Unsupervised Anomaly Detectors to Detect Intrusions in the Current Threat Landscape

Tommaso Zoppi; Andrea Ceccarelli; Tommaso Capecchi; Andrea Bondavalli

doi:10.1145/3441140

Unsupervised Anomaly Detectors to Detect Intrusions in the Current Threat Landscape

ACM/IMS Transactions on Data Science ◽

10.1145/3441140 ◽

2021 ◽

Vol 2 (2) ◽

pp. 1-26

Author(s):

Tommaso Zoppi ◽

Andrea Ceccarelli ◽

Tommaso Capecchi ◽

Andrea Bondavalli

Keyword(s):

Intrusion Detection ◽

Anomaly Detection ◽

Binary Classification ◽

Clustering Algorithms ◽

Good Alternative ◽

Experimental Comparison ◽

Support Vector ◽

Self Organizing Maps ◽

Wide Range ◽

The Individual

Anomaly detection aims at identifying unexpected fluctuations in the expected behavior of a given system. It is acknowledged as a reliable answer to the identification of zero-day attacks to such extent, several ML algorithms that suit for binary classification have been proposed throughout years. However, the experimental comparison of a wide pool of unsupervised algorithms for anomaly-based intrusion detection against a comprehensive set of attacks datasets was not investigated yet. To fill such gap, we exercise 17 unsupervised anomaly detection algorithms on 11 attack datasets. Results allow elaborating on a wide range of arguments, from the behavior of the individual algorithm to the suitability of the datasets to anomaly detection. We conclude that algorithms as Isolation Forests, One-Class Support Vector Machines, and Self-Organizing Maps are more effective than their counterparts for intrusion detection, while clustering algorithms represent a good alternative due to their low computational complexity. Further, we detail how attacks with unstable, distributed, or non-repeatable behavior such as Fuzzing, Worms, and Botnets are more difficult to detect. Ultimately, we digress on capabilities of algorithms in detecting anomalies generated by a wide pool of unknown attacks, showing that achieved metric scores do not vary with respect to identifying single attacks.

Download Full-text

Performance comparison of intrusion detection system based anomaly detection using artificial neural network and support vector machine

10.1063/1.4958506 ◽

2016 ◽

Cited By ~ 6

Author(s):

Aditya Nur Cahyo ◽

Risanuri Hidayat ◽

Dani Adhipta

Keyword(s):

Neural Network ◽

Artificial Neural Network ◽

Support Vector Machine ◽

Intrusion Detection ◽

Anomaly Detection ◽

Intrusion Detection System ◽

Detection System ◽

Performance Comparison ◽

Support Vector ◽

Artificial Neural

Download Full-text

Hybrid Intrusion Detection Framework for Ad hoc networks

International Journal of Information Security and Privacy ◽

10.4018/ijisp.2016100101 ◽

2016 ◽

Vol 10 (4) ◽

pp. 1-32 ◽

Cited By ~ 5

Author(s):

Abdelaziz Amara Korba ◽

Mehdi Nafaa ◽

Salim Ghanemi

Keyword(s):

Intrusion Detection ◽

Anomaly Detection ◽

Ad Hoc Networks ◽

Intrusion Detection System ◽

Ad Hoc ◽

Detection System ◽

Security Framework ◽

Detection Techniques ◽

Wide Range ◽

Hoc Networks

In this paper, a cluster-based hybrid security framework called HSFA for ad hoc networks is proposed and evaluated. The proposed security framework combines both specification and anomaly detection techniques to efficiently detect and prevent wide range of routing attacks. In the proposed hierarchical architecture, cluster nodes run a host specification-based intrusion detection system to detect specification violations attacks such as fabrication, replay, etc. While the cluster heads run an anomaly-based intrusion detection system to detect wormhole and rushing attacks. The proposed specification-based detection approach relies on a set of specifications automatically generated, while anomaly-detection uses statistical techniques. The proposed security framework provides an adaptive response against attacks to prevent damage to the network. The security framework is evaluated by simulation in presence of malicious nodes that can launch different attacks. Simulation results show that the proposed hybrid security framework performs significantly better than other existing mechanisms.

Download Full-text

COMPUTER INTRUSION DETECTION WITH CLASSIFICATION AND ANOMALY DETECTION, USING SVMs

International Journal of Pattern Recognition and Artificial Intelligence ◽

10.1142/s0218001403002459 ◽

2003 ◽

Vol 17 (03) ◽

pp. 441-458 ◽

Cited By ~ 20

Author(s):

MIKE FUGATE ◽

JAMES R. GATTIKER

Keyword(s):

Support Vector Machine ◽

Intrusion Detection ◽

Anomaly Detection ◽

Mahalanobis Distance ◽

Supervised Classification ◽

Cyber Attacks ◽

Support Vector ◽

Joint Performance ◽

Modeling And Prediction ◽

Computer Intrusion Detection

This paper describes experiences and results applying Support Vector Machine (SVM) to a Computer Intrusion Detection (CID) dataset. First, issues in supervised classification are discussed, then the incorporation of anomaly detection enhancing the modeling and prediction of cyber-attacks. SVM methods are seen as competitive with benchmark methods and other studies, and are used as a standard for the anomaly detection investigation. The anomaly detection approaches compare one class SVMs with a thresholded Mahalanobis distance to define support regions. Results compare the performance of the methods and investigate joint performance of classification and anomaly detection. The dataset used is the DARPA/KDD-99 publicly available dataset of features from network packets, classified into nonattack and four-attack categories.

Download Full-text

An efficient hybrid system for anomaly detection in social networks

Cybersecurity ◽

10.1186/s42400-021-00074-w ◽

2021 ◽

Vol 4 (1) ◽

Author(s):

Md. Shafiur Rahman ◽

Sajal Halder ◽

Md. Ashraf Uddin ◽

Uzzal Kumar Acharjee

Keyword(s):

Machine Learning ◽

Social Networks ◽

Social Network ◽

Anomaly Detection ◽

Research Area ◽

Machine Learning Algorithms ◽

Security And Privacy ◽

Support Vector ◽

The Social ◽

Wide Range

AbstractAnomaly detection has been an essential and dynamic research area in the data mining. A wide range of applications including different social medias have adopted different state-of-the-art methods to identify anomaly for ensuring user’s security and privacy. The social network refers to a forum used by different groups of people to express their thoughts, communicate with each other, and share the content needed. This social networks also facilitate abnormal activities, spread fake news, rumours, misinformation, unsolicited messages, and propaganda post malicious links. Therefore, detection of abnormalities is one of the important data analysis activities for the identification of normal or abnormal users on the social networks. In this paper, we have developed a hybrid anomaly detection method named DT-SVMNB that cascades several machine learning algorithms including decision tree (C5.0), Support Vector Machine (SVM) and Naïve Bayesian classifier (NBC) for classifying normal and abnormal users in social networks. We have extracted a list of unique features derived from users’ profile and contents. Using two kinds of dataset with the selected features, the proposed machine learning model called DT-SVMNB is trained. Our model classifies users as depressed one or suicidal one in the social network. We have conducted an experiment of our model using synthetic and real datasets from social network. The performance analysis demonstrates around 98% accuracy which proves the effectiveness and efficiency of our proposed system.

Download Full-text

LC-IDS: Loci-Constellation-Based Intrusion Detection for Reconfigurable Wireless Networks

Electronics ◽

10.3390/electronics10243053 ◽

2021 ◽

Vol 10 (24) ◽

pp. 3053

Author(s):

Jaime Zuniga-Mejia ◽

Rafaela Villalpando-Hernandez ◽

Cesar Vargas-Rosales ◽

Mahdi Zareei

Keyword(s):

Wireless Networks ◽

Intrusion Detection ◽

Anomaly Detection ◽

Dimensional Space ◽

Temporal Structure ◽

Detection Performance ◽

Detection Accuracy ◽

Routing Attacks ◽

Network Intrusion ◽

Wide Range

Detection accuracy of current machine-learning approaches to intrusion detection depends heavily on feature engineering and dimensionality-reduction techniques (e.g., variational autoencoder) applied to large datasets. For many use cases, a tradeoff between detection performance and resource requirements must be considered. In this paper, we propose Loci-Constellation-based Intrusion Detection System (LC-IDS), a general framework for network intrusion detection (detection of already known and previously unknown routing attacks) for reconfigurable wireless networks (e.g., vehicular ad hoc networks, unmanned aerial vehicle networks). We introduce the concept of ‘attack-constellation’, which allows us to represent all the relevant information for intrusion detection (misuse detection and anomaly detection) on a latent 2-dimensional space that arises naturally by considering the temporal structure of the input data. The attack/anomaly-detection performance of LC-IDS is analyzed through simulations in a wide range of network conditions. We show that for all the analyzed network scenarios, we can detect known attacks, with a good detection accuracy, and anomalies with low false positive rates. We show the flexibility and scalability of LC-IDS that allow us to consider a dynamic number of neighboring nodes and routing attacks in the ‘attack-constellation’ in a distributed fashion and with low computational requirements.

Download Full-text

VOLTA: adVanced mOLecular neTwork Analysis

Bioinformatics ◽

10.1093/bioinformatics/btab642 ◽

2021 ◽

Author(s):

Alisa Pavel ◽

Antonio Federico ◽

Giusy del Giudice ◽

Angela Serra ◽

Dario Greco

Keyword(s):

Network Analysis ◽

Clustering Algorithms ◽

Expression Patterns ◽

Direct Access ◽

Supplementary Information ◽

Complete Analysis ◽

Wide Range ◽

Novice Users ◽

Analytical Step ◽

The Individual

Abstract Motivation Network analysis is a powerful approach to investigate biological systems. It is often applied to study gene co-expression patterns derived from transcriptomics experiments. Even though co-expression analysis is widely used, there is still a lack of tools that are open and customizable on the basis of different network types and analysis scenarios (e.g. through function accessibility), but are also suitable for novice users by providing complete analysis pipelines. Results We developed VOLTA, a Python package suited for complex co-expression network analysis. VOLTA is designed to allow users direct access to the individual functions, while they are also provided with complete analysis pipelines. Moreover, VOLTA offers when possible multiple algorithms applicable to each analytical step (e.g. multiple community detection or clustering algorithms are provided), hence providing the user with the possibility to perform analysis tailored to their needs. This makes VOLTA highly suitable for experienced users who wish to build their own analysis pipelines for a wide range of networks as well as for novice users for which a ‘plug and play’ system is provided. Availability and implementation The package and used data are available at GitHub: https://github.com/fhaive/VOLTA and 10.5281/zenodo.5171719. Supplementary information Supplementary data are available at Bioinformatics online.

Download Full-text

Mobile Anomaly Detection Based on Improved Self-Organizing Maps

Mobile Information Systems ◽

10.1155/2017/5674086 ◽

2017 ◽

Vol 2017 ◽

pp. 1-9 ◽

Cited By ~ 3

Author(s):

Chunyong Yin ◽

Sun Zhang ◽

Kwang-jun Kim

Keyword(s):

Anomaly Detection ◽

Mobile Devices ◽

Clustering Algorithms ◽

Recall Rate ◽

Accuracy Rate ◽

Optimal Method ◽

Self Organizing Maps ◽

Different Characteristics ◽

Precision Rate ◽

Self Organizing

Anomaly detection has always been the focus of researchers and especially, the developments of mobile devices raise new challenges of anomaly detection. For example, mobile devices can keep connection with Internet and they are rarely turned off even at night. This means mobile devices can attack nodes or be attacked at night without being perceived by users and they have different characteristics from Internet behaviors. The introduction of data mining has made leaps forward in this field. Self-organizing maps, one of famous clustering algorithms, are affected by initial weight vectors and the clustering result is unstable. The optimal method of selecting initial clustering centers is transplanted from K-means to SOM. To evaluate the performance of improved SOM, we utilize diverse datasets and KDD Cup99 dataset to compare it with traditional one. The experimental results show that improved SOM can get higher accuracy rate for universal datasets. As for KDD Cup99 dataset, it achieves higher recall rate and precision rate.

Download Full-text

An Exhaustive Research on the Application of Intrusion Detection Technology in Computer Network Security in Sensor Networks

Journal of Sensors ◽

10.1155/2021/5558860 ◽

2021 ◽

Vol 2021 ◽

pp. 1-11

Author(s):

Yajing Wang ◽

Juan Ma ◽

Ashutosh Sharma ◽

Pradeep Kumar Singh ◽

Gurjot Singh Gaba ◽

...

Keyword(s):

Network Security ◽

Intrusion Detection ◽

Anomaly Detection ◽

Outlier Detection ◽

Computer Network ◽

Clustering Algorithms ◽

Nearest Neighbors ◽

Detection Technology ◽

Computer Network Security ◽

Semisupervised Clustering

Intrusion detection is crucial in computer network security issues; therefore, this work is aimed at maximizing network security protection and its improvement by proposing various preventive techniques. Outlier detection and semisupervised clustering algorithms based on shared nearest neighbors are proposed in this work to address intrusion detection by converting it into a problem of mining outliers using the network behavior dataset. The algorithm uses shared nearest neighbors as similarity, judges whether it is an outlier according to the number of nearest neighbors of a data point, and performs semisupervised clustering on the dataset where outliers are deleted. In the process of semisupervised clustering, vast prior knowledge is added, and the dataset is clustered according to the principle of graph segmentation. The novelty of the proposed algorithm lies in outlier detection while effectively avoiding the dependence on parameters, thus eliminating the influence of outliers on clustering. This article uses real datasets: lypmphography and glass for simulation purposes. The simulation results show that the algorithm proposed in this paper can effectively detect outliers and has a good clustering effect. Furthermore, the experimentation reveals that the outlier detection-based SCA-SNN algorithm has the best practical effect on the dataset without outliers, clearly validating the clustering performance of the outlier detection-based SCA-SNN algorithm. Furthermore, compared to the other state-of-the-art anomaly detection method, it was revealed that the anomaly detection technology based on outlier mining does not require a training process. Thus, they overcome the current anomaly detection problems caused due to incomplete normal patterns in training samples.

Download Full-text

A Hierarchical Intrusion Detection System for Industrial Control Networks based on EtherNet/IP

10.20944/preprints201912.0174.v1 ◽

2019 ◽

Author(s):

Wenbin Yu ◽

Yiyin Wang ◽

Lei Song

Keyword(s):

Intrusion Detection ◽

Anomaly Detection ◽

Prediction Model ◽

Intrusion Detection System ◽

Detection System ◽

Traffic Prediction ◽

Support Vector ◽

Industrial Control ◽

Traffic Pattern ◽

Detection Model

Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

Download Full-text

Network Anomaly Detection for NSL-KDD Dataset Using Deep Learning

INFORMATION TECHNOLOGY IN INDUSTRY ◽

10.17762/itii.v9i2.419 ◽

2021 ◽

Vol 9 (2) ◽

pp. 821-827

Author(s):

Kavitha S, Dr. Uma Maheswari N, Dr.R.Venkatesh

Keyword(s):

Deep Learning ◽

Active Learning ◽

Intrusion Detection ◽

Anomaly Detection ◽

Intelligent System ◽

Essential Element ◽

Machine Learning Techniques ◽

Support Vector ◽

Learning Method ◽

Active Learning Method

Deep learning based intrusion detection cyber security methods gained increased popularity. The essential element to provide protection to the ICT infrastructure is the intrusion detection systems (IDSs). Intelligent solutions are necessary to control the complexity and increase in the new attack types. The intelligent system (DL/ML) has been widely used with its benefits to effectively deal with complex and great dimensional data. The IDS has various attack types like known, unknown, zero day attacks are attractive to and detected using unsupervised machine learning techniques. A novel methodology has been proposed that combines the benefits of Isolation forest (One Class) Support Vector Machine (OCSVM) with active learning method to detect threats without any prior knowledge. The NSL-KDD dataset has been used to evaluate the various DL methods with active learning method. The results show that this method performs better than other techniques. The design methodology inspires the efforts to emerging anomaly detection.

Download Full-text