Detecting Application-Layer Attacks Based on User's Application-Layer Behaviors

2013 ◽  
Vol 411-414 ◽  
pp. 607-612
Author(s):  
Bai Lin Xie ◽  
Sheng Yi Jiang

This paper presents an application-layer attack detection method based on the user's application-layer behaviors. In this method, the keywords of an application-layer protocol and their inter-arrival times are used as the observations, and a hidden semi-Markov model is used to describe the application-layer behaviors of a normal user of that protocol. This method is also based on anomaly detection. In theory, application-layer anomaly detection can identify known, unknown and novel attacks occurring at the application layer. The experimental results show that this method can identify several application-layer attacks, and has high detection accuracy and a low false positive ratio.

2014 ◽  
Vol 631-632 ◽  
pp. 923-927
Author(s):  
Bai Lin Xie ◽  
Qian Sheng Zhang

This paper presents an application-layer attack detection method based on hidden semi-Markov models. In this method, the keywords of an application-layer protocol and their inter-arrival times are used as the observations, and a hidden semi-Markov model is used to describe the application-layer behaviors of a normal user of some application-layer protocol. This method is also based on anomaly detection. In theory, application-layer anomaly detection can identify known, unknown and novel attacks occurring at the application layer. The experimental results show that this method can identify several application-layer attacks, and has high detection accuracy and a low false positive ratio.


2016 ◽  
Vol 8 (3) ◽  
pp. 327-333 ◽  
Author(s):  
Rimas Ciplinskas ◽  
Nerijus Paulauskas

New and existing methods of cyber-attack detection are constantly being developed and improved because there is a great number of attacks and a demand to protect against them. In practice, current methods of attack detection operate like antivirus programs, i.e. signatures of known attacks are created and attacks are detected by using them. These methods have a drawback: they cannot detect new attacks. As a solution, anomaly detection methods are used. They allow detecting deviations from normal network behaviour that may indicate a new type of attack. This article introduces a new method that allows detecting network flow anomalies by using the local outlier factor algorithm. The accomplished research allowed identifying the groups of features which showed the best results in anomalous flow detection according to the highest values of precision, recall and F-measure.

The abundance and variety of cyber-attacks, and the desire to protect against them, force the constant creation of new attack detection methods and the improvement of existing ones. As practice shows, current attack recognition methods essentially work on the principle of antivirus programs, i.e. templates of known attacks are built and attacks are detected on their basis, but the main drawback of such methods is the inability to detect new, as yet unknown attacks. To solve this problem, anomaly detection methods are employed, which allow detecting deviations from the normal state of the network. The article presents a new method that allows detecting anomalies in computer network packet flows using the local outlier factor algorithm. The research performed made it possible to find the groups of features with which anomalous network flows are recognised best, i.e. the highest values of precision, recall and F-measure are achieved.


2021 ◽  
Vol 2021 ◽  
pp. 1-7
Author(s):  
Xuguang Liu

Aiming at the anomaly detection problem in sensor data, traditional algorithms usually only focus on the continuity of single-source data and ignore the spatiotemporal correlation between multisource data, which reduces detection accuracy to a certain extent. Besides, due to the rapid growth of sensor data, centralized cloud computing platforms cannot meet the real-time detection needs of large-scale abnormal data. In order to solve this problem, a real-time detection method for abnormal data of IoT sensors based on edge computing is proposed. Firstly, sensor data is represented as time series; K-nearest neighbor (KNN) algorithm is further used to detect outliers and isolated groups of the data stream in time series. Secondly, an improved DBSCAN (Density Based Spatial Clustering of Applications with Noise) algorithm is proposed by considering spatiotemporal correlation between multisource data. It can be set according to sample characteristics in the window and overcomes the slow convergence problem using global parameters and large samples, then makes full use of data correlation to complete anomaly detection. Moreover, this paper proposes a distributed anomaly detection model for sensor data based on edge computing. It performs data processing on computing resources close to the data source as much as possible, which improves the overall efficiency of data processing. Finally, simulation results show that the proposed method has higher computational efficiency and detection accuracy than traditional methods and has certain feasibility.


2014 ◽  
Vol 644-650 ◽  
pp. 3291-3294
Author(s):  
Jing Lei Wang

The problem of malicious attack detection on campus networks is studied in order to improve the accuracy of detection. Malicious attack detection on campus networks is usually carried out in a conventional manner. If a malicious signature is mutated into a new feature, the conventional detection method cannot recognize the new malicious signature, resulting in a relatively low detection accuracy rate for malicious attacks. To avoid these problems, this paper proposes a malicious attack detection method for campus networks based on the support vector machine algorithm. The support vector machine classification plane is constructed to complete the malicious attack detection for the campus network. Experiments show that this approach can improve the accuracy rate of malicious attack detection and achieve satisfactory results.


2021 ◽  
Vol 37 ◽  
pp. 01016
Author(s):  
B N Ramkumar ◽  
T Subbulakshmi

Transmission Control Protocol synchronize (SYN) flooding contributes a major part of denial of service (DoS) attacks because of the easy-to-exploit nature of the TCP three-way handshake mechanism. Attackers use this weakness to overflow the TCP queue of the server and consume its resources, leaving it unavailable for the requests of legitimate users. So we are in need of a quick and precise defence mechanism to detect the TCP SYN flood attack. The main objective of the paper is to propose a detection and prevention mechanism for the TCP SYN flood attack using adaptive thresholding. The adaptive threshold algorithm (ATA) is used to calculate a dynamic threshold. Thus this algorithm helps to overcome the limitations of static thresholding, such as a high false positive ratio, and also alerts users after violation of the threshold calculated by the adaptive thresholding algorithm. The suggested mechanism is very effective in the detection and prevention of the TCP SYN flood attack using the adaptive thresholding algorithm.


2019 ◽  
Vol 8 (2) ◽  
pp. 3658-3663

In this paper, prominent keypoint-based features are compared in order to analyze their reliability and efficiency for forgery detection. Four features, specifically SURF, KAZE, Harris corner points and BRISK features, are used individually on a set of images. The method includes four phases: image pre-processing, keypoint detection, feature vector description and feature vector matching. In feature matching, MaxRatio has been chosen as the varying parameter for calculating the false positives and false negatives for each feature. MaxRatio defines the ratio for rejecting ambiguous matches of feature descriptors in the images. The optimal threshold value for MaxRatio is calibrated with the help of the trade-off between detection accuracy and false positive ratio. The changes in false negative ratio and false positive ratio are plotted in order to find the optimal threshold for detection accuracy. ROC curves are also plotted for each feature at different values of MaxRatio, and the areas under the ROC curves are calculated. The experiments are performed on two benchmark datasets, namely CASIA version 2.0 and MICC-F600. It has been observed from the experimental outcomes that KAZE features gave the best values for all the performance metrics, namely accuracy, precision, area under the ROC curve and F1-score, with little compromise in time complexity, whereas Harris corner points gave the worst results compared to the rest of the features. Further, in order to improve the execution time, the computation of the non-linear scale space in KAZE can be simplified, and GPU programming for real-time performance may also be used.


2021 ◽  
Vol 9 ◽  
Author(s):  
Zhaoyang Qu ◽  
Yunchang Dong ◽  
Nan Qu ◽  
Huashun Li ◽  
Mingshi Cui ◽  
...  

In the process of the detection of a false data injection attack (FDIA) in power systems, there are problems of complex data features and low detection accuracy. From the perspective of the correlation and redundancy of the essential characteristics of the attack data, a detection method of the FDIA in smart grids based on cyber-physical genes is proposed. Firstly, the principle and characteristics of the FDIA are analyzed, and the concept of the cyber-physical FDIA gene is defined. Considering the non-functional dependency and nonlinear correlation of cyber-physical data in power systems, the optimal attack gene feature set of the maximum mutual information coefficient is selected. Secondly, an unsupervised pre-training encoder is set to extract the cyber-physical attack gene. Combined with the supervised fine-tuning classifier to train and update the network parameters, the FDIA detection model with stacked autoencoder network is constructed. Finally, a self-adaptive cuckoo search algorithm is designed to optimize the model parameters, and a novel attack detection method is proposed. The analysis of case studies shows that the proposed method can effectively improve the detection accuracy and effect of the FDIA on cyber-physical power systems.


2016 ◽  
Vol 136 (3) ◽  
pp. 363-372
Author(s):  
Takaaki Nakamura ◽  
Makoto Imamura ◽  
Masashi Tatedoko ◽  
Norio Hirai

2015 ◽  
Vol 135 (12) ◽  
pp. 749-755
Author(s):  
Taiyo Matsumura ◽  
Ippei Kamihira ◽  
Katsuma Ito ◽  
Takashi Ono
