A robust anomaly detection method using a constant false alarm rate approach

Published: 01 May 2020

Abstract

With the rapid growth of information and communication technologies, the number of security threats in computer networks is increasing substantially, so more proactive security warning measures are required. In this work, we propose a new anomaly detection method that operates by decomposing TCP traffic into control and data planes, which exhibit similar behavior in the absence of attacks. The proposed method exploits the statistics of the cross-correlation function of the two planes' traffic together with the constant false alarm rate (CFAR) scheme to detect anomalies in the underlying network traffic. Both fixed and adaptive thresholding schemes are implemented. The adaptive threshold is set by adjusting its value in accordance with the local statistics of the cross-correlation function of the two planes' traffic. We evaluate the performance of the proposed method on real traffic captured from a deployed network and on traffic from other publicly available datasets, focusing on TCP traffic with three different aggregated count features: packet count, IP address count, and port count sequences. Although both the fixed and adaptive thresholding schemes perform well and detect the presence of a distributed denial-of-service attack efficiently, the adaptive thresholding scheme is more reliable because it detects anomalies as they start.
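The pipeline the abstract sketches (decompose, bin, cross-correlate, threshold with CFAR) is concrete enough to implement end to end. The block below is an added illustration, not the authors' code, and it fills in choices the abstract leaves open, each of which is an assumption of this example rather than a statement about the paper: a TCP segment with no payload is treated as control plane and one with payload as data plane; the statistic is the lag-0 cross-correlation R_cd(0) = (1/N) Σ c[n] d[n] of the two count sequences over consecutive non-overlapping windows, using raw rather than mean-removed products so that a volume surge in either plane inflates it; the fixed scheme estimates the background level once from a training period, while the adaptive scheme is cell-averaging CFAR with a trailing reference window and guard cells; the multiplier alpha = N(Pfa^(-1/N) - 1) is the textbook CA-CFAR value for an exponential background and serves only as a calibration knob here. The traffic is constructed inside `synthetic_capture` (request/response exchanges, a slow benign load ramp, then a spoofed SYN flood) and is not a real capture. `Packet`, `bin_feature`, `run_demo` and the other identifiers are this example's own. The packet-count and distinct-IP-count features from the abstract are both produced by `bin_feature`; a distinct-port count would be binned the same way.

```python
# Added illustration of the abstract's approach, not the authors' code.
# Choices the abstract does not state are marked ASSUMPTION.
import random
from typing import NamedTuple

class Packet(NamedTuple):
    t: float      # arrival time in seconds
    src: str      # source IP (used by the distinct-IP count feature)
    payload: int  # TCP payload bytes

def is_control(p):
    # ASSUMPTION: segments with no payload (SYN, SYN/ACK, pure ACK, FIN, RST) are
    # the control plane; segments carrying payload are the data plane.
    return p.payload == 0

def bin_feature(packets, interval, n_bins, feature="packets"):
    """Per-interval count sequence of `feature` ("packets" or "ips"), per plane."""
    cells = {name: [[0, set()] for _ in range(n_bins)] for name in ("control", "data")}
    for p in packets:
        b = int(p.t // interval)
        if 0 <= b < n_bins:
            cell = cells["control" if is_control(p) else "data"][b]
            cell[0] += 1
            cell[1].add(p.src)
    pick = (lambda c: c[0]) if feature == "packets" else (lambda c: len(c[1]))
    return [pick(c) for c in cells["control"]], [pick(c) for c in cells["data"]]

def cross_correlation(ctrl, data, lag=0):
    """R_cd(lag) = mean(ctrl[n+lag] * data[n]) over a window.  ASSUMPTION: raw
    products (not mean-removed), so a volume surge in either plane inflates it."""
    pairs = [(ctrl[n + lag], data[n]) for n in range(len(data) - lag)]
    return sum(c * d for c, d in pairs) / len(pairs)

def windowed_statistic(ctrl, data, window):
    """Lag-0 cross-correlation of consecutive non-overlapping windows."""
    return [cross_correlation(ctrl[s:s + window], data[s:s + window])
            for s in range(0, len(ctrl) - window + 1, window)]

def cfar_scale(pfa, n_ref):
    """CA-CFAR multiplier alpha = N (Pfa^(-1/N) - 1).  ASSUMPTION: exact only for
    i.i.d. exponential reference cells; on traffic it is a knob to calibrate."""
    return n_ref * (pfa ** (-1.0 / n_ref) - 1.0)

def fixed_threshold(stat, n_train, pfa):
    """Fixed scheme: background level estimated once from n_train clean windows."""
    return cfar_scale(pfa, n_train) * sum(stat[:n_train]) / n_train

def detect_fixed(stat, threshold):
    return [i for i, s in enumerate(stat) if s > threshold]

def detect_adaptive(stat, n_ref, n_guard, pfa):
    """Cell-averaging CFAR: threshold = alpha * mean of the n_ref windows behind
    the cell under test; n_guard cells keep an onset out of its own estimate."""
    alpha = cfar_scale(pfa, n_ref)
    return [i for i in range(n_ref + n_guard, len(stat))
            if stat[i] > alpha * sum(stat[i - n_guard - n_ref:i - n_guard]) / n_ref]

def synthetic_capture(seed=7, interval=1.0, n_bins=800, ramp=(200, 600, 4.0),
                      attack=(700, 750, 5000)):
    """Constructed traffic, not a real capture: request/response exchanges, a
    benign load ramp to ramp[2]x over bins ramp[0]..ramp[1], and a spoofed SYN
    flood of attack[2] SYNs per bin over bins attack[0]..attack[1]."""
    rng = random.Random(seed)
    pkts = []
    for b in range(n_bins):
        t0 = b * interval
        scale = 1.0 + (ramp[2] - 1.0) * min(1.0, max(0.0, (b - ramp[0]) / (ramp[1] - ramp[0])))
        for _ in range(int(rng.randint(20, 40) * scale)):
            t = t0 + rng.random() * interval
            client = f"10.0.{rng.randint(0, 9)}.{rng.randint(1, 254)}"
            pkts.append(Packet(t, client, rng.randint(100, 1400)))  # data segment
            pkts.append(Packet(t, "192.0.2.10", 0))                  # server's pure ACK
            if rng.random() < 0.1:  # new connection: SYN, SYN/ACK, FIN, all payload-free
                pkts += [Packet(t, client, 0), Packet(t, "192.0.2.10", 0), Packet(t, client, 0)]
        if attack[0] <= b < attack[1]:
            for _ in range(attack[2]):  # spoofed SYNs: control plane only, no data follows
                spoofed = ".".join(str(rng.randint(1, 254)) for _ in range(4))
                pkts.append(Packet(t0 + rng.random() * interval, spoofed, 0))
    return pkts

def run_demo(feature="packets", window=10, pfa=1e-3):
    ctrl, data = bin_feature(synthetic_capture(), 1.0, 800, feature)
    stat = windowed_statistic(ctrl, data, window)
    thr = fixed_threshold(stat, n_train=20, pfa=pfa)  # first 200 s taken as attack-free
    return {"attack_windows": list(range(700 // window, 750 // window)),
            "fixed": detect_fixed(stat, thr),
            "adaptive": detect_adaptive(stat, n_ref=16, n_guard=2, pfa=pfa)}

if __name__ == "__main__":
    for feature in ("packets", "ips"):
        r = run_demo(feature)
        print(feature, "attack", r["attack_windows"], "fixed", r["fixed"], "adaptive", r["adaptive"])
```

Running it shows the two behaviours the abstract contrasts. The fixed threshold, calibrated on the quiet start of the capture, trips during the benign load ramp long before the flood, whereas the adaptive threshold tracks the ramp and fires at the first attack window. It also exposes the standard CA-CFAR caveat of self-masking: once the trailing reference cells fill with attack windows, the threshold rises above the attack itself and the alarms stop before the flood ends, so a deployed detector needs a longer guard interval, an ordered-statistic or censored reference, or a frozen reference while an alarm is active, otherwise it learns the attack as background. The Pfa passed in is nominal only: count-based cross-correlation values are neither exponential nor i.i.d., so the achieved false-alarm rate has to be measured on attack-free traffic rather than read off the formula.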

Cited By

  • (2022) Cyber Security of Smart Metering Infrastructure Using Median Absolute Deviation Methodology. Security and Communication Networks, 2022. https://doi.org/10.1155/2022/6200121 (online publication date: 1 Jan 2022)
  • (2021) A study on manufacturing facility safety system using multimedia tools for cyber physical systems. Multimedia Tools and Applications 80(26-27):34553-34570. https://doi.org/10.1007/s11042-020-09925-z (online publication date: 1 Nov 2021)

Published In

Multimedia Tools and Applications, Volume 79, Issue 17-18
May 2020
1446 pages

Publisher

Kluwer Academic Publishers

United States

Publication History

Published: 01 May 2020
Accepted: 03 January 2020
Revision received: 12 December 2019
Received: 05 May 2019

Author Tags

  1. Anomaly detection
  2. Constant false alarm rate
  3. Cross-correlation
  4. Volume-based anomalies

Qualifiers

  • Research-article
