Xianbo Zhang,Chao Wang,Jing Zhang,Feng Lin,Zezhou Li

DOI: https://doi.org/10.1109/ddcls55054.2022.9858500

2022-01-01

Abstract:The multivariate time series (MTS) is observed in various fields nowadays so as to monitor the operating status of equipment like server machines, satellites, engines, etc. Tasks like anomaly detection and anomaly pattern classification of MTS, accordingly, are of great importance to fault warning and system stability. Data-driven methods are increasingly becoming prevailing regarding these problems with a huge amount of input information. In this paper, we propose a new architecture where MTS is processed as images and fed into an attention-based CNN-LSTM network (AC-LSTM). CNN-LSTM network is responsible for extracting both spatial and temporal features among and within each dimension of MTS, while the modified attention mechanism helps promote reasonable weight allocations without the introduction of additional parameters. The proposed model firstly gives the result of anomaly detection and makes a further decision on anomaly classifications if the input is detected as an abnormal one. With the modified attention mechanism and the cooperation of CNN and LSTM, experiments on both public datasets and the operation data collected from real-world applications prove the effectiveness and promotion of the proposed model.

Pramita Sree Muhuri,Prosenjit Chatterjee,Xiaohong Yuan,Kaushik Roy,Albert Esterline

DOI: https://doi.org/10.3390/info11050243

2020-05-01

Information

Abstract:An intrusion detection system (IDS) identifies whether the network traffic behavior is normal or abnormal or identifies the attack types. Recently, deep learning has emerged as a successful approach in IDSs, having a high accuracy rate with its distinctive learning mechanism. In this research, we developed a new method for intrusion detection to classify the NSL-KDD dataset by combining a genetic algorithm (GA) for optimal feature selection and long short-term memory (LSTM) with a recurrent neural network (RNN). We found that using LSTM-RNN classifiers with the optimal feature set improves intrusion detection. The performance of the IDS was analyzed by calculating the accuracy, recall, precision, f-score, and confusion matrix. The NSL-KDD dataset was used to analyze the performances of the classifiers. An LSTM-RNN was used to classify the NSL-KDD datasets into binary (normal and abnormal) and multi-class (Normal, DoS, Probing, U2R, and R2L) sets. The results indicate that applying the GA increases the classification accuracy of LSTM-RNN in both binary and multi-class classification. The results of the LSTM-RNN classifier were also compared with the results using a support vector machine (SVM) and random forest (RF). For multi-class classification, the classification accuracy of LSTM-RNN with the GA model is much higher than SVM and RF. For binary classification, the classification accuracy of LSTM-RNN is similar to that of RF and higher than that of SVM.

Waseem Ullah,Amin Ullah,Ijaz Ul Haq,Khan Muhammad,Muhammad Sajjad,Sung Wook Baik

DOI: https://doi.org/10.1007/s11042-020-09406-3

IF: 2.577

2020-08-20

Multimedia Tools and Applications

Abstract:In current technological era, surveillance systems generate an enormous volume of video data on a daily basis, making its analysis a difficult task for computer vision experts. Manually searching for unusual events in these massive video streams is a challenging task, since they occur inconsistently and with low probability in real-world surveillance. In contrast, deep learning-based anomaly detection reduces human labour and its decision making ability is comparatively reliable, thereby ensuring public safety. In this paper, we present an efficient deep features-based intelligent anomaly detection framework that can operate in surveillance networks with reduced time complexity. In the proposed framework, we first extract spatiotemporal features from a series of frames by passing each one to a pre-trained Convolutional Neural Network (CNN) model. The features extracted from the sequence of frames are valuable in capturing anomalous events. We then pass the extracted deep features to multi-layer Bi-directional Long Short-term Memory (BD-LSTM) model, which can accurately classify ongoing anomalous/normal events in complex surveillance scenes of smart cities. We performed extensive experiments on various anomaly detection benchmark datasets to validate the functionality of the proposed framework within complex surveillance scenarios. We reported a 3.41% and 8.09% increase in accuracy on UCF-Crime and UCFCrime2Local datasets compared to state-of-the-art methods.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Eduardo Lopez,Kamran Sartipi

DOI: https://doi.org/10.48550/arXiv.2007.11956

2020-07-21

Abstract:Information systems enable many organizational processes in every industry. The efficiencies and effectiveness in the use of information technologies create an unintended byproduct: misuse by existing users or somebody impersonating them - an insider threat. Detecting the insider threat may be possible if thorough analysis of electronic logs, capturing user behaviors, takes place. However, logs are usually very large and unstructured, posing significant challenges for organizations. In this study, we use deep learning, and most specifically Long Short Term Memory (LSTM) recurrent networks for enabling the detection. We demonstrate through a very large, anonymized dataset how LSTM uses the sequenced nature of the data for reducing the search space and making the work of a security analyst more effective.

Cryptography and Security,Machine Learning

Aiguo Chen,Yang Fu,Xu Zheng,Guoming Lu

DOI: https://doi.org/10.1016/j.cose.2021.102600

2022-03-01

Abstract:The Internet environment is exposed to diverse and increasingly numerous intrusion attacks due to its continuously expanding scale, threatening the information and assets of individuals and companies. The application of machine learning and deep learning methods has significantly improved the performance of network behavior anomaly detection (NBAD). However, existing NBAD methods based on machine learning classify network behaviors with hand-selected feature vectors, which are not flexible enough to adapt to various cyber environments and new categories of attacks, resulting in low accuracy. Moreover, high-dimensional and large-scale data have significantly increased the training, retraining, and detection time, resulting in low scalability. To solve these problems, an efficient NBAD algorithm based on deep belief networks (DBN) and long short-term memory (LSTM) networks is proposed. First, a nonlinear feature extraction method using a DBN is applied to extract features automatically and reduce the dimension of the original data while guaranteeing accuracy. Then, a light-structure LSTM network is used to obtain the classification results. The results of multiple experiments show that the proposed approach performs well in feature learning and has high accuracy while obtaining results in a timely manner and easily updating the model.

computer science, information systems

Soheil Vosta,Kin-Choong Yow,Soheil Vosta,Kin-Choong Yow

DOI: https://doi.org/10.3390/app12031021

2022-01-19

Applied Sciences

Abstract:Surveillance cameras have been increasingly used in many public and private spaces in recent years to increase the security of those areas. Although many companies still recruit someone to monitor the cameras, the person recruited is more likely to miss some abnormal events in the camera feeds due to human error. Therefore, monitoring surveillance cameras could be a waste of time and energy. On the other hand, many researchers worked on surveillance data and proposed several methods to detect abnormal events automatically. As a result, if any anomalous happens in front of the surveillance cameras, it can be detected immediately. Therefore, we introduced a model for detecting abnormal events in the surveillance camera feed. In this work, we designed a model by implementing a well-known convolutional neural network (ResNet50) for extracting essential features of each frame of our input stream followed by a particular schema of recurrent neural networks (ConvLSTM) for detecting abnormal events in our time-series dataset. Furthermore, in contrast with previous works, which mainly focused on hand-crafted datasets, our dataset took real-time surveillance camera feeds with different subjects and environments. In addition, we classify normal and abnormal events and show the method’s ability to find the right category for each anomaly. Therefore, we categorized our data into three main and essential categories: the first groups mainly need firefighting service, while the second and third categories are about thefts and violent behaviour. We implemented the proposed method on the UCF-Crime dataset and achieved 81.71% in AUC, higher than other models like C3D on the same dataset. Our future work focuses on adding an attention layer to the existing model to detect more abnormal events.

Miguel Villarreal-Vasquez,Gaspar Modelo-Howard,Simant Dube,Bharat Bhargava,Gaspar Modelo Howard

DOI: https://doi.org/10.1109/tdsc.2021.3135639

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Insider threats are one of the most difficult problems to solve, given the privileges and information available to insiders to launch different types of attacks. Current security systems can record and analyze sequences from a deluge of log data, potentially becoming a tool to detect insider threats. The issue is that insiders mix the sequence of attack steps with valid actions, reducing the capacity of security systems to programmatically detect the attacks. To address this shortcoming, we introduce LADOHD, an anomaly detection framework based on Long-Short Term Memory (LSTM) models, which learns the expected event patterns in a computer system to identify attack sequences even when attacks span for a long time. The applicability of the framework is demonstrated on a dataset of 38.9 million events collected from a commercial network of 30 computers over twenty days and where a 4-day long insider threat attack occurs. Results show that LADOHD outperforms the anomaly detection system used to protect the commercial network with a True Positive Rate of 97.29% and a False Positive Rate of 0.38%. Experiments also show that LSTMs have higher prediction precision in variable-length sequences than methods like Hidden Markov Models, a crucial requirement in sequence-analysis-based anomaly detection techniques.

computer science, information systems, software engineering, hardware & architecture

Jingxi Liang,Wen Zhao,Wei Ye

DOI: https://doi.org/10.1145/3171592.3171594

2017-01-01

Abstract:As the era of cloud technology arises, more and more people are beginning to migrate their applications and personal data to the cloud. This makes web-based applications an attractive target for cyber-attacks. As a result, web-based applications now need more protections than ever. However, current anomaly-based web attack detection approaches face the difficulties like unsatisfying accuracy and lack of generalization. And the rule-based web attack detection can hardly fight unknown attacks and is relatively easy to bypass. Therefore, we propose a novel deep learning approach to detect anomalous requests. Our approach is to first train two Recurrent Neural Networks (RNNs) with the complicated recurrent unit (LSTM unit or GRU unit) to learn the normal request patterns using only normal requests unsupervisedly and then supervisedly train a neural network classifier which takes the output of RNNs as the input to discriminate between anomalous and normal requests. We tested our model on two datasets and the results showed that our model was competitive with the state-of-the-art. Our approach frees us from feature selection. Also to the best of our knowledge, this is the first time that the RNN is applied on anomaly-based web attack detection systems.

Wei Dai,Xinhui Li,Wenxin Ji,Sicheng He

DOI: https://doi.org/10.1109/access.2024.3384528

IF: 3.9

2024-04-20

IEEE Access

Abstract:To address the issue of low detection accuracy and high false positive rate in existing network intrusion detection methods, this paper proposes an intrusion detection model based on CNN-BiLSTM-Attention. Firstly, CNN is used to extract the spatial features from the intrusion data; Secondly, BiLSTM is used to mine the temporal features from the intrusion data further; Thirdly, the attention mechanism is used to assign different weights to the extracted spatiotemporal features and then enhance the role of important features in the calculation process, which can improve the classification accuracy of the model. In addition, for the problem of class imbalance existing in network intrusion data, Equalization Loss v2 is introduced as the loss function of the CNN-BiLSTM-Attention model, making the model pay more attention to minority class data during the training process, thereby improving the detection rate of the model for the minority class data. Finally, comparative experiments are conducted on NSL-KDD, UNSW-NB15, and CIC-DDoS2019 datasets. The experimental results show that the CNN-BiLSTM-Attention model outperforms the other models in terms of accuracy, detection rate, and false positive rate.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jingxi Liang,Wen Zhao,Wei Ye

DOI: https://doi.org/10.1145/3171592.3171594

2017-01-01

Abstract:As the era of cloud technology arises, more and more people are beginning to migrate their applications and personal data to the cloud. This makes web-based applications an attractive target for cyber-attacks. As a result, web-based applications now need more protections than ever. However, current anomaly-based web attack detection approaches face the difficulties like unsatisfying accuracy and lack of generalization. And the rule-based web attack detection can hardly fight unknown attacks and is relatively easy to bypass. Therefore, we propose a novel deep learning approach to detect anomalous requests. Our approach is to first train two Recurrent Neural Networks (RNNs) with the complicated recurrent unit (LSTM unit or GRU unit) to learn the normal request patterns using only normal requests unsupervisedly and then supervisedly train a neural network classifier which takes the output of RNNs as the input to discriminate between anomalous and normal requests. We tested our model on two datasets and the results showed that our model was competitive with the state-of-the-art. Our approach frees us from feature selection. Also to the best of our knowledge, this is the first time that the RNN is applied on anomaly-based web attack detection systems.

Jay Sinha,M. Manollas

DOI: https://doi.org/10.1145/3430199.3430224

2020-06-26

Abstract:The need for Network Intrusion Detection systems has risen since usage of cloud technologies has become mainstream. With the ever growing network traffic, Network Intrusion Detection is a critical part of network security and a very efficient NIDS is a must, given new variety of attack arises frequently. These Intrusion Detection systems are built on either a pattern matching system or AI/ML based anomaly detection system. Pattern matching methods usually have a high False Positive Rates whereas the AI/ML based method, relies on finding metric/feature or correlation between set of metrics/features to predict the possibility of an attack. The most common of these is KNN, SVM etc., operate on a limited set of features and have less accuracy and still suffer from higher False Positive Rates. In this paper, we propose a deep learning model combining the distinct strengths of a Convolutional Neural Network and a Bi-directional LSTM to incorporate learning of spatial and temporal features of the data. For this paper, we use publicly available datasets NSL-KDD and UNSW-NB15 to train and test the model. The proposed model offers a high detection rate and comparatively lower False Positive Rate. The proposed model performs better than many state-of-the-art Network Intrusion Detection systems leveraging Machine Learning/Deep Learning models.

Ashish Kamra,Evimaria Terzi,Elisa Bertino

DOI: https://doi.org/10.1007/s00778-007-0051-4

2007-05-17

The VLDB Journal

Abstract:A considerable effort has been recently devoted to the development of Database Management Systems (DBMS) which guarantee high assurance and security. An important component of any strong security solution is represented by Intrusion Detection (ID) techniques, able to detect anomalous behavior of applications and users. To date, however, there have been few ID mechanisms proposed which are specifically tailored to function within the DBMS. In this paper, we propose such a mechanism. Our approach is based on mining SQL queries stored in database audit log files. The result of the mining process is used to form profiles that can model normal database access behavior and identify intruders. We consider two different scenarios while addressing the problem. In the first case, we assume that the database has a Role Based Access Control (RBAC) model in place. Under a RBAC system permissions are associated with roles, grouping several users, rather than with single users. Our ID system is able to determine role intruders, that is, individuals while holding a specific role, behave differently than expected. An important advantage of providing an ID technique specifically tailored to RBAC databases is that it can help in protecting against insider threats. Furthermore, the existence of roles makes our approach usable even for databases with large user population. In the second scenario, we assume that there are no roles associated with users of the database. In this case, we look directly at the behavior of the users. We employ clustering algorithms to form concise profiles representing normal user behavior. For detection, we either use these clustered profiles as the roles or employ outlier detection techniques to identify behavior that deviates from the profiles. Our preliminary experimental evaluation on both real and synthetic database traces shows that our methods work well in practical situations.

computer science, information systems, hardware & architecture

Chaopeng Li,Jinlin Wang,Xiaozhou Ye

DOI: https://doi.org/10.14704/nq.2018.16.5.1391

2018-01-01

NeuroQuantology

Abstract:In the studies of intrusion detection/prevention systems (IDS/IPS) and network security situational awareness, malicious traffic detection has been given significantly more attention to prevent malicious traffic. Meanwhile, with the development of machine learning technology, an increasing number of algorithms and models have been employed for attack detection. Previous studies generally used common and typical machine learning models such as SVM, KNN, or a random forest. However, the bottleneck of these types of approaches is two-fold. The input of the model is constructed using the feature engineering method of artificially designed representation, which requires a substantial amounts expertise. Additionally, most detection methods ignore the temporal information between network packets in one micro-flow. In this paper, we regard malicious traffic detection as a classification task and propose a hybrid model that combines a recurrent neural network (RNN) with restricted Boltzmann machines (RBM) which take byte-level raw data as input without feature engineering. Specifically, distributed embedding is utilized to pre-process network data to make it more suitable for deep neural network models. Subsequently, an RBM model is used to extract the feature vectors of the network packets and an RNN model is used to extract the flow feature vector. Finally, the flow vectors are sent to the Softmax layer to obtain the detection result. Experiments based on the ISCX-2012 and DARPA-1998 published datasets show that our proposed RNN-RBM model has a greater detection accuracy, recall rate, and lower false alarm rate than most traditional machine learning models. This proves the effectiveness of the proposed RNN-RBM model in malicious traffic detection.

Rikhi Ram Jagat,Dilip Singh Sisodia,Pradeep Singh

DOI: https://doi.org/10.1109/tsc.2024.3453748

IF: 11.019

2024-10-11

IEEE Transactions on Services Computing

Abstract:Web attacks penetrate the web applications' security through unauthorized access to sensitive information, disrupting services, and stealing data. Conventionally, rule-based statistical methods distinguish attackers from legitimate users. However, the training through manually extracted weblog features is time-consuming and requires subject expertise. Additionally, the supervised attack classification method needs massive, labeled weblog data, which is expensive and unfeasible. Also, the unsupervised classification techniques have resolved the labeled data insufficiency problem, but their detection performance is unreliable. Recent studies focus on recognizing web attacks through deep neural network-based anomaly detection. Hence, this study proposes an anomaly detection-based Variational LSTM Autoencoder Deviation Network (VLADEN) for recognizing web attacks from weblogs. This work resolves the aforementioned issues by extracting the aberrant information encoded in weblog request data to detect web attacks. VLADEN works in three stages: data preprocessing, anomaly and reference score generation, and classification. The variational LSTM self-encoding-based reference score generation ensures that the anomaly score deviates from the normal data. The proposed model is experimentally validated on three publicly available datasets (CSIS2010, FWAF, and HTTPParams) and evaluated using AUC-ROC and AUC-PR-based evaluation metrics. The results demonstrate the models' superior performance in detecting attack requests with minimum domain knowledge and labeled data.

computer science, information systems, software engineering

Li Siyi

DOI: https://doi.org/10.1109/APCT58752.2023.00009

2023-01-01

Abstract:Currently, methods to prevent common high-risk Web intrusion technologies such as SQL injection, XSS cross-site scripting, Webshell, etc., include precompiled SQL statements, Httponly, feature matching, regular filtering, global filtering of user input, etc. However, based on traditional intrusion detection models, complex Web intrusion technologies cannot be effectively identified. High false alarm rate, poor timeliness and other problems. Therefore, a one-layer RBM structure training model for common high-risk Web intrusion detection techniques is proposed in this paper, and the effectiveness and superiority of the proposed model are verified by experiments. It only needs to analyze and extract the required features of the model, and these features can be input into the model to detect the attack behavior in real time. The attack characteristics of these intrusion techniques are analyzed and the requests obtained from the URL are used as training data, including the SQL injection data set obtained by Tamper injection in the secondary development of SQLMAP. The deep Belief network (DBN) model is used to train the selected features and the collected sample data. Finally, an optimal model of SQL injection, XSS cross-site scripting, Webshell attack can be recognized, and real-time detection can be realized online.

Computer Science

Anh Truong,Austin Walters,Jeremy Goodsitt

DOI: https://doi.org/10.48550/arXiv.2012.09597

2020-12-17

Abstract:Named Entity Recognition has been extensively investigated in many fields. However, the application of sensitive entity detection for production systems in financial institutions has not been well explored due to the lack of publicly available, labeled datasets. In this paper, we use internal and synthetic datasets to evaluate various methods of detecting NPI (Nonpublic Personally Identifiable) information commonly found within financial institutions, in both unstructured and structured data formats. Character-level neural network models including CNN, LSTM, BiLSTM-CRF, and CNN-CRF are investigated on two prediction tasks: (i) entity detection on multiple data formats, and (ii) column-wise entity prediction on tabular datasets. We compare these models with other standard approaches on both real and synthetic data, with respect to F1-score, precision, recall, and throughput. The real datasets include internal structured data and public email data with manually tagged labels. Our experimental results show that the CNN model is simple yet effective with respect to accuracy and throughput and thus, is the most suitable candidate model to be deployed in the production environment(s). Finally, we provide several lessons learned on data limitations, data labelling and the intrinsic overlap of data entities.

Machine Learning

Steven Yen,Melody Moh,Teng-Sheng Moh

DOI: https://doi.org/10.1109/icmla.2019.00217

2019-12-01

Abstract:Computer systems utilize logging to record events of interest. These logs are a rich source of information, and can be analyzed to detect attacks, failures, and many other issues. Due to the automated generation of logs by computer processes, the volume and throughput of logs can be extremely large, limiting the effectiveness of manual analysis. Rule-based systems were introduced to automatically detect issues based on rules written by experts. However, these systems can only detect known issues for which related rules exist in the rule-set. On the other hand, anomaly detection (AD) approaches can detect unknown issues. This is achieved by looking for unusual behaviors significantly different from the norm. In this paper, we target the problem of semi-supervised log anomaly detection, where the only training data available are normal logs from a baseline period. We propose a novel hybrid model called "CausalConvLSTM" for modeling log sequences that takes advantage of Convolutional Neural Network’s (CNN) ability to efficiently extract spatial features in a parallel fashion, and Long Short-Term Memory (LSTM) network’s superior ability to capture sequential relationships. Another major challenge faced by anomaly detection systems is concept drift, which is the change in normal system behavior over time. We proposed and evaluated concrete strategies for retraining neural-network (NN) anomaly detection systems to adapt to concept drift.

Zou, Tao

DOI: https://doi.org/10.1007/s11277-024-11041-2

IF: 2.017

2024-05-10

Wireless Personal Communications

Abstract:The confidentiality and safety of managerial information are now important in the rapidly changing field of digital administration. Using the improved features of 6G Internet of Things (IoT) technology, this study presents a novel approach for anomaly and illegal access detection designed for administrative management systems. The widespread use of Internet of Things (IoT) gadgets in administrative activities has made it difficult for standard security procedures to identify complex anomalies and intrusions adequately. By utilising the high-speed, quick, and enormous connection properties of 6G networks, our research seeks to close this distance. In the existing work, the CNN and RNN method is challenging for IoT devices, it works on limited resources, it is time-consuming during the data labelling. The proposed anomaly detection framework uses Autoencoders (AE) with a Multi-Layer Perceptron (MLP) method for administrative management data anomaly access detection. Initially, the dataset is collected with the help of 6G IoT devices and then pre-processed. Next the feature is compressed and extracted using Autoencoders, it compresses the input data, and it emphasises the intrinsic patterns and features to define the expected behaviour of data. Finally, the MLP is used to classify the input and normal and anomalous data. This work uses Three different datasets: NSL_KDD, UNSW_NB2015 and CICDDOD2019. The experimental results use parameters such as accuracy, f1-score, false negative rate and confusion matrix. As a result of administrative management data anomaly detection, the proposed work AE-MLP identifies breaches and classifies the normal and anomalous data efficiently.

telecommunications

Yung-Chung Wang,Yi-Chun Houng,Han-Xuan Chen,Shu-Ming Tseng

DOI: https://doi.org/10.3390/s23042171

IF: 3.9

2023-02-16

Sensors

Abstract:The prevalence of internet usage leads to diverse internet traffic, which may contain information about various types of internet attacks. In recent years, many researchers have applied deep learning technology to intrusion detection systems and obtained fairly strong recognition results. However, most experiments have used old datasets, so they could not reflect the latest attack information. In this paper, a current state of the CSE-CIC-IDS2018 dataset and standard evaluation metrics has been employed to evaluate the proposed mechanism. After preprocessing the dataset, six models—deep neural network (DNN), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM), CNN + RNN and CNN + LSTM—were constructed to judge whether network traffic comprised a malicious attack. In addition, multi-classification experiments were conducted to sort traffic into benign traffic and six categories of malicious attacks: BruteForce, Denial-of-service (DoS), Web Attacks, Infiltration, Botnet, and Distributed denial-of-service (DDoS). Each model showed a high accuracy in various experiments, and their multi-class classification accuracy were above 98%. Compared with the intrusion detection system (IDS) of other papers, the proposed model effectively improves the detection performance. Moreover, the inference time for the combinations of CNN + RNN and CNN + LSTM is longer than that of the individual DNN, RNN and CNN. Therefore, the DNN, RNN and CNN are better than CNN + RNN and CNN + LSTM for considering the implementation of the algorithm in the IDS device.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation