Improving the effectiveness of intrusion detection systems for hierarchical data

Abstract

A high false alarm rate of anomaly-based, online, high-throughput intrusion detection systems (IDSs) is a serious concern, often rendering these IDSs impractical for use in real-world systems. The usual approach to this problem is to try to decrease or limit the false alarm rate directly. However, IDSs that adopt this approach are usually attack- or algorithm-specific and are not considered generally applicable. In this paper, we propose a general method for lowering the false positive rate (FPR) of any existing state-of-the-art anomaly-based IDS for hierarchical data, while minimizing the potential decrease in the detection rate. The method automatically learns the underlying hierarchy of sub-classes from a dataset of normal instances and then applies the IDS separately to each sub-class, so that every instance is judged against the narrower profile of the sub-class it belongs to rather than against a single profile of all normal data. Compared to previous work, our method is more practical because it does not require users to possess any knowledge about the data's hierarchical structure or to make assumptions about its distribution. We evaluate our method's ability to improve the effectiveness of recent state-of-the-art IDSs on a variety of attacks on operational networks of IP cameras and IoT devices, as well as attacks on the MIL-STD-1553 communication protocol. We test numerous configurations of all IDSs and show that our method improves detection performance in more than 98% of our tests. We demonstrate that our method can improve IDSs that operate on any type of data, e.g. independent feature-vector instances or sequences of dependent data records. By evaluating on datasets with different attack occurrence rates, we also demonstrate that the improvement in an IDS's effectiveness becomes more significant as attacks occur more rarely. This further emphasizes our method's contribution to real-life intrusion detection scenarios, in which attack occurrence rates can be very low.
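The mechanism the abstract describes (learn sub-classes of the normal data, then run the base IDS per sub-class instead of once over all normal data) is illustrated below by an added example; it is not code from the paper and does not reproduce the paper's method or datasets. The base detector is assumed to be a per-feature z-score detector, the sub-class hierarchy is assumed to be learned with Lloyd's k-means (one flat level of sub-classes), and every traffic sample is constructed by hand: two device sub-classes whose union has a very wide "normal" envelope, plus an attack sample that sits between them and is invisible to a detector trained on the union.

```python
"""Added illustration: wrapping a one-class anomaly detector in a learned
sub-class hierarchy. Assumptions (not from the paper): z-score base
detector, Lloyd's k-means for the hierarchy, hand-constructed samples."""
import math
import statistics
from typing import List, Sequence, Tuple

Point = Tuple[float, ...]

# Constructed "normal" feature vectors (mean packet size in bytes,
# mean inter-arrival time in ms) from two device sub-classes on one network.
NORMAL: List[Point] = [
    # sub-class A: IP camera video stream (large packets, sent often)
    (1180.0, 28.0), (1200.0, 30.0), (1220.0, 32.0),
    (1190.0, 29.0), (1210.0, 31.0), (1200.0, 30.0),
    # sub-class B: IoT sensor heartbeat (small packets, sent rarely)
    (90.0, 980.0), (100.0, 1000.0), (110.0, 1020.0),
    (95.0, 990.0), (105.0, 1010.0), (100.0, 1000.0),
]

# Constructed test traffic.
NORMAL_CAMERA: Point = (1205.0, 30.5)    # benign camera sample
OBVIOUS_ATTACK: Point = (5000.0, 1.0)    # flood: huge packets, no gap
MIMICRY_ATTACK: Point = (650.0, 500.0)   # lies between the two sub-classes


def euclid(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points: Sequence[Point], k: int, max_iter: int = 50) -> Tuple[List[Point], List[int]]:
    """Lloyd's k-means with deterministic seeding (first point, then the point
    farthest from the centroids chosen so far). Returns the centroids and the
    cluster index of every input point."""
    centroids: List[Point] = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(euclid(p, c) for c in centroids)))
    assign: List[int] = []
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda i: euclid(p, centroids[i])) for p in points]
        if new_assign == assign:   # no point changed cluster: converged
            break
        assign = new_assign
        for i in range(k):
            members = [p for p, a in zip(points, assign) if a == i]
            if members:            # an empty cluster keeps its old centroid
                centroids[i] = tuple(statistics.fmean(col) for col in zip(*members))
    return centroids, assign


class ZScoreDetector:
    """Base one-class detector: per-feature z-scores against a normal profile.
    The anomaly score of x is its largest absolute z-score over all features."""

    def __init__(self, normal: Sequence[Point]) -> None:
        cols = list(zip(*normal))
        self.means = [statistics.fmean(c) for c in cols]
        # epsilon keeps a constant feature (or a one-member profile) from dividing by zero
        self.stds = [max(statistics.pstdev(c), 1e-9) for c in cols]

    def score(self, x: Point) -> float:
        return max(abs(v - m) / s for v, m, s in zip(x, self.means, self.stds))


class HierarchicalDetector:
    """Learns k sub-classes of the normal data, trains one base detector per
    sub-class, and scores a new instance with the detector of the sub-class
    whose centroid it is closest to."""

    def __init__(self, normal: Sequence[Point], k: int) -> None:
        centroids, assign = kmeans(normal, k)
        self.centroids: List[Point] = []
        self.detectors: List[ZScoreDetector] = []
        for i, c in enumerate(centroids):
            members = [p for p, a in zip(normal, assign) if a == i]
            if members:  # drop an empty sub-class rather than fit a detector on nothing
                self.centroids.append(c)
                self.detectors.append(ZScoreDetector(members))

    def subclass_of(self, x: Point) -> int:
        return min(range(len(self.centroids)), key=lambda i: euclid(x, self.centroids[i]))

    def score(self, x: Point) -> float:
        return self.detectors[self.subclass_of(x)].score(x)


def is_alert(detector, x: Point, threshold: float = 3.0) -> bool:
    return detector.score(x) > threshold


def false_positive_rate(detector, normal: Sequence[Point], threshold: float = 3.0) -> float:
    return sum(is_alert(detector, p, threshold) for p in normal) / len(normal)


if __name__ == "__main__":
    flat = ZScoreDetector(NORMAL)
    hier = HierarchicalDetector(NORMAL, k=2)
    for name, x in [("normal camera", NORMAL_CAMERA), ("obvious attack", OBVIOUS_ATTACK),
                    ("mimicry attack", MIMICRY_ATTACK)]:
        print(f"{name:15s} flat score={flat.score(x):7.2f} alert={is_alert(flat, x)!s:5s} "
              f"hierarchical score={hier.score(x):7.2f} alert={is_alert(hier, x)}")
    print("FPR on normal data: flat=%.2f hierarchical=%.2f"
          % (false_positive_rate(flat, NORMAL), false_positive_rate(hier, NORMAL)))
```

Both detectors raise no alert on the normal samples at the same threshold, and both flag the flood. The mimicry sample is scored close to zero by the flat detector, because the union of a camera profile and a sensor profile has a standard deviation of hundreds of bytes and hundreds of milliseconds, but scores far above the threshold once it is compared only with the camera sub-class it is nearest to. That is what the tighter per-sub-class envelope buys: at a fixed FPR the hierarchy catches instances the flat profile cannot, or, equivalently, the operator can raise the threshold to cut false positives while still catching them.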
