On the usefulness of machine learning techniques in collaborative anomaly detection

Due to the increase in network attacks, anomaly detection has gained importance. In this paper, we present and investigate the idea of institutions cooperating for performing anomaly detection, i.e. institutions jointly analyzing their network traffic in order to identify malicious attacks, using classification-based machine learning techniques. We compare the results of such a collaborative analysis with a single analysis. Moreover, as institutions might not be willing to share confidential data, we analyze the benefits of a collaborative approach if some parts of the traffic are being anonymized. While, intuitively, having more data at hand should lead to improved detection rates, our results indicate that a federated analysis using standard classification-based methods improves detection rates only slightly. Moreover, when using anonymized data, the obtained detection rates of a joint data analysis further deteriorate, such that the analysis of individual traffic is more useful. Thus, our research indicates that the classical classification-based machine learning approaches for anomaly detection must be adapted and improved in order to leverage the advantage of having data from various sources.
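The three settings the abstract compares (an institution analysing only its own traffic, a pooled analysis of several institutions' traffic, and a pooled analysis of anonymized traffic) can be set up as one small experiment. The following is an added example, not code from the paper or its authors: a nearest-centroid classifier over three binary flow features stands in for the paper's classification-based methods, the traffic of two fictitious institutions A and B is constructed inline, and all IP addresses are from documentation ranges. Two modelling choices are assumptions of this example rather than the paper's design: the benefit of collaboration is modelled as a shared "source already seen attacking" feature derived from the pooled training labels, and anonymization is modelled as each institution pseudonymizing source addresses with its own HMAC key, which keeps matches consistent within one institution but prevents the same address from being correlated across institutions.

```python
"""Added example (not from the paper): own vs. pooled vs. pooled-anonymized detection."""
import hashlib
import hmac

ADMIN_PORTS = {22, 23, 3389}          # remote-administration ports; an assumed feature
KEY_A = b"institution-A-secret"       # constructed per-institution pseudonymisation keys
KEY_B = b"institution-B-secret"


def flow(src_ip, dst_port, pkts, label):
    """One constructed flow record with its ground-truth label."""
    return {"src_ip": src_ip, "dst_port": dst_port, "pkts": pkts, "label": label}


def flows(n, *args):
    """n copies of the same constructed flow record."""
    return [flow(*args) for _ in range(n)]


# Institution A: long web sessions plus a single telnet/ssh scanning source.
TRAIN_A = ([flow(f"10.0.0.{i}", 443, 40, "benign") for i in range(1, 5)]
           + flows(2, "203.0.113.5", 22, 1, "attack"))
# Institution B: short DNS flows, long and short admin sessions, two attack sources.
TRAIN_B = (flows(2, "10.1.0.1", 53, 3, "benign")
           + flows(2, "10.1.0.9", 22, 80, "benign")
           + flows(1, "10.1.0.9", 22, 4, "benign")
           + flows(2, "203.0.113.5", 23, 1, "attack")
           + flows(1, "198.51.100.77", 22, 2, "attack"))
# A's held-out traffic: 198.51.100.77 appears as an attacker only in B's data.
TEST_A = [flow("10.0.0.7", 443, 30, "benign"),
          flow("10.0.0.8", 80, 3, "benign"),
          flow("203.0.113.5", 22, 1, "attack"),
          flow("198.51.100.77", 3389, 25, "attack"),
          flow("198.51.100.77", 22, 2, "attack")]


def pseudonymize(record, key):
    """Keyed pseudonym for the source address: consistent within one institution,
    but two institutions using different keys map the same IP to different tags."""
    tag = hmac.new(key, record["src_ip"].encode(), hashlib.sha256).hexdigest()[:12]
    return {**record, "src_ip": tag}


def attack_sources(training):
    """Shared intelligence: source addresses labelled as attackers in the training data."""
    return {f["src_ip"] for f in training if f["label"] == "attack"}


def features(record, known_bad):
    """Three binary features: short flow, admin port, source already seen attacking."""
    return (float(record["pkts"] <= 10),
            float(record["dst_port"] in ADMIN_PORTS),
            float(record["src_ip"] in known_bad))


class NearestCentroid:
    """Minimal classification-based detector: nearest class centroid in feature space."""

    def fit(self, training):
        self.known_bad = attack_sources(training)
        sums, counts = {}, {}
        for rec in training:
            x = features(rec, self.known_bad)
            s = sums.setdefault(rec["label"], [0.0, 0.0, 0.0])
            for i, v in enumerate(x):
                s[i] += v
            counts[rec["label"]] = counts.get(rec["label"], 0) + 1
        self.centroids = {lab: [v / counts[lab] for v in s] for lab, s in sums.items()}
        return self

    def predict(self, record):
        x = features(record, self.known_bad)
        return min(self.centroids,
                   key=lambda lab: sum((a - b) ** 2 for a, b in zip(x, self.centroids[lab])))


def evaluate(model, test):
    """Detection rate (attacks flagged) and false-alarm rate (benign flows flagged)."""
    attacks = [f for f in test if f["label"] == "attack"]
    benign = [f for f in test if f["label"] == "benign"]
    return {"detection_rate": sum(model.predict(f) == "attack" for f in attacks) / len(attacks),
            "false_alarm_rate": sum(model.predict(f) == "attack" for f in benign) / len(benign)}


def run_experiments():
    """Institution A evaluates its own held-out traffic under the three settings."""
    individual = NearestCentroid().fit(TRAIN_A)
    pooled = NearestCentroid().fit(TRAIN_A + TRAIN_B)
    shared = ([pseudonymize(f, KEY_A) for f in TRAIN_A]
              + [pseudonymize(f, KEY_B) for f in TRAIN_B])
    pooled_anon = NearestCentroid().fit(shared)
    test_anon = [pseudonymize(f, KEY_A) for f in TEST_A]
    return {"individual": evaluate(individual, TEST_A),
            "pooled": evaluate(pooled, TEST_A),
            "pooled_anonymized": evaluate(pooled_anon, test_anon)}


if __name__ == "__main__":
    for name, result in run_experiments().items():
        print(f"{name:18s} detection={result['detection_rate']:.2f} "
              f"false_alarm={result['false_alarm_rate']:.2f}")
```

On this constructed data A alone detects two of its three test attacks, the pooled model detects all three because B's labels mark 198.51.100.77 as an attacker, and the pooled model trained on independently pseudonymized traffic detects only one: B's quite different benign profile (short DNS flows, admin sessions) still blurs the pooled benign centroid, while the cross-institution source match that compensated for it no longer exists. The numbers only illustrate that mechanism; they are not the paper's measurements, and any real evaluation would use the institutions' actual traffic and the classifiers the paper studies.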
