Anomaly Detection Using Gaussian Mixture Probability Model to Implement Intrusion Detection System

Network intrusion detection systems (NIDS) detect attacks or anomalous network traffic patterns in order to avoid cybersecurity issues. Anomaly detection algorithms are used to identify unusual behavior or outliers in the network traffic in order to generate alarms. Traditionally, Gaussian Mixture Models (GMMs) have been used for probability-based anomaly detection in NIDS. We propose to use multiple simple GMMs to model each individual feature, and an asymmetric voting scheme that aggregates the individual anomaly detectors to provide. We test our approach using the NSL dataset. We construct the normal behavior models using only the samples labelled as normal in this dataset and evaluate our proposal using the official NSL testing set. As a result, we obtain an F1-score over 0.9, outperforming other supervised and unsupervised proposals.
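The per-feature modelling and vote aggregation described in the abstract, as an added sketch in standard-library Python; it is not the authors' code. It assumes a two-component 1-D GMM per feature fitted by plain EM, a per-feature alarm threshold at the 1% quantile of the training log-likelihoods, and reads "asymmetric voting" as "fewer votes than a majority are enough to raise an alarm". The three features and all sample values are constructed.

```python
import math, random

def pdf(x, m, v):
    return math.exp(-(x - m) ** 2 / (2 * v)) / math.sqrt(2 * math.pi * v)

def loglik(comps, x):
    return math.log(max(sum(w * pdf(x, m, v) for w, m, v in comps), 1e-300))

def fit_gmm_1d(xs, k=2, iters=40):
    """Plain EM for a 1-D Gaussian mixture; returns [(weight, mean, var)]."""
    xs, n = sorted(xs), len(xs)
    mean = sum(xs) / n
    var = max(sum((x - mean) ** 2 for x in xs) / n, 1e-6)
    # Initialise component means at evenly spaced quantiles.
    comps = [(1 / k, xs[int((j + 0.5) * n / k)], var) for j in range(k)]
    for _ in range(iters):
        resp = []
        for x in xs:  # E-step: responsibility of each component for x
            p = [w * pdf(x, m, v) + 1e-300 for w, m, v in comps]
            resp.append([pj / sum(p) for pj in p])
        comps = []
        for j in range(k):  # M-step: re-estimate weight, mean, variance
            nj = sum(r[j] for r in resp)
            m = sum(r[j] * x for r, x in zip(resp, xs)) / nj
            v = sum(r[j] * (x - m) ** 2 for r, x in zip(resp, xs)) / nj
            comps.append((nj / n, m, max(v, 1e-6)))
    return comps

def train(normal_rows, pct=0.01):
    """One GMM per feature, fitted on normal traffic only, plus a threshold
    at the pct quantile of the training log-likelihoods (assumed rule)."""
    models = []
    for col in zip(*normal_rows):
        comps = fit_gmm_1d(col)
        scores = sorted(loglik(comps, x) for x in col)
        models.append((comps, scores[int(pct * len(scores))]))
    return models

def votes(models, row):
    # Each feature detector votes "anomalous" when its likelihood is too low.
    return sum(loglik(c, x) < thr for (c, thr), x in zip(models, row))

def is_anomalous(models, row, min_votes=1):
    # Assumed asymmetric rule: fewer votes than a majority raise the alarm.
    return votes(models, row) >= min_votes

def constructed_normal_rows(n=300, seed=7):
    # Constructed "normal" traffic: one bimodal and two unimodal features.
    rng = random.Random(seed)
    return [(rng.gauss(rng.choice((0, 10)), 1), rng.gauss(5, 2),
             rng.gauss(100, 10)) for _ in range(n)]
```

A record that is extreme in only one feature, such as `(0.0, 5.0, 500.0)`, collects a single vote: it is flagged with `min_votes=1` but would be missed by a simple majority rule over the three detectors.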
