34 results on "Network traffic analysis"
Search Results
2. AI Enhanced Cyber Security Methods for Anomaly Detection
- Author: Shaik, Abdul Subhahan, Shaik, Amjan, Tsihrintzis, George A., Series Editor, Virvou, Maria, Series Editor, Jain, Lakhmi C., Series Editor, Dehuri, Satchidananda, editor, Cho, Sung-Bae, editor, Padhy, Venkat Prasad, editor, Shanmugam, Poonkuntrun, editor, and Ghosh, Ashish, editor
- Published: 2024
3. Real-Time Symbolic Reasoning Framework for Cryptojacking Detection Based on Netflow-Plus Analysis
- Author: Yang, Zhen, Li, Jing, Cui, Fei, Liu, Jia Qi, Cheng, Yu, Tang, Xi Nan, Gui, Shuai, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, and Ge, Chunpeng, editor
- Published: 2024
4. Peer-to-peer botnets: exploring behavioural characteristics and machine/deep learning-based detection
- Author: Arkan Hammoodi Hasan Kabla, Achmad Husni Thamrin, Mohammed Anbar, Selvakumar Manickam, and Shankar Karuppayah
- Subjects: P2P botnets; Network traffic analysis; Intrusion detection system; Anomaly detection; Machine learning; Deep learning; Computer engineering. Computer hardware; TK7885-7895; Electronic computers. Computer science; QA75.5-76.95
- Abstract: The orientation of emerging technologies on the Internet is moving toward decentralisation. Botnets have always been one of the biggest threats to Internet security, and botmasters have adopted the robust concept of decentralisation to develop and improve peer-to-peer botnet tactics. This makes the botnets cleverer and more artful, although bots under the same botnet have symmetrical behaviour, which is what makes them detectable. However, the literature indicates that the last decade has lacked research that explores new behavioural characteristics that could be used to identify peer-to-peer botnets. For the abovementioned reasons, in this study, we propose two new methods to detect peer-to-peer botnets: first, we explored a new set of behavioural characteristics based on network traffic flow analyses that allow network administrators to more easily recognise a botnet's presence, and second, we developed a new anomaly detection approach by adopting machine-learning and deep-learning techniques that have not yet been leveraged to detect peer-to-peer botnets, using only the five-tuple static indicators as selected features. The experimental analyses revealed new and important behavioural characteristics that can be used to identify peer-to-peer botnets, whereas the experimental results for the detection approach showed a high detection accuracy of 99.99% with no false alarms.
- Published: 2024
5. Peer-to-peer botnets: exploring behavioural characteristics and machine/deep learning-based detection.
- Author: Kabla, Arkan Hammoodi Hasan, Thamrin, Achmad Husni, Anbar, Mohammed, Manickam, Selvakumar, and Karuppayah, Shankar
- Subjects: BOTNETS; COMPUTER network traffic; TECHNOLOGICAL innovations; INTERNET security; ANOMALY detection (Computer security); TRAFFIC flow
- Abstract: duplicate record of result 4 (same paper, same authors); the abstract text is identical to the one given there.
- Published: 2024
6. Autoencoder-Based Botnet Detection for Enhanced IoT Security
- Author: Mahajan, Radhika, Kumar, Manoj, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Whig, Pawan, editor, Silva, Nuno, editor, Elngar, Ahmed A., editor, Aneja, Nagender, editor, and Sharma, Pavika, editor
- Published: 2023
7. Anomaly detection in network traffic using entropy-based methods: application to various types of cyberattacks.
- Author: Bashurov, Vadim and Safonov, Paul
- Subjects: COMPUTER network traffic; ANOMALY detection (Computer security); INTRUSION detection systems (Computer security); CYBERTERRORISM; UNCERTAINTY (Information theory); COMPUTER network security; SCALABILITY
- Abstract: This paper proposes an entropy-based approach for detecting anomalies in network traffic. With the exponential growth of data and sophisticated cyberattacks, traditional methods struggle to identify evolving attack patterns. To address this, we leverage Shannon and Rényi entropies to analyze network traffic datasets. We are focusing on the entire network traffic. Using a publicly available dataset with labeled traffic samples, we calculate the entropy of different traffic features to assess their effectiveness in anomaly detection and attack identification. The scalability and sensitivity of this approach make it suitable for analyzing diverse and high-volume network data, capturing changes in traffic distributions, and detecting anomalies missed by traditional metrics. The method is easily implementable and interpretable, requiring minimal training data. Our findings show promising results for nine different types of cyberattacks, offering practical insights for robust anomaly detection systems in network security.
- Published: 2023
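The entropy approach summarised in result 7, as an added worked example (this is not the authors' code, and the flow records are constructed here, not taken from their dataset): per time window, count the values of a few flow features (source IP, destination IP, destination port), compute Shannon entropy and Rényi entropy of order 2 of each empirical distribution, and alert when a window's Shannon entropy sits more than a chosen number of standard deviations from a baseline learned on clean windows. The z threshold, the std floor and the sample hosts are assumptions of this example.

```python
"""Entropy-based anomaly detection over windows of flow records.

Added example, not code from the paper; all flow records below are constructed.
For each window the script computes, per feature, the Shannon entropy and the
Rényi entropy of order 2 (collision entropy) of the empirical value distribution,
then flags features whose Shannon entropy deviates from a clean baseline.
"""
import math
import random
from collections import Counter
from statistics import mean, pstdev

FEATURES = ("src_ip", "dst_ip", "dst_port")


def shannon(counts):
    """Shannon entropy in bits of the distribution given by a Counter."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def renyi(counts, alpha=2.0):
    """Rényi entropy of order alpha in bits (alpha != 1); alpha=2 is collision entropy."""
    total = sum(counts.values())
    return math.log2(sum((c / total) ** alpha for c in counts.values())) / (1.0 - alpha)


def window_entropies(flows):
    """Map each feature to (shannon, renyi2) for one window of flow dicts."""
    out = {}
    for f in FEATURES:
        counts = Counter(flow[f] for flow in flows)
        out[f] = (shannon(counts), renyi(counts, 2.0))
    return out


def fit_baseline(windows):
    """Per-feature mean and std of Shannon entropy over clean training windows."""
    base = {}
    for f in FEATURES:
        vals = [window_entropies(w)[f][0] for w in windows]
        base[f] = (mean(vals), pstdev(vals))
    return base


def detect(flows, baseline, z_thresh=3.0, min_std=0.1):
    """Return the features whose Shannon entropy is an outlier against the baseline.

    min_std floors the std so a very stable baseline does not alert on sampling
    jitter (an operational choice assumed here, not taken from the paper).
    """
    ent = window_entropies(flows)
    flagged = []
    for f in FEATURES:
        mu, sd = baseline[f]
        z = (ent[f][0] - mu) / max(sd, min_std)
        if abs(z) > z_thresh:
            flagged.append(f)
    return flagged


# ---- constructed sample traffic (not real captures) ----------------------
def normal_window(rng, n=200):
    """20 clients talking to 10 servers on a handful of ports."""
    hosts = [f"10.0.0.{i}" for i in range(1, 21)]
    servers = [f"192.0.2.{i}" for i in range(1, 11)]
    ports = [80, 443, 443, 443, 53, 22]
    return [{"src_ip": rng.choice(hosts), "dst_ip": rng.choice(servers),
             "dst_port": rng.choice(ports)} for _ in range(n)]


def port_scan_window(n=200):
    """One scanner probing n distinct ports on one target: dst_port entropy explodes."""
    return [{"src_ip": "198.51.100.9", "dst_ip": "192.0.2.5", "dst_port": 1000 + i}
            for i in range(n)]


def flood_window(n=200):
    """n spoofed sources hitting one service: src_ip entropy up, dst_ip entropy collapses."""
    return [{"src_ip": f"203.0.113.{i % 250}", "dst_ip": "192.0.2.1", "dst_port": 80}
            for i in range(n)]


def demo():
    rng = random.Random(7)
    baseline = fit_baseline([normal_window(rng) for _ in range(10)])
    return {
        "normal": detect(normal_window(rng), baseline),
        "scan": detect(port_scan_window(), baseline),
        "flood": detect(flood_window(), baseline),
    }


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name:7s} flagged features: {flags or 'none'}")
```

The two attack windows are detectable in opposite directions: a port scan raises destination-port entropy while collapsing source and destination entropy, and a spoofed flood raises source entropy while collapsing destination entropy, which is why the check uses the absolute z-score rather than a one-sided one. Rényi entropy of order 2 is never larger than Shannon entropy for the same distribution, so reporting both gives a cheap consistency check on the feature extraction.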
8. Traffic Management in IoT Backbone Networks Using GNN and MAB with SDN Orchestration.
- Author: Guo, Yanmin, Wang, Yu, Khan, Faheem, Al-Atawi, Abdullah A., Abdulwahid, Abdulwahid Al, Lee, Youngmoon, and Marapelli, Bhaskar
- Subjects: TRAFFIC patterns; SOFTWARE-defined networking; QUEUING theory; SPINE; INTERNET of things
- Abstract: Traffic management is a critical task in software-defined IoT networks (SDN-IoTs) to efficiently manage network resources and ensure Quality of Service (QoS) for end-users. However, traditional traffic management approaches based on queuing theory or static policies may not be effective due to the dynamic and unpredictable nature of network traffic. In this paper, we propose a novel approach that leverages Graph Neural Networks (GNNs) and multi-arm bandit algorithms to dynamically optimize traffic management policies based on real-time network traffic patterns. Specifically, our approach uses a GNN model to learn and predict network traffic patterns and a multi-arm bandit algorithm to optimize traffic management policies based on these predictions. We evaluate the proposed approach on three different datasets, including a simulated corporate network (KDD Cup 1999), a collection of network traffic traces (CAIDA), and a simulated network environment with both normal and malicious traffic (NSL-KDD). The results demonstrate that our approach outperforms other state-of-the-art traffic management methods, achieving higher throughput, lower packet loss, and lower delay, while effectively detecting anomalous traffic patterns. The proposed approach offers a promising solution to traffic management in SDNs, enabling efficient resource management and QoS assurance.
- Published: 2023
9. Network Anomaly Detection Based on Sparse Representation and Incoherent Dictionary Learning
- Author: Kierul, Tomasz, Andrysiak, Tomasz, Kierul, Michał, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Zamojski, Wojciech, editor, Mazurkiewicz, Jacek, editor, Sugier, Jarosław, editor, and Walkowiak, Tomasz, editor
- Published: 2022
10. Multivariate network traffic analysis using clustered patterns
- Author: Kim, J, Sim, A, Tierney, B, Suh, S, and Kim, I
- Subjects: Network traffic analysis; Clustered patterns; Change detection; Anomaly detection; Multivariate analysis; Mathematical Sciences; Information And Computing Sciences; Numerical & Computational Mathematics; Information and Computing Sciences
- Abstract: Traffic analysis is a core element in network operations and management for various purposes including change detection, traffic prediction, and anomaly detection. In this paper, we introduce a new approach to online traffic analysis based on a pattern-based representation for high-level summarization of the traffic measurement data. Unlike the past online analysis techniques limited to a single variable to summarize (e.g., sketch), the focus of this study is on capturing the network state from the multivariate attributes under consideration. To this end, we employ clustering with its benefit of the aggregation of multidimensional variables. The clustered result represents the state of the network with regard to the monitored variables, which can also be compared with the observed patterns from previous time windows enabling intuitive analysis. We demonstrate the proposed method with two popular use cases, one for estimating state changes and the other for identifying anomalous states, to confirm its feasibility. Our extensive experimental results with public traces and collected monitoring measurements from ESnet traffic traces show that our pattern-based approach is effective for multivariate analysis of online network traffic with visual and quantitative tools.
- Published: 2019
11. Open-source-based Environment for Network Traffic Anomaly Detection
- Author: Michalak, Marcin, Wawrowski, Łukasz, Sikora, Marek, Kurianowicz, Rafał, Kozłowski, Artur, Białas, Andrzej, Kacprzyk, Janusz, Series Editor, Pal, Nikhil R., Advisory Editor, Bello Perez, Rafael, Advisory Editor, Corchado, Emilio S., Advisory Editor, Hagras, Hani, Advisory Editor, Kóczy, László T., Advisory Editor, Kreinovich, Vladik, Advisory Editor, Lin, Chin-Teng, Advisory Editor, Lu, Jie, Advisory Editor, Melin, Patricia, Advisory Editor, Nedjah, Nadia, Advisory Editor, Nguyen, Ngoc Thanh, Advisory Editor, Wang, Jun, Advisory Editor, Zamojski, Wojciech, editor, Mazurkiewicz, Jacek, editor, Sugier, Jarosław, editor, and Walkowiak, Tomasz, editor
- Published: 2021
12. Traffic Management in IoT Backbone Networks Using GNN and MAB with SDN Orchestration
- Author: Yanmin Guo, Yu Wang, Faheem Khan, Abdullah A. Al-Atawi, Abdulwahid Al Abdulwahid, Youngmoon Lee, and Bhaskar Marapelli
- Subjects: traffic management; anomaly detection; intrusion detection; network security; internet of things; network traffic analysis; Chemical technology; TP1-1185
- Abstract: duplicate record of result 8 (same paper, same authors); the abstract text is identical to the one given there.
- Published: 2023
13. GAMPAL: an anomaly detection mechanism for Internet backbone traffic by flow size prediction with LSTM-RNN.
- Author: Wakui, Taku, Kondo, Takao, and Teraoka, Fumio
- Abstract: This paper proposes a general-purpose anomaly detection mechanism for Internet backbone traffic named GAMPAL (General-purpose Anomaly detection Mechanism using Prefix Aggregate without Labeled data). GAMPAL does not require labeled data to achieve general-purpose anomaly detection. For scalability to the number of entries in the BGP RIB (Border Gateway Protocol Routing Information Base), GAMPAL introduces the prefix aggregate. The BGP RIB entries are classified into prefix aggregates, each of which is identified by the first three AS (Autonomous System) numbers in the AS_PATH attribute. GAMPAL establishes a prediction model for traffic sizes based on past traffic sizes. It adopts an LSTM-RNN (Long Short-Term Memory Recurrent Neural Network) model that focuses on the periodicity of Internet traffic patterns at a weekly scale. The validity of GAMPAL is evaluated using real traffic information, BGP RIBs exported from the WIDE backbone network (AS2500), a nationwide backbone network for research and educational organizations in Japan, and the dataset of an ISP (Internet Service Provider) in Spain. As a result, GAMPAL successfully detects anomalies such as increased traffic due to an event, DDoS (Distributed Denial of Service) attacks targeted at a stub organization, a connection failure, an SSH (Secure Shell) scan attack, and anomaly spam.
- Published: 2022
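The prefix-aggregate idea from result 13, as an added worked example (not GAMPAL's code): RIB entries are keyed by the first three AS numbers in AS_PATH, flows are attributed to an aggregate by longest-prefix match on the destination address, and each aggregate's byte count in a time slot is compared against its history. GAMPAL predicts the expected size with an LSTM-RNN trained on the weekly periodicity; that model is replaced here by the median of the same weekly slot in previous weeks so the example runs offline, and the RIB lines, flows, history, alarm factor, minimum byte threshold and handling of AS_PATHs shorter than three ASes are all assumptions of this example.

```python
"""Prefix aggregates keyed by the first three AS numbers of AS_PATH, with a
per-aggregate traffic size check against history.

Added example, not GAMPAL's code. RIB entries, flows and history are
constructed. GAMPAL uses an LSTM-RNN on weekly periodicity to predict each
aggregate's size; this example substitutes the median of the same weekly slot
in past weeks as a stand-in predictor, so only the aggregation and alarm
logic are demonstrated.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed BGP RIB export: (prefix, AS_PATH as seen from the local AS).
RIB = [
    ("203.0.113.0/24",   "2500 2914 3356 64500"),
    ("203.0.113.128/25", "2500 7660 2516 64503"),   # more-specific, different path
    ("198.51.100.0/24",  "2500 2914 3356 64501"),
    ("192.0.2.0/24",     "2500 7660 2516"),
    ("100.64.0.0/10",    "2500 64510"),             # path shorter than three ASes
]


def aggregate_key(as_path):
    """First three AS numbers of AS_PATH. Shorter paths keep what is there
    (how such paths are treated is an assumption of this example)."""
    return tuple(as_path.split()[:3])


def build_table(rib):
    """Return [(network, aggregate_key)] sorted longest prefix first."""
    table = [(ipaddress.ip_network(p), aggregate_key(path)) for p, path in rib]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def lookup(table, ip):
    """Longest-prefix match of ip; None when no RIB entry covers it."""
    addr = ipaddress.ip_address(ip)
    for net, key in table:
        if addr in net:
            return key
    return None


def aggregate_sizes(table, flows):
    """Sum bytes per prefix aggregate; returns (sizes, unmatched_bytes)."""
    sizes = defaultdict(int)
    unmatched = 0
    for dst_ip, nbytes in flows:
        key = lookup(table, dst_ip)
        if key is None:
            unmatched += nbytes
        else:
            sizes[key] += nbytes
    return dict(sizes), unmatched


def is_anomalous(history, observed, factor=3.0, min_bytes=1_000_000):
    """Alarm when observed bytes exceed factor x the median of the same weekly
    slot in past weeks. min_bytes keeps idle aggregates from alarming on tiny
    absolute changes. Both thresholds are assumptions of this example."""
    baseline = median(history) if history else 0
    return observed > max(factor * baseline, min_bytes)


# Constructed flows: (destination IP, bytes) seen in one time slot.
FLOWS = [("203.0.113.10", 1000), ("203.0.113.200", 500),
         ("198.51.100.7", 250), ("192.0.2.9", 100), ("10.0.0.1", 999)]

# Constructed history: bytes in this weekly slot over the previous three weeks.
HISTORY = {("2500", "2914", "3356"): [1_200_000, 1_300_000, 1_250_000],
           ("2500", "7660", "2516"): [500_000, 480_000, 520_000]}


def demo(scale=1000):
    """Scale the constructed flows, aggregate them, and evaluate alarms."""
    table = build_table(RIB)
    sizes, unmatched = aggregate_sizes(table, [(ip, b * scale) for ip, b in FLOWS])
    alarms = {key: is_anomalous(HISTORY.get(key, []), nbytes)
              for key, nbytes in sizes.items()}
    return sizes, unmatched, alarms


if __name__ == "__main__":
    for scale in (1000, 10000):
        sizes, unmatched, alarms = demo(scale)
        print(f"scale x{scale}: sizes={sizes} unmatched={unmatched} alarms={alarms}")
```

Note that the flow to 203.0.113.200 lands in the aggregate of the /25, not the covering /24, because attribution follows the forwarding decision (longest prefix match); a more-specific announced through a different upstream is a separate aggregate even though the address space overlaps. Bytes to destinations with no RIB entry are counted separately rather than dropped silently, since a sudden rise in unrouted destinations is itself worth an alarm.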
14. Anomaly Detection Based on LRD Behavior Analysis of Decomposed Control and Data Planes Network Traffic Using SOSS and FARIMA Models
- Author: Basil AsSadhan, Khan Zeb, Jalal Al-Muhtadi, and Saleh Alshebeili
- Subjects: Anomaly detection; intrusion detection; Internet traffic; LRD; self-similarity; network traffic analysis; Electrical engineering. Electronics. Nuclear engineering; TK1-9971
- Abstract: The detection of anomalies in network traffic, such as low volume attacks and abnormalities, has become a pressing problem in today's large volume of Internet traffic. To this end, various anomaly detection techniques have been developed, including techniques based on long-range dependence (LRD) behavior estimation of network traffic. However, the existing LRD-based techniques analyze the aggregated WHOLE (control plus data) traffic, which might not be sufficient to detect short-duration and low-volume attacks and abnormalities in the traffic. This is because such anomalies might pass unnoticed in the large volume of normal background traffic. To address this issue, we propose a method that examines the LRD behavior of control and data plane traffic separately, which improves the detection efficacy. For LRD behavior analysis, the proposed method integrates the correlation structures of second-order self-similar and fractional autoregressive integrated moving average models. The performance of the proposed method is empirically evaluated and validated over relatively recent real Internet traffic captured at King Saud University's network. The analysis and results demonstrate that the proposed method efficiently detects such low volume and short duration attacks and abnormalities in the traffic, which would not be detected by merely analyzing the aggregated WHOLE traffic without decomposing it into control and data plane traffic.
- Published: 2017
15. Cloud-edge coordinated traffic anomaly detection for industrial cyber-physical systems.
- Author: Yang, Tao, Hao, Weijie, Yang, Qiang, and Wang, Wenhai
- Subjects: TRAFFIC monitoring; ANOMALY detection (Computer security); ALARMS; CYBER physical systems; INDUSTRIALISM; FEATURE extraction; INTRUSION detection systems (Computer security); CONVOLUTIONAL neural networks
- Highlights:
  - A cloud-edge coordinated traffic anomaly detection approach is proposed.
  - An anomalous traffic alarm model is used to detect anomalous traffic continuously.
  - A feature extraction algorithm is proposed to efficiently extract traffic features.
  - Real industrial cyber-physical system traffic is used to evaluate our approach.
- Abstract: Industrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system's security and reliability. However, existing research on network traffic anomaly detection for ICPS has several limitations. First, most traffic anomaly detection models focus on centralized detection. Thus, all traffic packets have to be uploaded to the control center for detection, which leads to a heavy traffic load. However, real-time and reliable communication is crucial to ICPSs. The heavy traffic load may cause communication delays or packets lost by corruption. Second, Seasonal AutoRegressive Integrated Moving Average (SARIMA) is popular in ICPS network traffic anomaly detection. However, most SARIMA-based detection models can only detect anomalous traffic once. Thus, they are unable to detect anomalies continuously and are not suitable for actual ICPS. Third, the features extracted from network traffic affect the classification performance. However, most existing feature extraction models cannot sufficiently extract traffic features, leading to poor detection performance. To address the limitations above, this paper proposes a cloud-edge coordinated network traffic anomaly detection approach. The proposed approach consists of a set of anomalous traffic alarm models deployed in the edge areas and an anomalous traffic analysis model deployed in the cloud. The former is implemented based on the Improved Online SARIMA (IOSARIMA) algorithm that can detect anomalous traffic continuously and upload it to the cloud for further analysis, filtering massive normal traffic packets and making the traffic load smaller. The anomalous traffic analysis model consists of a feature extraction algorithm and a Convolutional Neural Network (CNN) classifier, which can sufficiently extract traffic features and identify the attack types precisely. The proposed anomaly detection approach is extensively evaluated on a realistic ICPS testbed, including 3 edges (i.e., power generation, power transmission and power distribution) and a cloud consisting of an engineering workstation and a Supervisory Control And Data Acquisition (SCADA) workstation. The experimental results confirm the smaller traffic load and better detection performance, compared with the existing detection models.
- Published: 2023
16. Anomaly Detection on Flows and Incoming Packets with Gaussian Mixtures
- Author: Menon, Tarun, Barton, Armon C., Singh, Gurminder, and Computer Science (CS)
- Subjects: network traffic analysis; Gaussian Mixtures; cyber; unsupervised learning; anomaly detection
- Abstract: Firewalls are key for maintaining a secure network, but it cannot be assumed that network traffic that manages to get through one is completely safe. Anomaly detection refers to methods that can be used to discover unique or uncommon occurrences within a particular dataset. Unsupervised machine learning techniques involve machine learning with unlabeled data, and can be utilized in order to perform anomaly detection by ingesting a given set of data and finding instances that diverge from the rest in meaningful ways that may not be obvious to the human eye. In this study we aim to analyze anomalies that are detected in incoming packet and flow network traffic data that successfully passed through a firewall and determine what significance there may be within such anomalies. Considering the vast amount of malicious traffic that exists and gets generated regularly, this study shows that Gaussian Mixtures can be used for discovery of anomalies within network traffic that passed through a firewall to discover potential undesirable or malicious traffic. Approved for public release. Distribution is unlimited.
- Published: 2023
17. Network Traffic Classification by Common Subsequence Finding
- Author: Fabjański, Krzysztof, Kruk, Tomasz, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Bubak, Marian, editor, van Albada, Geert Dick, editor, Dongarra, Jack, editor, and Sloot, Peter M. A., editor
- Published: 2008
18. A Data Mining Methodology for Anomaly Detection in Network Data
- Author: Caruso, Costantina, Malerba, Donato, Carbonell, Jaime G., editor, Siekmann, Jörg, editor, Apolloni, Bruno, editor, Howlett, Robert J., editor, and Jain, Lakhmi, editor
- Published: 2007
19. Learning the Daily Model of Network Traffic
- Author: Caruso, Costantina, Malerba, Donato, Papagni, Davide, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Carbonell, Jaime G., editor, Siekmann, Jörg, editor, Hacid, Mohand-Said, editor, Murray, Neil V., editor, Raś, Zbigniew W., editor, and Tsumoto, Shusaku, editor
- Published: 2005
20. An empirical study on TCP flow interarrival time distribution for normal and anomalous traffic.
- Author: Arshadi, Laleh and Jahangir, Amir Hossein
- Subjects: COMPUTER simulation of traffic flow; TCP/IP; COMPUTER networks; IRREGULARITIES of distribution (Number theory); EMPIRICAL research
- Abstract: In this paper, we study the effects of anomalies on the distribution of the TCP flow interarrival time process. We show empirically that despite the variety of data networks in size, number of users, applications, and load, the interarrival times of normal flows comply with the Weibull distribution, whereas specific irregularities (anomalies) cause deviations from the distribution. We first estimate the scale and shape parameters and then check the discrepancy of the data from a Weibull distribution with the estimated parameters. We also utilize the Weibull counting model to recheck the conformance of small flow interarrival times with the distribution. We perform our experiments on a diverse variety of traffic data sets from backbone connections to endpoints of academic and commercial networks. Moreover, we propose a window-based anomaly detection method as a possible application of our findings in which we first estimate the Weibull parameters of interarrival times in each window and then check the discrepancy of the data with a Weibull distribution with the estimated parameters and set an alarm whenever the difference is significant. We apply this method on one of our data sets and present the results to clarify the idea and show its capability in detecting volume anomalies. Copyright © 2014 John Wiley & Sons, Ltd.
- Published: 2017
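The window-based method proposed in result 20, as an added worked example (not the authors' code): for each window of TCP flow interarrival times, estimate the Weibull shape and scale by maximum likelihood, measure the discrepancy between the empirical distribution and the fitted Weibull, and raise an alarm when it is large. The paper says only that the alarm fires when the difference is significant; the Kolmogorov-Smirnov statistic as the discrepancy measure, its alarm threshold, and the sample windows (drawn from a seeded generator, with a flood simulated by a run of near-zero interarrivals) are assumptions of this example.

```python
"""Window-based anomaly check on TCP flow interarrival times via a Weibull fit.

Added example, not the authors' code; the interarrival samples are constructed
with a seeded generator. Per window: fit Weibull shape k and scale lam by
maximum likelihood (Newton iteration on the profile likelihood for k), then
measure the sup distance between the empirical CDF and the fitted CDF
(Kolmogorov-Smirnov statistic) and alarm above a threshold. The KS choice and
the threshold are assumptions of this example.
"""
import math
import random


def weibull_mle(x, tol=1e-9, max_iter=200):
    """Return (shape k, scale lam) maximising the Weibull likelihood of x (all x > 0)."""
    logs = [math.log(v) for v in x]
    mean_log = sum(logs) / len(x)
    k = 1.0  # start from the exponential special case
    for _ in range(max_iter):
        pk = [v ** k for v in x]
        s0 = sum(pk)
        s1 = sum(p * l for p, l in zip(pk, logs))
        s2 = sum(p * l * l for p, l in zip(pk, logs))
        a = s1 / s0
        g = a - 1.0 / k - mean_log              # profile score equation for k
        dg = (s2 / s0 - a * a) + 1.0 / (k * k)  # its derivative, always > 0
        step = g / dg
        k = max(k - step, 1e-3)                 # keep k positive if Newton overshoots
        if abs(step) < tol:
            break
    lam = (sum(v ** k for v in x) / len(x)) ** (1.0 / k)
    return k, lam


def weibull_cdf(v, k, lam):
    """CDF of the Weibull distribution with shape k and scale lam."""
    return 1.0 - math.exp(-((v / lam) ** k))


def ks_statistic(x, k, lam):
    """Sup distance between the empirical CDF of x and the fitted Weibull CDF."""
    xs = sorted(x)
    n = len(xs)
    d = 0.0
    for i, v in enumerate(xs):
        f = weibull_cdf(v, k, lam)
        d = max(d, f - i / n, (i + 1) / n - f)
    return d


def check_window(interarrivals, alarm_at=0.05):
    """Fit one window and return (k, lam, D, alarm)."""
    k, lam = weibull_mle(interarrivals)
    d = ks_statistic(interarrivals, k, lam)
    return k, lam, d, d > alarm_at


def sample_windows(seed=11, n=3000, burst=600):
    """Constructed data: a normal window drawn from Weibull(k=0.7, lam=1.0) and a
    flooded window where `burst` interarrivals are replaced by near-zero gaps,
    as a flood of back-to-back flow arrivals would produce."""
    rng = random.Random(seed)
    normal = [rng.weibullvariate(1.0, 0.7) for _ in range(n)]   # (scale, shape)
    flooded = normal[:n - burst] + [rng.uniform(1e-4, 1e-3) for _ in range(burst)]
    return normal, flooded


if __name__ == "__main__":
    for name, window in zip(("normal", "flooded"), sample_windows()):
        k, lam, d, alarm = check_window(window)
        print(f"{name:8s} k={k:.3f} lam={lam:.3f} D={d:.3f} alarm={alarm}")
```

On the clean window the fit recovers a shape below 1 (the sub-exponential, bursty regime the paper reports for normal flows) and the KS distance stays at the level expected from sampling noise; on the flooded window a single Weibull cannot absorb the spike of near-zero gaps, so the distance jumps well above the threshold even though the fit itself still converges. A practitioner would calibrate alarm_at from the empirical distribution of D over known-good windows rather than from a table, since the parameters are estimated from the same data being tested.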
21. Intelligent intrusion detection system (Sistema de deteção de intrusões inteligente)
- Author: Marques, Fernando Emanuel Ferreira, Zúquete, André, and Ferreira, Paulo
- Subjects: Network traffic analysis; Monitoring; Machine learning; Intrusion detection systems; User behavior analysis; Anomaly detection
- Abstract: Currently, multiple personal machines and network systems suffer some type of computer attack with possible motivations related to computer power abuse, information tampering or vandalism. Despite the existence of intrusion detection systems, there are some barriers to their application in real scenarios, such as the difficulty in tracing user behavioral profiles, the ability to camouflage various attacks in the network and the time it takes to recognize the signatures used by new attacks. In the case of studying behavioral profiles, there is research and work in various areas such as social networks, recommendation systems, medical health and user authentication. This dissertation proposes an anomaly detection system based on the behavioral analysis of a user on the network. After extracting network traffic metrics related to the network and transport layers of the OSI model, the calculation of features that will be used as input for learning models, such as the One-Class Support Vector Machine, is performed. The work was developed using two types of network traffic: user traffic and anomaly traffic. Considered normal traffic, user traffic was captured using a switch with port mirroring in a corporate environment. To test the models in the detection task, two types of anomalies were considered: manipulation of information by transferring files and executing commands remotely in the terminal via an SSH session. In a first phase, the anomaly traffic was generated in an isolated way, to simulate a scenario in which the intrusion is the only active traffic in the network. For the case of the file transfer anomaly, the results obtained have a perfect F1-score with no false positives. In a second phase, anomaly traffic is camouflaged with the user's normal traffic, in a scenario where the anomaly occurs when there is external activity on the network. The results demonstrate that the anomaly is clearly more difficult to detect, for the case of the mixed file transfer anomaly, with an F1-score of 0.010 and a false positive rate of 0.86%. Master's dissertation in Computer and Telematics Engineering (Mestrado em Engenharia de Computadores e Telemática); the record also carries the same abstract in Portuguese.
- Published: 2021
22. Characterizing network traffic behaviour using granule-based association rule mining.
- Author: Bian, Yongna, Liu, Bin, Li, Yuefeng, and Gao, Jianmin
- Subjects: ASSOCIATION rule mining; COMPUTER networks; DATA mining; CONTENT mining; AUTOMATIC extracting (Information science)
- Abstract: Association rule mining is one important technique to characterize the behaviour of network traffic. However, mining association rules from network traffic data still faces three obstacles: efficiency, the huge number of results and insufficiency to represent the behaviour of network traffic. Aiming to tackle these issues, this paper presents a granule-based association rule mining approach, called association hierarchy mining. The proposed approach adopts a top-down rule mining strategy to directly generate interesting rules according to subjectively specified rule template hierarchies, which improves the efficiency of rule generation and subjectively filters rules the user is not interested in. The approach also proposes to prune a new type of redundant rules defined by this research to reduce the number of rules. Finally, the approach introduces the concept of diversity, aiming to select the interesting rules for better interpreting the behaviour of network traffic. The experiments performed on the MAWI network traffic traces show the efficiency and effectiveness of the proposed approach. Copyright © 2016 John Wiley & Sons, Ltd.
- Published: 2016
23. Network traffic anomaly detection using machine learning approaches.
- Author: Limthong, Kriangkrai and Tawsook, Thidarat
- Abstract: One of the biggest challenges for both network administrators and researchers is detecting anomalies in network traffic. If they had a tool that could accurately and expeditiously detect these anomalies, they would prevent many of the serious problems caused by them. We conducted experiments in order to study the relationship between interval-based features of network traffic and several types of network anomalies by using two famous machine learning algorithms: naïve Bayes and k-nearest neighbor. Our findings will help researchers and network administrators to select effective interval-based features for each particular type of anomaly, and to choose a proper machine learning algorithm for their own network system.
- Published: 2012
24. Toward a Sustainable Cybersecurity Ecosystem
- Author
-
Leslie F. Sikos, A. K. M. Najmul Islam, Mohiuddin Ahmed, and Shahrin Sadik
- Subjects
blockchain ,cybersecurity ,Computer Networks and Communications ,Computer science ,Emerging technologies ,Internet of Things ,Legal aspects of computing ,Computer security ,Smart city ,cyber-risk assessment ,smart grid ,data analytics ,Implementation ,network traffic analysis ,Government ,cybernetics ,cybersecurity life cycle ,sustainability ,anomaly detection ,Human-Computer Interaction ,Smart grid ,smart city ,Sustainability ,Key (cryptography) ,Cyberspace - Abstract
Cybersecurity issues constitute a key concern of today's technology-based economies. Cybersecurity has become a core need for providing a sustainable and safe society to online users in cyberspace. Considering the rapid increase of technological implementations, it has turned into a global necessity in the attempt to adapt security countermeasures, whether direct or indirect, and prevent systems from cyberthreats. Identifying, characterizing, and classifying such threats and their sources is required for a sustainable cyber-ecosystem. This paper focuses on the cybersecurity of smart grids and the emerging trends such as using blockchain in the Internet of Things (IoT). The cybersecurity of emerging technologies such as smart cities is also discussed. In addition, associated solutions based on artificial intelligence and machine learning frameworks to prevent cyber-risks are also discussed. Our review will serve as a reference for policy-makers from the industry, government, and the cybersecurity research community.
- Published
- 2020
- Full Text
- View/download PDF
25. Studying Class Membership Scores in Machine Learning Classification for Imbalanced Binary Data
- Author
-
Katzengruber, Matthias
- Subjects
network traffic analysis ,machine learning ,classification ,anomaly detection - Abstract
Machine learning is getting increasing importance and is strongly promoted by the rise of computational power. A paramount application of machine learning is anomaly detection, sometimes understood as one-class classification, i.e., a binary classification problem in which there is a significant imbalance between the minority class (anomalies/outliers) and the majority class (normal/inlier). Real-life cases of such scenarios are, for example, fraud detection or attack detection in network communications. In this work, we study if the assumption is correct that wrongly classified instances are closer to decision boundaries and if this information can help to refine classification performances. We conducted experiments on network traffic and on other imbalanced datasets and found that, as a general rule, classification algorithms are able to leverage class membership scores to improve the “average precision” metric, which is suitable for evaluating imbalanced cases. Hence, class membership scores—defined based on distances to classification thresholds—help to improve classification while keeping the model explainability and the algorithm complexity simple.
- Published
- 2020
- Full Text
- View/download PDF
26. Multivariate network traffic analysis using clustered patterns
- Author
-
Jinoh Kim, Brian Tierney, Ikkyun Kim, Sang C. Suh, and Alex Sim
- Subjects
Multivariate statistics ,Traffic analysis ,Multivariate analysis ,Computer science ,Numerical & Computational Mathematics ,Anomaly detection ,Network operations center ,Mathematical Sciences ,Theoretical Computer Science ,Information and Computing Sciences ,Cluster analysis ,Numerical Analysis ,Clustered patterns ,Automatic summarization ,Computer Science Applications ,Computational Mathematics ,Network traffic analysis ,Computational Theory and Mathematics ,Change detection ,Data mining ,Software - Abstract
Traffic analysis is a core element in network operations and management for various purposes including change detection, traffic prediction, and anomaly detection. In this paper, we introduce a new approach to online traffic analysis based on a pattern-based representation for high-level summarization of the traffic measurement data. Unlike the past online analysis techniques limited to a single variable to summarize (e.g., sketch), the focus of this study is on capturing the network state from the multivariate attributes under consideration. To this end, we employ clustering with its benefit of the aggregation of multidimensional variables. The clustered result represents the state of the network with regard to the monitored variables, which can also be compared with the observed patterns from previous time windows enabling intuitive analysis. We demonstrate the proposed method with two popular use cases, one for estimating state changes and the other for identifying anomalous states, to confirm its feasibility. Our extensive experimental results with public traces and collected monitoring measurements from ESnet traffic traces show that our pattern-based approach is effective for multivariate analysis of online network traffic with visual and quantitative tools. © 2018 Springer-Verlag GmbH Austria, part of Springer Nature.
- Published
- 2018
- Full Text
- View/download PDF
27. Detecting and Visualizing Domain-Based DNS Tunnels Through N-Gram Frequency Analysis.
- Author
-
Born, Kenton and Gustafson, David A.
- Subjects
INTERNET domain names ,DATA transmission systems ,BROADBAND communication systems ,CYBERSQUATTING ,DIGITAL communications - Abstract
High-bandwidth covert channels pose significant risks to sensitive and proprietary information inside company networks. Domain Name System (DNS) tunnels provide a means to covertly infiltrate and exfiltrate large amounts of information past network boundaries. This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has more evenly distributed character frequencies. Anomalies are quickly discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic. A tool called NgViz is developed that examines DNS traffic and shows anomalies in n-gram frequencies of domains found in query and response resource records. This is accomplished by comparing input files against a fingerprint of legitimate traffic. Both quantitative analysis and visual aids are provided that allow the user to make determinations about the legitimacy of the DNS traffic. [ABSTRACT FROM AUTHOR]
- Published
- 2011
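The abstract above describes fingerprinting legitimate DNS names by their unigram, bigram and trigram character frequencies and flagging names that do not fit. The following is an added example written for this page, not the NgViz tool from the paper: the query names are constructed, the score (the share of a name's n-grams that never occur in the fingerprint, averaged over n = 1, 2, 3) and the alarm threshold are this example's own choices, and the normalized entropy is reported only as a supporting feature.

```python
"""Character n-gram fingerprinting of DNS query names (added example).

Builds n-gram frequency tables from names taken to be legitimate, then scores
new names by how many of their n-grams the fingerprint never saw. The score,
the threshold and the sample names are assumptions, not the paper's values.
"""
from collections import Counter
from math import log2

# Constructed sample data: ordinary query names used to build the fingerprint.
BENIGN_QNAMES = [
    "www.example.com", "mail.example.com", "cdn.example.net",
    "login.microsoftonline.com", "static.cloudflare.com", "api.github.com",
    "update.mozilla.org", "www.google.com", "images.apple.com",
    "news.bbc.co.uk", "docs.python.org", "accounts.google.com",
    "ocsp.digicert.com", "www.wikipedia.org",
]
# Constructed tunnel-style names: base32 and hex payload carried in the leftmost label.
TUNNEL_QNAMES = [
    "mzxw6ytboi4gmytboi2hgzlfnfxgk5lobzx2qzdq.t.example.com",
    "ca7f3d91e0bb5a2c4d6e8f0a1b2c3d4e5f6a7b8c.t.example.com",
]
NS = (1, 2, 3)

def chars(qname):
    """Lower-case the name and drop label separators so n-grams span the whole name."""
    return qname.lower().replace(".", "")

def ngrams(text, n):
    return [text[i:i + n] for i in range(len(text) - n + 1)]

def build_fingerprint(qnames):
    """Relative frequency of every n-gram (n = 1, 2, 3) seen in the legitimate names."""
    fp = {}
    for n in NS:
        counts = Counter()
        for q in qnames:
            counts.update(ngrams(chars(q), n))
        total = sum(counts.values())
        fp[n] = {g: c / total for g, c in counts.items()}
    return fp

def unseen_ratio(fp, qname):
    """Per-n fraction of the name's n-grams that the fingerprint never saw."""
    text = chars(qname)
    out = {}
    for n in NS:
        grams = ngrams(text, n)
        out[n] = sum(1 for g in grams if g not in fp[n]) / len(grams) if grams else 0.0
    return out

def normalized_entropy(qname):
    """Unigram entropy divided by its maximum for the observed alphabet size; values
    near 1.0 mean an almost flat character distribution, the profile the paper
    associates with tunnelled payloads (reported here, not used in the decision)."""
    text = chars(qname)
    counts = Counter(text)
    total = len(text)
    h = -sum(c / total * log2(c / total) for c in counts.values())
    return h / log2(len(counts)) if len(counts) > 1 else 0.0

def anomaly_score(fp, qname):
    """Mean unseen ratio over n = 1, 2, 3; 0.0 means every n-gram is familiar."""
    r = unseen_ratio(fp, qname)
    return sum(r.values()) / len(r)

def classify(fp, qname, threshold=0.3):
    """Assumed decision rule: flag a name whose mean unseen ratio exceeds the threshold."""
    return anomaly_score(fp, qname) > threshold

if __name__ == "__main__":
    fp = build_fingerprint(BENIGN_QNAMES)
    for q in BENIGN_QNAMES[:3] + ["www.example.org"] + TUNNEL_QNAMES:
        print(f"{q:58s} score={anomaly_score(fp, q):.2f} "
              f"entropy={normalized_entropy(q):.2f} tunnel={classify(fp, q)}")
```

In practice the fingerprint should be built from a large sample of the organisation's own resolver logs, and the leftmost labels scored separately from the registrable domain, since that is where tunnel payload lives.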
28. Anomaly Detection Based on LRD Behavior Analysis of Decomposed Control and Data Planes Network Traffic Using SOSS and FARIMA Models
- Author
-
Jalal Al-Muhtadi, Basil AsSadhan, Saleh A. Alshebeili, and Khan Zeb
- Subjects
General Computer Science ,Computer science ,intrusion detection ,Anomaly detection ,Internet traffic ,Data modeling ,General Materials Science ,Autoregressive integrated moving average ,Electrical and Electronic Engineering ,Traffic generation model ,network traffic analysis ,Traffic congestion reconstruction with Kerner's three-phase theory ,self-similarity ,General Engineering ,Volume (computing) ,LRD ,The Internet ,Data mining ,Computer network - Abstract
The detection of anomalies in network traffic, such as low volume attacks and abnormalities, has become a pressing problem in today’s large volume of Internet traffic. To this end, various anomaly detection techniques have been developed, including techniques based on long-range dependence (LRD) behavior estimation of network traffic. However, the existing LRD-based techniques analyze the aggregated WHOLE (control plus data) traffic, which might not be sufficient to detect short-duration and low-volume attacks and abnormalities in the traffic. This is because such anomalies might pass unnoticed in large volume of the normal background traffic. To address this issue, we propose a method that examines the LRD behavior of control and data planes traffic separately, which improves the detection efficacy. For LRD behavior analysis, the proposed method integrates the correlation structures of second-order self-similar and fractional autoregressive integrated moving average models. The performance of the proposed method is empirically evaluated and validated over a relatively recent real Internet traffic captured at King Saud University’s network. The analysis and results demonstrate that the proposed method efficiently detects such low volume and short duration attacks and abnormalities in the traffic, which would not be detected by merely analyzing the aggregated WHOLE traffic without decomposing it into control and data planes traffic.
- Published
- 2017
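The abstract above argues that a low-volume attack hidden in the aggregate (WHOLE) traffic becomes visible when the control-plane packets are examined as their own series and their long-range dependence estimated separately. The following is an added example written for this page, not the paper's SOSS/FARIMA method: it splits a constructed packet list into control and data planes under an assumed rule (ICMP/ARP plus zero-payload TCP segments with SYN, FIN or RST), estimates the Hurst exponent of each series with the aggregated-variance estimator, and flags windows whose estimate departs from a baseline by an assumed tolerance.

```python
"""Control/data-plane decomposition plus an aggregated-variance Hurst estimate (added example).

Not the paper's code. The split rule, the estimator and the tolerance are assumptions.
"""
import random
from math import log
from statistics import mean, variance

CONTROL_PROTOS = {"icmp", "arp"}
CONTROL_TCP_FLAGS = {"S", "F", "R"}  # SYN, FIN, RST

def is_control(pkt):
    """Assumed rule: ICMP/ARP and zero-payload TCP segments carrying SYN, FIN or RST are
    control plane; everything else (including bare ACKs and UDP) is data plane."""
    if pkt["proto"] in CONTROL_PROTOS:
        return True
    return (pkt["proto"] == "tcp" and pkt["payload"] == 0
            and bool(set(pkt["flags"]) & CONTROL_TCP_FLAGS))

def decompose(packets, bin_s=1.0):
    """Return (control, data) packet-count time series at bin_s resolution."""
    t0 = min(p["ts"] for p in packets)
    n = int((max(p["ts"] for p in packets) - t0) // bin_s) + 1
    ctrl, data = [0] * n, [0] * n
    for p in packets:
        i = int((p["ts"] - t0) // bin_s)
        (ctrl if is_control(p) else data)[i] += 1
    return ctrl, data

def hurst_aggvar(series, max_m=None):
    """Aggregated-variance estimator: Var(X^(m)) ~ m^(2H-2), so H = 1 + slope/2, where
    slope is the least-squares fit of log Var against log m for m = 1, 2, 4, ..."""
    n = len(series)
    max_m = max_m or max(2, n // 64)
    xs, ys = [], []
    m = 1
    while m <= max_m:
        blocks = [mean(series[i:i + m]) for i in range(0, n - n % m, m)]
        if len(blocks) < 2:
            break
        v = variance(blocks)
        if v <= 0:
            break
        xs.append(log(m))
        ys.append(log(v))
        m *= 2
    if len(xs) < 2:
        raise ValueError("series too short for an LRD estimate")
    mx, my = mean(xs), mean(ys)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return 1 + slope / 2

def flag_windows(series, win, baseline_h, tol=0.15):
    """Assumed detection rule: flag windows whose H departs from the baseline by > tol."""
    flagged = []
    for start in range(0, len(series) - win + 1, win):
        h = hurst_aggvar(series[start:start + win])
        if abs(h - baseline_h) > tol:
            flagged.append((start, round(h, 3)))
    return flagged

def synthetic_series(seed=7, n=4096):
    """Constructed reference series: white noise (H near 0.5) and its running sum,
    whose block means barely lose variance under aggregation (H near 1)."""
    rng = random.Random(seed)
    iid = [rng.gauss(0.0, 1.0) for _ in range(n)]
    walk, s = [], 0.0
    for x in iid:
        s += x
        walk.append(s)
    return iid, walk

if __name__ == "__main__":
    rng = random.Random(1)
    # Constructed trace: steady TCP data with a little SYN chatter, then 128 s of extra
    # zero-payload SYNs that are small against the aggregate packet rate.
    pkts = []
    for t in range(2048):
        for _ in range(rng.randint(20, 30)):
            pkts.append({"ts": t + rng.random(), "proto": "tcp", "flags": "PA", "payload": 1200})
        for _ in range(rng.randint(1, 3)):
            pkts.append({"ts": t + rng.random(), "proto": "tcp", "flags": "S", "payload": 0})
        if 1500 <= t < 1628:
            for _ in range(8):
                pkts.append({"ts": t + rng.random(), "proto": "tcp", "flags": "S", "payload": 0})
    ctrl, data = decompose(pkts)
    whole = [c + d for c, d in zip(ctrl, data)]
    print("H control/data/WHOLE (first 1024 s):",
          round(hurst_aggvar(ctrl[:1024]), 3), round(hurst_aggvar(data[:1024]), 3),
          round(hurst_aggvar(whole[:1024]), 3))
    print("control-plane windows flagged:", flag_windows(ctrl, 256, hurst_aggvar(ctrl[:1024])))
    print("WHOLE windows flagged:", flag_windows(whole, 256, hurst_aggvar(whole[:1024])))
```

The aggregated-variance estimator is biased for short windows and sensitive to level shifts, so a production detector should pair it with a second estimator (the paper uses model-based correlation structures) before alarming on a single window.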
29. GAMPAL: Anomaly Detection for Internet Backbone Traffic by Flow Prediction with LSTM-RNN
- Author
-
Takao Kondo, Taku Wakui, Fumio Teraoka, Keio University, Graduate School of the Natural Science and Technology [Kanazawa], Kanazawa University (KU), Faculty of Science and Technology [Tokyo], Seikei University, Selma Boumerdassi, Éric Renault, Paul Mühlethaler, and TC 6
- Subjects
Backbone network ,Internet Backbone ,Computer science ,Computer-communication networks ,Internet backbone ,Denial-of-service attack ,Throughput ,Airfield traffic pattern ,General-Purpose Anomaly Detection ,Networking and Internet Architecture [cs.NI] ,Scalability ,LSTM-RNN ,The Internet ,Anomaly detection ,Computer Science [cs] ,Network Traffic Analysis ,Computer network - Abstract
This paper proposes a general-purpose anomaly detection mechanism for Internet backbone traffic named GAMPAL (General-purpose Anomaly detection Mechanism using Path Aggregate without Labeled data). GAMPAL does not require labeled data to achieve a general-purpose anomaly detection. For scalability to the number of entries in the BGP RIB (Routing Information Base), GAMPAL introduces path aggregates. The BGP RIB entries are classified into the path aggregates, each of which is identified with the first three AS numbers in the AS_PATH attribute. GAMPAL establishes a prediction model of traffic throughput based on past traffic throughput. It adopts the LSTM-RNN (Long Short-Term Memory Recurrent Neural Network) model focusing on periodicity in weekly scale of the Internet traffic pattern. The validity of GAMPAL is evaluated using the real traffic information and the BGP RIB exported from the WIDE backbone network (AS2500), a nation-wide backbone network for research and educational organizations in Japan. As a result, GAMPAL successfully detects traffic increases due to events and DDoS attacks targeted at a stub organization.
- Published
- 2019
- Full Text
- View/download PDF
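The abstract above defines a path aggregate as the set of RIB prefixes sharing the first three AS numbers of their AS_PATH and predicts each aggregate's throughput from its weekly periodicity. The following is an added example written for this page, not GAMPAL's code: the RIB entries (documentation prefixes, private ASNs, 2500 standing in for the local AS) and the flow samples are constructed, and the LSTM-RNN is replaced by an assumed baseline, the median of the same hour of the week over the previous weeks, with an assumed alarm factor.

```python
"""Path aggregates from a BGP RIB and per-aggregate throughput anomaly flags (added example).

Not GAMPAL's code. The seasonal-median predictor and the alarm factor are assumptions
standing in for the paper's LSTM-RNN model.
"""
import ipaddress
from collections import defaultdict
from statistics import median

HOURS_PER_WEEK = 24 * 7

def path_aggregate(as_path):
    """Aggregate key: the first three AS numbers of AS_PATH (fewer if the path is shorter)."""
    return tuple(as_path[:3])

class Rib:
    """Longest-prefix-match table mapping a destination address to its path aggregate."""
    def __init__(self, entries):
        self.entries = sorted(
            ((ipaddress.ip_network(prefix), path_aggregate(path)) for prefix, path in entries),
            key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, agg in self.entries:
            if addr in net:
                return agg
        return None

def aggregate_throughput(rib, flows, n_hours):
    """Sum bytes per (aggregate, hour) from flow samples of the form (hour_index, dst_ip, bytes)."""
    series = defaultdict(lambda: [0] * n_hours)
    for hour, dst, nbytes in flows:
        agg = rib.lookup(dst)
        if agg is not None:
            series[agg][hour] += nbytes
    return dict(series)

def seasonal_baseline(s, hour, weeks):
    """Assumed predictor: median of the same hour of the week over the previous weeks."""
    past = [s[hour - k * HOURS_PER_WEEK] for k in range(1, weeks + 1)
            if hour - k * HOURS_PER_WEEK >= 0]
    return median(past) if past else None

def flag_anomalies(series, weeks=2, factor=3.0):
    """Assumed rule: an hour is anomalous when observed bytes exceed factor * baseline."""
    hits = []
    for agg, s in series.items():
        for h in range(weeks * HOURS_PER_WEEK, len(s)):
            b = seasonal_baseline(s, h, weeks)
            if b and s[h] > factor * b:
                hits.append((agg, h, s[h], b))
    return hits

# Constructed RIB: documentation prefixes, private ASNs, 2500 as the local AS.
RIB_ENTRIES = [
    ("203.0.113.0/24",  [2500, 64512, 64513, 64514]),
    ("192.0.2.0/24",    [2500, 64512, 64513, 64599]),  # same first three ASNs: same aggregate
    ("198.51.100.0/24", [2500, 64512, 64515]),
    ("198.51.100.0/25", [2500, 64516, 64517]),         # more specific, wins longest-prefix match
]

def constructed_flows(n_weeks=3):
    """Three weeks of hourly samples with a day/night pattern and one injected surge."""
    flows = []
    for h in range(n_weeks * HOURS_PER_WEEK):
        busy = 8 <= h % 24 < 20
        base = 160_000 if busy else 100_000
        flows.append((h, "203.0.113.10", base))
        flows.append((h, "198.51.100.7", base // 2))
    flows.append((2 * HOURS_PER_WEEK + 50, "203.0.113.10", 900_000))  # injected surge
    return flows

def run(n_weeks=3):
    rib = Rib(RIB_ENTRIES)
    series = aggregate_throughput(rib, constructed_flows(n_weeks), n_weeks * HOURS_PER_WEEK)
    return series, flag_anomalies(series)

if __name__ == "__main__":
    series, hits = run()
    print("aggregates:", sorted(series))
    for agg, h, observed, baseline in hits:
        print(f"aggregate {agg}: hour {h} observed {observed} vs baseline {baseline}")
```

With a real RIB the lookup should use a radix tree rather than a sorted scan, and the aggregate count should be checked against the RIB size to confirm the reduction the paper relies on for scalability.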
30. A statistical and distributed packet filter against DDoS attacks in Cloud environment
- Author
-
PANDEY, VIKASH C, PEDDOJU, SATEESH K, and DESHPANDE, PRACHI S
- Published
- 2018
- Full Text
- View/download PDF
31. Machine learning for network application security: Empirical evaluation and optimization.
- Author
-
Aledhari, Mohammed, Razzak, Rehma, and Parizi, Reza M.
- Subjects
COMPUTER network security ,MACHINE learning ,RECURRENT neural networks ,DECISION trees - Abstract
Machine learning (ML) has demonstrated great potential to revolutionize the networking field. In this paper, we present a large-scale empirical study to evaluate the effectiveness of state-of-the-art ML algorithms for network application security. In our experiments, six classical ML algorithms and three neural network algorithms are evaluated over three networking datasets, KDDCup 99, NSL-KDD, and ADFA IDS 2017. Measurements are made between the non-optimized and optimized versions of ML algorithms. Furthermore, various training and testing ratios are tried to assess each algorithm's optimal performance. The results revealed that optimizing ML algorithms could help achieve better performance in detecting networking attacks. In particular, the Decision Tree proved to be the most accurate and fastest algorithm in the classical ML while the Recurrent Neural Network achieved the best performance among neural network algorithms. • Providing a comprehensive empirical evaluation of ML algorithms. • Applying optimization methods to evaluate performance with respect to networking attacks. • Providing accuracy results with and without optimization with different ML algorithms. [ABSTRACT FROM AUTHOR]
- Published
- 2021
- Full Text
- View/download PDF
32. Toward a Sustainable Cybersecurity Ecosystem.
- Author
-
Sadik, Shahrin, Ahmed, Mohiuddin, Sikos, Leslie F., and Islam, A. K. M. Najmul
- Subjects
SMART cities ,INTERNET security ,INTERNET of things ,ARTIFICIAL intelligence ,BLOCKCHAINS ,ECOSYSTEMS - Abstract
Cybersecurity issues constitute a key concern of today's technology-based economies. Cybersecurity has become a core need for providing a sustainable and safe society to online users in cyberspace. Considering the rapid increase of technological implementations, it has turned into a global necessity in the attempt to adapt security countermeasures, whether direct or indirect, and prevent systems from cyberthreats. Identifying, characterizing, and classifying such threats and their sources is required for a sustainable cyber-ecosystem. This paper focuses on the cybersecurity of smart grids and the emerging trends such as using blockchain in the Internet of Things (IoT). The cybersecurity of emerging technologies such as smart cities is also discussed. In addition, associated solutions based on artificial intelligence and machine learning frameworks to prevent cyber-risks are also discussed. Our review will serve as a reference for policy-makers from the industry, government, and the cybersecurity research community. [ABSTRACT FROM AUTHOR]
- Published
- 2020
- Full Text
- View/download PDF
33. Detecting anomalous network activity by statistical analysis of IP packet headers
- Subjects
Network traffic analysis ,intrusion detection ,Anomaly detection ,Network security - Abstract
The theory and practice of a method for detecting anomalous activity are considered. The method adaptively builds a profile of the system's normal state, using the distribution of the packet flow over IP addresses as the characteristic of that state. Appropriate goodness-of-fit criteria are used to decide on a measure of the divergence between the characteristics of the normal and anomalous states of the system. An example of the practical use of the proposed method is given. The authors' English summary adds that the detection is unsupervised, that a weight-function method is used to compute local and global characteristics of the network traffic, and that the effectiveness of the method is evaluated.
- Published
- 2010
- Full Text
- View/download PDF
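The abstract above describes an adaptively built profile of the normal state, characterised by how packets are distributed over IP addresses, with a goodness-of-fit criterion deciding how far a new observation diverges from it. The following is an added example written for this page, not the article's code: the divergence measure (Jensen-Shannon divergence, base 2, so it lies between 0 and 1), the exponential weighting used to update the profile in place of the article's weight function, the alarm threshold and the packet lines are all assumptions.

```python
"""Adaptive profile of the packet distribution over destination addresses (added example).

Not the article's code. Divergence measure, weighting and threshold are assumptions.
"""
from collections import Counter
from math import log2

def distribution(counts):
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items() if v > 0}

def js_divergence(p, q):
    """Jensen-Shannon divergence (base 2) between two discrete distributions over
    addresses: identical distributions give 0.0, disjoint supports give exactly 1.0."""
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}

    def kl(a):
        return sum(a[k] * log2(a[k] / m[k]) for k in a)

    return 0.5 * kl(p) + 0.5 * kl(q)

class AdaptiveProfile:
    """Profile of the normal state: packets per destination address. It is updated only
    from windows that were not judged anomalous, so an attack cannot train it."""
    def __init__(self, counts, alpha=0.2, threshold=0.3):
        self.counts = Counter(counts)
        self.alpha = alpha          # weight given to the newest normal window (assumption)
        self.threshold = threshold  # alarm level on the divergence (assumption)

    def score(self, window_counts):
        return js_divergence(distribution(self.counts), distribution(window_counts))

    def observe(self, window_counts):
        """Score one window; fold it into the profile only when it is not anomalous."""
        d = self.score(window_counts)
        anomalous = d > self.threshold
        if not anomalous:
            # exponentially weighted update; the window is rescaled to the profile's mass
            scale = sum(self.counts.values()) / sum(window_counts.values())
            for k in set(self.counts) | set(window_counts):
                self.counts[k] = ((1 - self.alpha) * self.counts[k]
                                  + self.alpha * scale * window_counts.get(k, 0))
        return d, anomalous

def window_counts(packet_lines):
    """Count destination addresses from constructed 'src -> dst' lines."""
    return Counter(line.split("->")[1].strip() for line in packet_lines)

# Constructed traffic: the learned baseline, a normal window, and a window in which one
# host sweeps a hundred previously unseen addresses on top of a little normal traffic.
BASELINE = {"10.0.0.5": 500, "10.0.0.6": 300, "10.0.0.7": 200}
NORMAL_WINDOW = (["10.0.9.1 -> 10.0.0.5"] * 48 + ["10.0.9.2 -> 10.0.0.6"] * 32
                 + ["10.0.9.3 -> 10.0.0.7"] * 20)
SCAN_WINDOW = (["10.0.9.1 -> 10.0.0.5"] * 10 + ["10.0.9.2 -> 10.0.0.6"] * 6
               + ["10.0.9.3 -> 10.0.0.7"] * 4
               + [f"10.0.9.66 -> 10.0.1.{i}" for i in range(1, 101)])

if __name__ == "__main__":
    profile = AdaptiveProfile(BASELINE)
    for name, lines in (("normal", NORMAL_WINDOW), ("scan", SCAN_WINDOW)):
        d, alarm = profile.observe(window_counts(lines))
        print(f"{name}: divergence={d:.3f} alarm={alarm}")
```

The same structure works for the source-address distribution or for per-host (local) profiles alongside the global one; the threshold should be set from the divergence observed between consecutive normal windows rather than chosen by hand.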
34. Constructing and using a density function in feature space to detect anomalous events
- Subjects
ANOMALY DETECTION ,PACKET ANALYSIS ,ARBITRARY SHAPE OF CLUSTERS ,NETWORK SECURITY ,CLUSTERING ALGORITHMS ,INTRUSION DETECTION ,NETWORK TRAFFIC ANALYSIS - Abstract
This work proposes using clustering methods to detect anomalous events in a network. In particular, a density function in feature space is used to separate normal events from anomalous ones. As an example of the practical use of the method, the set of TCP connections in a local network is considered and analysed.
- Published
- 2008
- Full Text
- View/download PDF