A Deep Learning Approach for Network Anomaly Detection Based on AMF-LSTM

Zhu, Mingyi; Ye, Kejiang; Wang, Yang; Xu, Cheng‐Zhong

doi:10.1007/978-3-030-05677-3_13

Cited by 35 publications

(17 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other temporal approaches for anomaly detection are based on Autoregressive Integrated Moving Average (ARIMA) [20][21][22] and Exponential Smoothing [23] (with Holt-Winters seasonal method [24] being the most common), where historical values are used to forecast the next value of a time series, and anomaly detection is built on top of values far from the outcome of the model. Finally, neural networks methods such as LSTM Autoencoder [25,26] can be used to detect anomalies, where the model is trained with a set of 'normal' data and then tries to reproduce the rest of the dataset. A degradation in the accuracy of the reconstructed signal means an anomaly is present.…”

Section: Anomaly Detection: Existing Methodsmentioning

confidence: 99%

Leveraging Website Popularity Differences to Identify Performance Anomalies

Grassi

Teixeira

Barakat

et al. 2021

IEEE INFOCOM 2021 - IEEE Conference on Computer Communications

View full text Add to dashboard Cite

Web performance anomalies (e.g. time periods when metrics like page load time are abnormally high) have significant impact on user experience and revenues of web service providers. Existing methods to automatically detect web performance anomalies focus on popular websites (e.g. with tens of thousands of visits per minute). Across a wider diversity of websites, however, the number of visits per hour varies enormously, and some sites will only have few visits per hour. Low rates of visits create measurement gaps and noise that prevent the use of existing methods. This paper develops WMF, a web performance anomaly detection method applicable across a range of websites with highly variable measurement volume. To demonstrate our method, we leverage data from a website monitoring company, which allows us to leverage cross-site measurements. WMF uses matrix factorization to mine patterns that emerge from a subset of the websites to "fill in" missing data on other websites. Our validation using both a controlled website and synthetic anomalies shows that WMF's F1-score is more than double that of the state-of-the-art method. We then apply WMF to three months of web performance measurements to shed light on performance anomalies across a variety of 125 small to medium websites.

show abstract

Section: Anomaly Detection: Existing Methodsmentioning

confidence: 99%

Leveraging Website Popularity Differences to Identify Performance Anomalies

Grassi

Teixeira

Barakat

et al. 2021

IEEE INFOCOM 2021 - IEEE Conference on Computer Communications

View full text Add to dashboard Cite

show abstract

“…The second ML model was the CNN model. Besides being successful in image and video recognition, recommender systems, and natural language processing, CNN and its derivatives have their frequent implementation in the field of anomaly detection [39]- [41].…”

Section: ) Model Training and Testingmentioning

confidence: 99%

Anomaly-Based Intrusion Detection by Machine Learning: A Case Study on Probing Attacks to an Institutional Network

2021

View full text Add to dashboard Cite

Cyber attacks constitute a significant threat to organizations with implications ranging from economic, reputational, and legal consequences. As cybercriminals' techniques get sophisticated, information security professionals face a more significant challenge to protecting information systems. In today's interconnected realm of computer systems, each attack vector has a network dimension. The present study investigates network intrusion attempts with anomaly-based machine learning models to provide better protection than the conventional misuse-based models. Two models, namely an ensemble learning model and a convolutional neural network model, were built and implemented on a data set gathered from a real-life, institutional production environment. To demonstrate the models' reliability and validity, they were applied to the UNSW-NB15 benchmarking data set. The type of attack was limited to probing attacks to keep the scope of the study manageable. The findings revealed high accuracy rates, the CNN model being slightly more accurate.INDEX TERMS Anomaly-based, misuse-based, intrusion detection systems, probing attacks.

show abstract

“…The performance of both the models are evaluated and it can observed that DL model acheveils 97.80% of accuracy while SVM achieves an accuracy of 69.79%. In [479], an anomaly detection model based on LSTM network is proposed. The model uses multiple flows to extract the temporal features.…”

Section: A Deep Learning In Intrusion Detectionmentioning

confidence: 99%