiaoming YE

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.11.008

2016-01-01

Abstract:Real network environment lack of labeled data set, so traditional anomaly traffic detection method based on labeled data set is unsuitable for actual large-scale network. To resolve this, the paper proposes an improved k-means anomaly traffic detection method for unlabeled data sets. Firstly, collect the Sichuan University network outlet lfow and store in the distributed ifle system;secondly, construct user behavior feature set on the basis of network lfow analysis, and extract relevant characteristics by Spark big data processing platform. Referenced principles of group to define the normal behavior of clusters in the actual flow, construct normal flow behavior model on improved K-means++cosine clustering method;Finally, the cosine distance between the normal behavior model and user actual flow behavior is calculated to detected anomaly flow behavior. The feasibility and validity of the method are verified by attacking experiment. The experimental results show that the normal lfow behavior model for anomaly lfow detection has higher accuracy.

Bo Li,Simin Zhang,Ke Li

DOI: https://doi.org/10.1002/cpe.3955

2016-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryAnomaly detection plays a crucial part in identifying unforeseen attacks for network and information security. However, the accuracy of existing network anomaly detection approaches is limited because of the lack of sufficient and high‐quality features. Most research works only take information from one network layer into account, which leads to a situation that some key features of other network layers are omitted. To address this issue, we propose a novel approach, named Multi‐Layers Anomaly Detection, which extracts and combines features from different network layers. In order to reduce redundancy and noise derived from the combination of multiple layers, an algorithm called RanPF is designed by applying principal components analysis (PCA) into random forest (RF) algorithm. RanPF uses features selected by PCA to decide the height of every tree in RF and provides a method to select which features for tree nodes to use according to the weights of principal components. To obtain high‐quality features, we adopt an attribute learning mechanism. Naive Bayes is used to characterize the attribute information, which is fast and simple compared with other learning algorithms such as SVM. In addition, a series of experiments conducted on two real‐life datasets demonstrate that our approach outperforms the state‐of‐the‐art methods in terms of detection rate and false alarm rate. MLAD achieves about 99% detection rate and about 0.6% false alarm rate on average when the ratio of the training set is 60%. Copyright © 2016 John Wiley & Sons, Ltd.