Online and Scalable Unsupervised Network Anomaly Detection Method

Today's network intrusion detectors mainly rely on knowledge databases to flag suspicious traffic. These databases must be continuously updated, which demands considerable human effort and time. Unsupervised network anomaly detectors avoid this dependency by using "intelligent" techniques to identify anomalies without any prior knowledge. However, such systems are often very complex, because they have to explore the network traffic to identify flow patterns, and are therefore frequently unable to meet real-time requirements. In this paper, we present a new online, real-time unsupervised network anomaly detection algorithm, ORUNADA. Our solution relies on a discrete time-sliding window to continuously update the feature space and on incremental grid clustering to detect anomalies rapidly. The evaluations showed that ORUNADA can process large volumes of network traffic online while keeping the detection delay low and the detection performance good. Experiments on the traffic of a core network of a Spanish intermediate Internet service provider showed that ORUNADA detects an anomaly less than half a second after it occurs. Furthermore, the results show that our solution outperforms existing techniques reported in the literature in terms of both true positive rate and false positive rate.
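As an added illustration (not the paper's ORUNADA code), the sketch below shows how a discrete time-sliding window and an incremental grid can work together: flows are bucketed into fixed-length time slots, each source's feature point is recomputed only when one of its flows enters or leaves the window, and the grid keeps a running count of points per cell so that outliers (points whose grid neighbourhood is sparse) can be read off without re-clustering the whole window. The feature choice (distinct destinations, mean packets per flow), the cell sizes, the density threshold, the class and function names, and the flow records are all constructed assumptions.

```python
"""Sliding-window feature aggregation plus incremental grid density clustering
for unsupervised anomaly detection on flow records.  Added illustration in the
spirit of the approach the abstract describes, NOT the ORUNADA implementation;
features, cell sizes, threshold and the flow records are constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

Cell = Tuple[int, ...]


@dataclass(frozen=True)
class Flow:
    t: float   # arrival time in seconds (flows are assumed to arrive in time order)
    src: str   # source address, used here as the aggregation key
    dst: str   # destination address
    pkts: int  # packets in the flow


class SlidingGridDetector:
    """Keeps the last n_slots slots of slot_len seconds and one grid point per source."""

    def __init__(self, slot_len: float, n_slots: int,
                 cell_sizes: Tuple[float, ...], min_density: int) -> None:
        self.slot_len, self.n_slots = slot_len, n_slots
        self.cell_sizes, self.min_density = cell_sizes, min_density
        self.slots = deque()                                    # (slot id, flows in slot)
        self.by_src: Dict[str, List[Flow]] = defaultdict(list)  # live flows per source
        self.cell_of: Dict[str, Cell] = {}                      # current cell per source
        self.counts: Dict[Cell, int] = defaultdict(int)         # sources per grid cell

    @staticmethod
    def _features(flows: List[Flow]) -> Tuple[float, float]:
        # Per-source feature vector over the window: distinct destinations and mean
        # packets per flow.  A scanner has many destinations and tiny flows.
        return (len({f.dst for f in flows}), sum(f.pkts for f in flows) / len(flows))

    def _cell(self, feats: Tuple[float, ...]) -> Cell:
        return tuple(int(v // s) for v, s in zip(feats, self.cell_sizes))

    def _replace_point(self, src: str) -> None:
        # Move the source's point to the cell matching its current window contents.
        old = self.cell_of.pop(src, None)
        if old is not None:
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        flows = self.by_src.get(src)
        if flows:
            new = self._cell(self._features(flows))
            self.cell_of[src] = new
            self.counts[new] += 1
        else:
            self.by_src.pop(src, None)

    def _expire(self, current_slot: int) -> None:
        # Drop whole slots that fell out of the window; recompute only touched sources.
        touched = set()
        while self.slots and self.slots[0][0] <= current_slot - self.n_slots:
            _, flows = self.slots.popleft()
            for f in flows:
                self.by_src[f.src].remove(f)
                touched.add(f.src)
        for src in touched:
            self._replace_point(src)

    def observe(self, flow: Flow) -> None:
        slot = int(flow.t // self.slot_len)
        if not self.slots or self.slots[-1][0] != slot:
            self.slots.append((slot, []))
        self.slots[-1][1].append(flow)
        self.by_src[flow.src].append(flow)
        self._replace_point(flow.src)
        self._expire(slot)

    def _neighbourhood_density(self, cell: Cell) -> int:
        # Points in the cell and its immediate neighbours (3^d cells for d features).
        return sum(self.counts.get(tuple(c + o for c, o in zip(cell, off)), 0)
                   for off in product((-1, 0, 1), repeat=len(cell)))

    def outliers(self) -> List[str]:
        """Sources whose grid neighbourhood holds fewer than min_density points."""
        return sorted(src for src, cell in self.cell_of.items()
                      if self._neighbourhood_density(cell) < self.min_density)


def build_sample_flows() -> Tuple[List[Flow], List[Flow]]:
    """Constructed traffic: ten clients exchanging 12-16 packet flows with two servers
    over 0-5 s, one host sweeping 25 destinations with single packets at t=4 s, then a
    quiet round of benign flows at t=9 s once the scan has left the window."""
    servers = ["10.0.0.1", "10.0.0.2"]
    busy = [Flow(0.6 * k + 0.05 * i, f"192.168.1.{10 + i}", servers[k % 2], 12 + (i + k) % 5)
            for i in range(10) for k in range(8)]
    busy += [Flow(4.0 + 0.02 * j, "192.168.1.200", f"10.0.1.{j}", 1) for j in range(25)]
    quiet = [Flow(9.0 + 0.05 * i, f"192.168.1.{10 + i}", servers[0], 14) for i in range(10)]
    return sorted(busy, key=lambda f: f.t), quiet


def run_demo() -> Tuple[List[str], List[str]]:
    """Outliers right after the scan, and again once the window has slid past it."""
    det = SlidingGridDetector(slot_len=1.0, n_slots=3, cell_sizes=(5.0, 5.0), min_density=3)
    busy, quiet = build_sample_flows()
    for f in busy:
        det.observe(f)
    during_scan = det.outliers()
    for f in quiet:
        det.observe(f)
    return during_scan, det.outliers()


if __name__ == "__main__":
    print(run_demo())  # (['192.168.1.200'], [])
```

Two points are worth noting: the cost per flow is bounded by the number of sources touched when a slot expires, not by the window size, which is what makes the grid update "incremental"; and a single benign host seen in an otherwise empty window would also be reported as an outlier, so in practice the density threshold has to be tuned to the traffic volume of the window, and the paper's evaluation on ISP traffic is exactly that kind of calibration.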
