Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Bin Zhang,Jia-Hai Yang,Jian-Ping Wu,Ying-Wu Zhu

DOI: https://doi.org/10.1007/s11390-012-1225-0

2012-01-01

Abstract:Network traffic anomalies are unusual changes in a network, so diagnosing anomalies is important for network management. Feature-based anomaly detection models (ab)normal network traffic behavior by analyzing packet header features. PCA-subspace method (Principal Component Analysis) has been verified as an efficient feature-based way in network-wide anomaly detection. Despite the powerful ability of PCA-subspace method for network-wide traffic detection, it cannot be effectively used for detection on a single link. In this paper, different from most works focusing on detection on flow-level traffic, based on observations of six traffic features for packet-level traffic, we propose a new approach B6-SVM to detect anomalies for packet-level traffic on a single link. The basic idea of B6-SVM is to diagnose anomalies in a multi-dimensional view of traffic features using Support Vector Machine (SVM). Through two-phase classification, B6-SVM can detect anomalies with high detection rate and low false alarm rate. The test results demonstrate the effectiveness and potential of our technique in diagnosing anomalies. Further, compared to previous feature-based anomaly detection approaches, B6-SVM provides a framework to automatically identify possible anomalous types. The framework of B6-SVM is generic and therefore, we expect the derived insights will be helpful for similar future research efforts.

Hanghang Tong,Chongrong Li,Jingrui He,Jiajian Chen,Quang-Anh Tran,Haixin Duan,Xing Li

DOI: https://doi.org/10.1007/11427469_77

2005-01-01

Abstract:As a crucial issue in computer network security, anomaly detection is receiving more and more attention from both application and theoretical point of view. In this paper, a novel anomaly detection scheme is proposed. It can detect anomaly network traffic which has extreme large value on some original feature by the major component, or does not follow the correlation structure of normal traffic by the minor component. By introducing kernel trick, the non-linearity of network traffic can be well addressed. To save the processing time, a simplified version is also proposed, where only major component is adopted. Experimental results validate the effectiveness of the proposed scheme.

Tao Yang,Weijie Hao,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.eswa.2023.120668

IF: 8.5

2023-01-01

Expert Systems with Applications

Abstract:Industrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system's security and reliability. However, existing research on network traffic anomaly detection for ICPS has several limitations. First, most traffic anomaly detection models focus on centralized detection. Thus, all traffic packets have to be uploaded to the control center for detection, which leads to a heavy traffic load. However, real-time and reliable communication is crucial to ICPSs. The heavy traffic load may cause communication delays or packets lost by corruption. Second, Seasonal AutoRegressive Integrated Moving Average (SARIMA) is popular in ICPS network traffic anomaly detection. However, most SARIMA-based detection models can only detect anomalous traffic once. Thus, they are unable to detect anomalies continuously and are not suitable for actual ICPS. Third, the features extracted from network traffic affect the classification performance. However, most existing feature extraction models cannot sufficiently extract traffic features, leading to poor detection performance. To address the limitations above, this paper proposes a cloud-edge coordinated network traffic anomaly detection approach. The proposed approach consists of a set of anomalous traffic alarm models deployed in the edge areas and an anomalous traffic analysis model deployed in the cloud. The former is implemented based on Improved Online SARIMA (IOSARIMA) algorithm that can detect anomalous traffic continuously and upload it to the cloud for further analysis, filtering massive normal traffic packets and making traffic load smaller. The anomalous traffic analysis model consists of a feature extraction algorithm and a Convolutional Neural Network (CNN) classifier, which can sufficiently extract traffic features and identify the attack types precisely. The proposed anomaly detection approach is extensively evaluated on a realistic ICPS testbed, including 3 edges (i.e., power generation, power transmission and power distribution) and a cloud consisting of an engineering workstation and a Supervisory Control And Data Acquisition (SCADA) workstation. The experimental results confirm the smaller traffic load and better detection performance, compared with the existing detection models.

Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

Qian Ma,Cong Sun,Baojiang Cui

DOI: https://doi.org/10.1155/2021/2170788

IF: 1.968

2021-11-20

Security and Communication Networks

Abstract:New vulnerabilities and ever-evolving network attacks pose great threats to today’s cyberspace security. Anomaly detection in network traffic is a promising and effective technique to enhance network security. In addition to traditional statistical analysis and rule-based detection techniques, machine learning models are introduced for intelligent detection of abnormal traffic data. In this paper, a novel model named SVM-C is proposed for the anomaly detection in network traffic. The URLs in the network traffic log are transformed into feature vectors via statistical laws and linear projection. The obtained feature vectors are fed into a support vector machine (SVM) classifier and classified as normal or abnormal. Based on the idea of SVM and clustering, we construct an optimization model to train the parameters of the feature extraction method and traffic classifier. Numerical tests indicate that the proposed model outperforms the state of the arts on all the tested datasets.

computer science, information systems,telecommunications

Tao Yang,Jinming Wang,Weijie Hao,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.48550/arXiv.2204.09942

2022-04-21

Cryptography and Security

Abstract:Industrial control systems (ICSs) are facing increasing cyber-physical attacks that can cause catastrophes in the physical system. Efficient anomaly detection models in the industrial sensor networks are essential for enhancing ICS reliability and security, due to the sensor data is related to the operational state of the ICS. Considering the limited availability of computing resources, this paper proposes a hybrid anomaly detection approach in cloud-edge collaboration industrial sensor networks. The hybrid approach consists of sensor data detection models deployed at the edges and a sensor data analysis model deployed in the cloud. The sensor data detection model based on Gaussian and Bayesian algorithms can detect the anomalous sensor data in real-time and upload them to the cloud for further analysis, filtering the normal sensor data and reducing traffic load. The sensor data analysis model based on Graph convolutional network, Residual algorithm and Long short-term memory network (GCRL) can effectively extract the spatial and temporal features and then identify the attack precisely. The proposed hybrid anomaly detection approach is evaluated using a benchmark dataset and baseline anomaly detection models. The experimental results show that the proposed approach can achieve an overall 11.19% increase in Recall and an impressive 14.29% improvement in F1-score, compared with the existing models.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Tirthankar Ghosh,Sikha Bagui,Subhash Bagui,Martin Kadzis,Jackson Bare

DOI: https://doi.org/10.3390/jcp3040041

2023-12-01

Journal of Cybersecurity and Privacy

Abstract:This article presents a statistical approach using entropy and classification-based analysis to detect anomalies in industrial control systems traffic. Several statistical techniques have been proposed to create baselines and measure deviation to detect intrusion in enterprise networks with a centralized intrusion detection approach in mind. Looking at traffic volume alone to find anomalous deviation may not be enough—it may result in increased false positives. The near real-time communication requirements, coupled with the lack of centralized infrastructure in operations technology and limited resources of the sensor motes, require an efficient anomaly detection system characterized by these limitations. This paper presents extended results from our previous work by presenting a detailed cluster-based entropy analysis on selected network traffic features. It further extends the analysis using a classification-based approach. Our detailed entropy analysis corroborates with our earlier findings that, although some degree of anomaly may be detected using univariate and bivariate entropy analysis for Denial of Service (DOS) and Man-in-the-Middle (MITM) attacks, not much information may be obtained for the initial reconnaissance, thus preventing early stages of attack detection in the Cyber Kill Chain. Our classification-based analysis shows that, overall, the classification results of the DOS attacks were much higher than the MITM attacks using two Modbus features in addition to the three TCP/IP features. In terms of classifiers, J48 and random forest had the best classification results and can be considered comparable. For the DOS attack, no resampling with the 60–40 (training/testing split) had the best results (average accuracy of 97.87%), but for the MITM attack, the 80–20 non-attack vs. attack data with the 75–25 split (average accuracy of 82.81%) had the best results.

computer science, information systems, interdisciplinary applications, software engineering

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Junjie Cen,Yongbo Li

DOI: https://doi.org/10.1155/2022/6155925

2022-03-31

Wireless Communications and Mobile Computing

Abstract:To address the problem of poor detection performance of existing intrusion detection methods in the environment of high-dimensional massive data with uneven class distribution, a deep learning-based anomaly traffic detection method in cloud computing environment is proposed. First, the fuzzy C -means (FCM) algorithm is introduced and is combined with the general regression neural network (GRNN) to cluster the samples to be classified in the original space by FCM. Then, the GRNN model is trained and the center point is updated using the sample closest to the FCM clustering center until a stable cluster center is obtained. The parameters in FCM-GRNN are optimized using the global optimization feature of the modified fruit fly optimization algorithm (MFOA), and the optimal spread value is found using the three-dimensional search method through an iterative search. Finally, experiments are conducted based on the KDD CUP99 dataset, and the results demonstrate that the detection rate (DR) and false alarm rate (FAR) of the proposed FCM-MFOA-GRNN method are 91% and 1.176%, respectively, which are better than those of the comparison methods. Therefore, the proposed method has good anomaly traffic detection ability.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wang Jianyuan,Gu Chengcheng,Liu Kechen

DOI: https://doi.org/10.3389/fenrg.2022.984473

IF: 3.4

2022-08-31

Frontiers in Energy Research

Abstract:This study aims at investigating the applicability of abnormal electricity consumption data detection method, which is based on the entropy weight method and the isolated forest tree algorithm. The inaccessibility and imbalance of abnormal electricity consumption samples in actual data sets are considered by analyzing smart distribution network power consumption big data. Firstly, the users are classified by the k-means clustering algorithm, and then the characteristics of each type of user are extracted and the feature set is processed by the principal component analysis method to reduce the dimensions, followed by the entropy weight method adaptive configuration of the weight coefficients of each feature index, and finally the abnormal power consumption users are calculated based on the feature-weighted isolated forest algorithm. The algorithm verifies the real electricity consumption data of 6,445 users, and the results show that the method has a high detection accuracy, recall rate and F1 score, which is more suitable for the detection of abnormal electricity consumption in scenarios when there are complex and diverse user power consumption behaviors.

energy & fuels

牛国林,管晓宏,龙毅,秦涛

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.04.009

2009-01-01

Abstract:Based on tradeoffs analysis of abnormal behavior and detection methods,a multi-source traffic features analysis and abnormal detection method was proposed.The distribution characteristics of the flow size,IP addresses and ports were analyzed and found to be efficacious in traffic patterns analysis.The Renyi entropy was employed to fuse the multi-source information captured by different traffic features,and an abnormal behavior detection method was presented.Beacause of using the multi-source information,the models could detect many kinds of abnormal behaviors,which was an impossible mission for many other traditional abnormal detection methods.The experimental results based on actual network data show that the proposed abnormal detection methods are effective in detecting known and unknown attacks with high-accuracy detection rate and low complexity.

Serenje Macdonald,Mkandawire Mtende

DOI: https://doi.org/10.26634/jcom.11.4.20650

2024-01-01

Abstract:The rapid growth of network infrastructures and the increasing volume of data transmitted through them have led to a critical need for efficient and accurate anomaly detection systems in network transport. This paper proposes a novel anomaly detection system that utilizes machine learning techniques to identify abnormal patterns and deviations in network traffic. The proposed system follows a multi-layered approach, starting with the collection of network traffic data from various sources, including routers, switches, and gateways. The data is then preprocessed to extract relevant features and eliminate noise. Feature extraction is carried out using statistical, time-series, and flow-based analysis to capture the inherent characteristics of network communication. Machine learning algorithms, such as neural networks, or in this case, auto-encoders, will be trained to learn the patterns of normal network behavior and subsequently detect deviations from these patterns as anomalies. The system provides alerts and notifications to network administrators, allowing prompt investigation and response to potential security threats or network performance issues. It effectively differentiates between benign and malicious network activities, enabling network administrators to take proactive measures to secure their infrastructure and ensure uninterrupted communication.

Tao Qin,Zhaoli Liu,Pinghui Wang,Shancang Li,Xiaohong Guan,Lixin Gao

DOI: https://doi.org/10.1109/tifs.2019.2933731

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Anomaly detection is an important technique used to identify patterns of unusual network behavior and keep the network under control. Today, network attacks are increasing in terms of both their number and sophistication. To avoid causing significant traffic patterns and being detected by existing techniques, many new attacks tend to involve gradual adjustment of behaviors, which always generate incomplete sessions due to their running mechanisms. Accordingly, in this work, we employ the behavior symmetry degree to profile the anomalies and further identify unusual behaviors. We first proposed a symmetry degree to identify the incomplete sessions generated by unusual behaviors; we then employ a sketch to calculate the symmetry degree of internal hosts to improve the identification efficiency for online applications. To reduce the memory cost and probability of collision, we divide the IP addresses into four segments that can be used as keys of the hash functions in the sketch. Moreover, to further improve detection accuracy, a threshold selection method is proposed for dynamic traffic pattern analysis. The hash functions in the sketch are then designed using Chinese remainder theory, which can analytically trace the IP addresses associated with the anomalies. We tested the proposed techniques based on traffic data collected from the northwest center of CERNET (China Education and Research Network); the results show that the proposed methods can effectively detect anomalies in large-scale networks.

Guolou Ping,Shuo Feng,Yehao Li,Xiaojun Ye

DOI: https://doi.org/10.1109/iccc56324.2022.10065635

2022-01-01

Abstract:To address the challenge of lacking labeling information in network traffic anomaly detection, we propose an unsupervised anomaly detection algorithm based on cascading representation and multiple-clustering. First, this paper designs a cascading representation method to obtain discriminative traffic features. We create a residual auto-encoder that employs generative learning to capture generic statistical expressions. We augment the time-series features in various ways and leverage contrastive learning to capture discriminative representations. We develop a host identification task based on triplet loss, enhancing feature discrimination in addition to cascading two feature representations. Second, we design a multiple-clustering-based algorithm for anomalous traffic detection. By performing KMeans on the cascading feature representations, we obtained clustering centers to replace each cluster and avoid the problem of unbalanced abnormal traffic. By applying DBSACAN clustering with a tree structure to these clustering centers and using the height of the anomalies to calculate the traffic anomaly score, we can detect abnormal network traffic flexibly. Finally, we conducted experimental validation on several commonly used intrusion detection datasets. The experimental results show that the method proposed in this paper generally outperforms the comparison methods.