Anomaly detection system based on sparse signal representation

In this paper we present a further expansion of our matching pursuit methodology for anomaly detection in computer networks. In our previous work we proposed a new signal-based algorithm for intrusion detection systems that follows the anomaly detection approach and is built on the Matching Pursuit algorithm. This time we present a completely different approach to generating the dictionary of base functions (atoms). We propose a modification of the K-SVD [1] algorithm in order to select atoms from a real 1-D signal which represents network traffic features. Dictionary atoms selected in this way are able to approximate different 1-D signals representing network traffic features. The resulting dictionary was used to detect network anomalies on benchmark data sets. Results were compared to those of a dictionary based on analytical 1-D Gabor atoms.

[1] Lukasz Saganowski, et al. A Novel Signal-Based Approach to Anomaly Detection in IDS Systems, 2009, ICANNGA.

[2] Dennis Gabor, et al. Theory of communication, 1946.

[3] Stéphane Mallat, et al. Matching pursuits with time-frequency dictionaries, 1993, IEEE Trans. Signal Process.

[4] P. Frossard, et al. Tree-Based Pursuit: Algorithm and Properties, 2006, IEEE Transactions on Signal Processing.

[5] S. Mallat, et al. Adaptive greedy approximations, 1997.

[6] Joel A. Tropp, et al. Greed is good: algorithmic results for sparse approximation, 2004, IEEE Transactions on Information Theory.

[7] Ali A. Ghorbani, et al. Network Anomaly Detection Based on Wavelet Analysis, 2009, EURASIP J. Adv. Signal Process.

[8] Mark Crovella, et al. Characterization of network-wide anomalies in traffic flows, 2004, IMC '04.

[9] Edward A. Lee, et al. Adaptive Signal Models: Theory, Algorithms, and Audio Applications, 1998.

[10] Luigi Coppolino, et al. Exploiting diversity and correlation to improve the performance of intrusion detection systems, 2009, 2009 International Conference on Network and Service Security.

[11] M. Elad, et al. K-SVD: An Algorithm for Designing Overcomplete Dictionaries for Sparse Representation, 2006, IEEE Transactions on Signal Processing.

[12] Balas K. Natarajan, et al. Sparse Approximate Solutions to Linear Systems, 1995, SIAM J. Comput.

[13] Lori L. DeLooze, et al. Attack Characterization and Intrusion Detection using an Ensemble of Self-Organizing Maps, 2006, The 2006 IEEE International Joint Conference on Neural Network Proceedings.

[14] C. Miller. Image Sensor Data Base for the DARPA ALV (Defense Advanced Research Projects Agency Autonomous Land Vehicle) Program, 1986.

[15] Y. C. Pati, et al. Orthogonal matching pursuit: recursive function approximation with applications to wavelet decomposition, 1993, Proceedings of 27th Asilomar Conference on Signals, Systems and Computers.

[16] Lukasz Saganowski, et al. Statistical and signal‐based network traffic recognition for anomaly detection, 2012, Expert Syst. J. Knowl. Eng.

[17] Michael M. Goodwin, et al. Adaptive Signal Models, 1998.

[18] S. Muthukrishnan, et al. Approximation of functions over redundant dictionaries using coherence, 2003, SODA '03.