A robust anomaly detection method using a constant false alarm rate approach

With the rapid growth of information and communication technologies, the number of security threats in computer networks is increasing substantially; more proactive security warning measures are therefore required. In this work, we propose a new anomaly detection method that operates by decomposing TCP traffic into control and data planes, which exhibit similar behavior in the absence of attacks. The proposed method exploits the statistics of the cross-correlation function of the two planes' traffic together with a constant false alarm rate (CFAR) scheme to detect anomalies in the underlying network traffic. Both fixed and adaptive thresholding schemes are implemented. The adaptive thresholding is set up by adjusting the threshold in accordance with the local statistics of the cross-correlation function of the two planes' traffic. We evaluate the performance of the proposed method on real traffic captured from a deployed network and on traffic obtained from other publicly available datasets, focusing on TCP traffic with three different aggregated count features: packet count, IP address count, and port count sequences. Although both the fixed and adaptive thresholding schemes perform well and detect the presence of a distributed denial-of-service attack efficiently, the adaptive thresholding scheme is more reliable because it detects anomalies as they start.
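The pipeline the abstract describes (plane decomposition, a windowed cross-correlation statistic, then fixed and adaptive CFAR thresholds on that statistic) can be illustrated end to end. The block below is an added example written for this page; it is not the paper's code. The plane split rule (payload-free or SYN/FIN/RST segments are control plane), the 60-bin correlation window, the fixed threshold, the cell-averaging CFAR constants (30 reference cells, 3 guard cells, scale factor 5) and the synthetic traffic it runs on are all assumptions of the example, chosen only to make the two schemes' behavior visible.

```python
"""Control/data-plane decorrelation detector with fixed and adaptive (CA-CFAR) thresholds.

Added illustration, not the paper's code. Assumptions: the plane split rule,
the 60-bin window, the CFAR constants and the synthetic traffic generated below.
"""
import numpy as np


def is_control(tcp_flags: str, payload_len: int) -> bool:
    """Assumed split: a segment with no payload, or carrying SYN/FIN/RST, is control plane."""
    return payload_len == 0 or any(f in tcp_flags for f in "SFR")


def bin_counts(packets, n_bins):
    """packets: iterable of (time_s, flags, payload_len) -> per-second (control, data) counts."""
    control, data = np.zeros(n_bins), np.zeros(n_bins)
    for t, flags, plen in packets:
        b = int(t)
        if 0 <= b < n_bins:
            (control if is_control(flags, plen) else data)[b] += 1
    return control, data


def windowed_decorrelation(control, data, W=60):
    """Test statistic d[t] = 1 - corr(control, data) over bins [t-W+1, t]; NaN while warming up."""
    d = np.full(len(control), np.nan)
    for t in range(W - 1, len(control)):
        c, x = control[t - W + 1:t + 1], data[t - W + 1:t + 1]
        if c.std() == 0 or x.std() == 0:
            d[t] = 1.0           # no variation in one plane: nothing to correlate
        else:
            d[t] = 1.0 - np.corrcoef(c, x)[0, 1]
    return d


def fixed_threshold(d, thr):
    """Fixed scheme: alarm wherever the statistic exceeds a constant threshold."""
    return [int(t) for t in np.flatnonzero(np.nan_to_num(d, nan=-np.inf) > thr)]


def adaptive_cfar(d, n_ref=30, n_guard=3, alpha=5.0):
    """Causal cell-averaging CFAR: threshold = alpha * mean of the n_ref cells that
    precede the n_guard guard cells before t. Once the reference cells fill with
    attack bins the threshold rises and a long attack is masked, so this scheme
    flags the onset rather than the whole event."""
    alarms, thresholds = [], np.full(len(d), np.nan)
    for t in range(n_guard + n_ref, len(d)):
        ref = d[t - n_guard - n_ref:t - n_guard]
        if np.isnan(ref).any() or np.isnan(d[t]):
            continue
        thresholds[t] = alpha * ref.mean()
        if d[t] > thresholds[t]:
            alarms.append(t)
    return alarms, thresholds


def synthetic_counts(n=700, attack=(400, 520), seed=7):
    """Constructed traffic: both planes follow one shared load (so they correlate),
    then a SYN flood adds ~400 control-plane packets/s with no data-plane counterpart."""
    rng = np.random.default_rng(seed)
    t = np.arange(n)
    load = 40 + 15 * np.sin(2 * np.pi * t / 120) + rng.normal(0, 8, n)
    control = load + rng.normal(0, 2, n)
    data = 4 * load + rng.normal(0, 6, n)
    a0, a1 = attack
    control[a0:a1] += 400 + rng.normal(0, 80, a1 - a0)
    return np.clip(control, 0, None), np.clip(data, 0, None)


def run_demo():
    control, data = synthetic_counts()
    d = windowed_decorrelation(control, data, W=60)
    return {"fixed": fixed_threshold(d, thr=0.3),
            "adaptive": adaptive_cfar(d)[0]}


if __name__ == "__main__":
    out = run_demo()
    print(f"fixed threshold : {len(out['fixed'])} bins flagged, first at t={out['fixed'][0]}")
    print(f"adaptive CA-CFAR: bins {out['adaptive']} (onset only, then masked)")
```

Running it shows the trade-off the abstract points at: the fixed threshold flags every window that overlaps the flood, while the causal CA-CFAR fires at the first attack bin and goes quiet a few bins later, because its reference cells then contain the attack and the threshold scales up with them. In a deployment the adaptive detector therefore answers "when did this start?" and needs a hold-off or a frozen reference window if the operator also wants "is it still going on?".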
