Promising techniques for anomaly detection on network traffic

2017 ◽  
Vol 14 (3) ◽  
pp. 597-609
Author(s):  
Hui Tian ◽  
Jingtian Liu ◽  
Meimei Ding

In various networks, anomalies may happen due to network breakdown, intrusion detection, and end-to-end traffic changes. Detecting these anomalies is important for diagnosis, fault reporting, capacity planning and so on. However, it's challenging to detect these anomalies with a high accuracy rate and time efficiency. Existing works are mainly classified into two streams, anomaly detection on link traffic and on global traffic. In this paper we discuss various anomaly detection methods on both types of traffic and compare their performance.

2021 ◽  
Author(s):  
Shiwei Wang ◽  
Haizhou Du ◽  
Lin Liu ◽  
Zhenyu Lin

2021 ◽  
Vol 50 ◽  
pp. 37-48
Author(s):  
Panos Panagiotou ◽  
Notis Mengidis ◽  
Theodora Tsikrika ◽  
Stefanos Vrochidis ◽  
Ioannis Kompatsiaris

2019 ◽  
Vol 8 (4) ◽  
pp. 4668-4671

A Distributed Denial of Service (DDoS) attack is one of the major threats in the cyber network; it attacks computers by flooding them with User Datagram packets. These types of attacks cause major problems in the network by crashing the system with a large volume of traffic aimed at the victim, making the victim idle so that it does not respond to requests. To detect this DDoS attack, a traditional intrusion detection system is not suitable for handling a huge volume of data. Hadoop is a framework which handles a huge volume of data and is used to process the data to find any malicious activity in it. In this research paper, an anomaly detection technique is implemented in a MapReduce algorithm which detects unusual patterns of data in the network traffic. To design the proposed model, the MapReduce platform is used to hold the improvised algorithm, which detects DDoS attacks by filtering and sorting the network traffic and detects the unusual pattern in the network. The improvised MapReduce algorithm is implemented with MapReduce functionalities at the stage of verifying the network IPS. This proposed algorithm focuses on the UDP flooding attack using an anomaly-based intrusion detection system technique, which detects the kind of pattern and flow of packets in the node that exceeds the threshold and also identifies the source code causing the UDP flood attack.


2020 ◽  
Vol 2020 ◽  
pp. 1-21
Author(s):  
S. T. Zhang ◽  
X. B. Lin ◽  
L. Wu ◽  
Y. Q. Song ◽  
N. D. Liao ◽  
...  

Due to the diversity and complexity of power network system platforms, some traditional network traffic detection methods work well for small sample datasets. However, the network data detection of complex power metering system platforms has problems of low accuracy and high false-positive rate. In this paper, through a combination of exploration and feedback, a solution for power network traffic anomaly detection based on multilayer echo state network (ML-ESN) is proposed. This method first relies on the Pearson and Gini coefficient method to calculate the statistical distribution and correlation of network flow characteristics and then uses the ML-ESN method to classify the network attacks abnormally. Because the ML-ESN method abandons the backpropagation mechanism, the nonlinear fitting ability of the model is solved. In order to verify the effectiveness of the proposed method, a simulation test was conducted on the UNSW_NB15 network security dataset. The test results show that the average accuracy of this method is more than 97%, which is significantly better than single-layer echo state network, shallow BP neural network, and some traditional machine learning methods.


Information ◽  
2019 ◽  
Vol 10 (8) ◽  
pp. 262
Author(s):  
Ying Zhao ◽  
Junjun Chen ◽  
Di Wu ◽  
Jian Teng ◽  
Nabin Sharma ◽  
...  

Anomaly detection of network traffic flows is a non-trivial problem in the field of network security due to the complexity of network traffic. However, most machine learning-based detection methods focus on network anomaly detection but ignore user anomaly behavior detection. In real scenarios, anomalous network behavior may harm the user's interests. In this paper, we propose an anomaly detection model based on time-decay closed frequent patterns to address this problem. The model mines closed frequent patterns from the network traffic of each user and uses a time-decay factor to distinguish the weight of current and historical network traffic. Because of the dynamic nature of user network behavior, a detection model update strategy is provided in the anomaly detection framework. Additionally, the closed frequent patterns can provide interpretable explanations for anomalies. Experimental results show that the proposed method can detect user behavior anomalies, and the network anomaly detection performance achieved by the proposed method is similar to the state-of-the-art methods and significantly better than the baseline methods.


Author(s):  
Florian Gottwalt ◽  
Elizabeth J. Chang ◽  
Tharam S. Dillon

One promising method to detect cyber-crime is anomaly detection, which enables one to detect new, unseen attacks. Despite this ability, anomaly detection methods have only limited utilization in practice, due to the high number of false alarms generated. Recent research has shown that the number of false alarms can be reduced drastically by considering the context in which these alarms occur. However, important questions remain: what does context mean in the realm of anomaly detection, and how can it be incorporated to identify potential cyber-crime? To address these questions, this chapter provides novel definitions of context and contextual anomaly detection methods. Based on these, a new taxonomy is proposed for contextual anomaly detection methods, which organizes the methods by the specific problems they address. Further, the chapter highlights the potential of contextual anomaly detection for the reduction of false alarms, particularly for network anomaly detection, and provides an introduction and holistic overview of the field for professionals and researchers.


2021 ◽  
Vol 11 (4) ◽  
pp. 1674
Author(s):  
Nuno Oliveira ◽  
Isabel Praça ◽  
Eva Maia ◽  
Orlando Sousa

With the latest advances in information and communication technologies, greater amounts of sensitive user and corporate information are shared continuously across the network, making it susceptible to an attack that can compromise data confidentiality, integrity, and availability. Intrusion Detection Systems (IDS) are important security mechanisms that can perform the timely detection of malicious events through the inspection of network traffic or host-based logs. Many machine learning techniques have proven to be successful at conducting anomaly detection throughout the years, but only a few considered the sequential nature of data. This work proposes a sequential approach and evaluates the performance of a Random Forest (RF), a Multi-Layer Perceptron (MLP), and a Long Short-Term Memory (LSTM) on the CIDDS-001 dataset. The resulting performance measures of this particular approach are compared with the ones obtained from a more traditional one, which only considers individual flow information, in order to determine which methodology best suits the concerned scenario. The experimental outcomes suggest that anomaly detection can be better addressed from a sequential perspective. The LSTM is a highly reliable model for acquiring sequential patterns in network traffic data, achieving an accuracy of 99.94% and an F1-score of 91.66%.


2019 ◽  
Vol 8 (4) ◽  
pp. 4908-4917

System security is an essential concern nowadays for huge organizations. Intrusion Detection Systems (IDS) are becoming irreplaceable for successful assurance against intrusions that are continually changing in size and intricacy. With information honesty, privacy and accessibility, they must be solid, simple to oversee and of low upkeep cost. Different adjustments are being applied to IDS consistently to recognize new intrusions and handle them. This paper proposes a model based on a combination of ensemble classification for network traffic anomaly detection. Intrusion detection systems try to perform in real time, but they cannot be improved due to the network connections. This research paper is trying to implement an intrusion detection system (IDS) using an ensemble method for misuse as well as anomaly detection, for HIDS- and NIDS-based systems also. This system used various individual classification methods and its ensemble model on the KDD99 and NSL-KDD data sets to check the performance of the model. It also checks the performance on real-time network traffic created using our own attack creator and sent to the remote machine which has our proposed IDS system. This system used a training rule set as background knowledge, generated by a genetic algorithm. The ensemble approach contains three algorithms: Naive Bayes, Artificial Neural Network and J48. Ensemble classifiers are applied on network packets mapped with the GA rule set and generate the result. Finally, our proposed model produces the highest detection rate and a lower false negative ratio compared to others. It also finds the accuracy for each attack type.


Author(s):  
Mohammad Rasool Fatemi ◽  
Ali A. Ghorbani

System logs are one of the most important sources of information for anomaly and intrusion detection systems. In a general log-based anomaly detection system, network, device, and host logs are all collected and used together for analysis and the detection of anomalies. However, the ever-increasing volume of logs remains one of the main challenges that anomaly detection tools face. Based on Sysmon, this chapter proposes a host-based log analysis system that detects anomalies without using network logs, to reduce the volume and to show the importance of host-based logs. The authors implement a Sysmon parser to parse and extract features from the logs and use them to perform detection methods on the data. The valuable information is successfully retained after two extensive volume reduction steps. An anomaly detection system is proposed and run on five different datasets with up to 55,000 events, which detects the attacks using the preserved logs. The analysis results demonstrate the significance of host-based logs in auditing, security monitoring, and intrusion detection systems.

