Cyber situational awareness through network anomaly detection: state of the art and new approaches

Ivo Friedberg; Florian Skopik; Roman Fiedler

doi:10.1007/s00502-015-0287-4

Cyber situational awareness through network anomaly detection: state of the art and new approaches

e & i Elektrotechnik und Informationstechnik ◽

10.1007/s00502-015-0287-4 ◽

2015 ◽

Vol 132 (2) ◽

pp. 101-105 ◽

Cited By ~ 7

Author(s):

Ivo Friedberg ◽

Florian Skopik ◽

Roman Fiedler

Keyword(s):

Anomaly Detection ◽

Situational Awareness ◽

State Of The Art ◽

New Approaches ◽

Network Anomaly Detection

Download Full-text

Multiresolution dendritic cell algorithm for network anomaly detection

PeerJ Computer Science ◽

10.7717/peerj-cs.749 ◽

2021 ◽

Vol 7 ◽

pp. e749

Author(s):

David Limon-Cantu ◽

Vicente Alarcon-Aquino

Keyword(s):

Information Systems ◽

Dendritic Cell ◽

Anomaly Detection ◽

State Of The Art ◽

Denial Of Service ◽

Series Data ◽

Time Frequency ◽

Computer Services ◽

Dendritic Cell Algorithm ◽

Network Anomaly Detection

Anomaly detection in computer networks is a complex task that requires the distinction of normality and anomaly. Network attack detection in information systems is a constant challenge in computer security research, as information systems provide essential services for enterprises and individuals. The consequences of these attacks could be the access, disclosure, or modification of information, as well as denial of computer services and resources. Intrusion Detection Systems (IDS) are developed as solutions to detect anomalous behavior, such as denial of service, and backdoors. The proposed model was inspired by the behavior of dendritic cells and their interactions with the human immune system, known as Dendritic Cell Algorithm (DCA), and combines the use of Multiresolution Analysis (MRA) Maximal Overlap Discrete Wavelet Transform (MODWT), as well as the segmented deterministic DCA approach (S-dDCA). The proposed approach is a binary classifier that aims to analyze a time-frequency representation of time-series data obtained from high-level network features, in order to classify data as normal or anomalous. The MODWT was used to extract the approximations of two input signal categories at different levels of decomposition, and are used as processing elements for the multi resolution DCA. The model was evaluated using the NSL-KDD, UNSW-NB15, CIC-IDS2017 and CSE-CIC-IDS2018 datasets, containing contemporary network traffic and attacks. The proposed MRA S-dDCA model achieved an accuracy of 97.37%, 99.97%, 99.56%, and 99.75% for the tested datasets, respectively. Comparisons with the DCA and state-of-the-art approaches for network anomaly detection are presented. The proposed approach was able to surpass state-of-the-art approaches with UNSW-NB15 and CSECIC-IDS2018 datasets, whereas the results obtained with the NSL-KDD and CIC-IDS2017 datasets are competitive with machine learning approaches.

Download Full-text

A DOUBLE-SHRINK AUTOENCODER FOR NETWORK ANOMALY DETECTION

Journal of Computer Science and Cybernetics ◽

10.15625/1813-9663/36/2/14578 ◽

2020 ◽

Vol 36 (2) ◽

pp. 159-172

Author(s):

Cong Thanh Bui ◽

Loi Cao Van ◽

Minh Hoang ◽

Quang Uy Nguyen

Keyword(s):

Machine Learning ◽

Anomaly Detection ◽

State Of The Art ◽

The State ◽

The Internet ◽

Learning Methods ◽

Network Attacks ◽

Machine Learning Methods ◽

Pull Out ◽

Network Anomaly Detection

The rapid development of the Internet and the wide spread of its applications has affected many aspects of our life. However, this development also makes the cyberspace more vulnerable to various attacks. Thus, detecting and preventing these attacks are crucial for the next development of the Internet and its services. Recently, machine learning methods have been widely adopted in detecting network attacks. Among many machine learning methods, AutoEncoders (AEs) are known as the state-of-the-art techniques for network anomaly detection. Although, AEs have been successfully applied to detect many types of attacks, it is often unable to detect some difficult attacks that attempt to mimic the normal network traffic. In order to handle this issue, we propose a new model based on AutoEncoder called Double-Shrink AutoEncoder (DSAE). DSAE put more shrinkage on the normal data in the middle hidden layer. This helps to pull out some anomalies that are very similar to normal data. DSAE are evaluated on six well-known network attacks datasets. The experimental results show that our model performs competitively to the state-of-the-art model, and often out-performs this model on the attacks group that is difficult for the previous methods.

Download Full-text