A training-resistant anomaly detection system

Muller, Steve; Lancrenon, Jean; Harpes, Carlo; Traon, Yves Le; Gombault, Sylvain; Bonnin, Jean-Marie

doi:10.1016/j.cose.2018.02.015

Cited by 16 publications

(21 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We implemented this approach and performed a case study on a denial-of-service attack detection scenario using network traffic data recorded from a real-world system. Our results show that our framework can systematically generate attack schemes bypassing the current state-of-the-art defences, i.e., multiple clustering instances [11]. We also show that for any successful attack our framework can generate an appropriate defence without disturbing the normal (benign) traffic.…”

Section: Introductionmentioning

confidence: 82%

“…Outliers corresponds to statistical abnormalities that do not reflect changes in the system behaviour. As such, they are considered unharmful [11]. On the contrary, the formation of clusters at unexpected spaces of the grid may result from threatening persistent attacks.…”

Section: Background and Case Study 21 Clustering-based Idsmentioning

confidence: 99%

“…Unfortunately, machine-learning-based IDS are vulnerable to new types of attacks, called training attacks [11]. These attacks exploit the live learning mechanism of the systems by progressively injecting small portions of abnormal data.…”

Section: Introductionmentioning

confidence: 99%

“…Clustering-based IDS are no exception [4], as attackers can slowly modify the numbers and shapes of the clusters. Previous work has shown that a clustering-based IDS monitoring network traffic against Denial-of-Service (DoS) attacks can be deceived [11]. To counterbalance this problem, state-of-the-art countermeasures run multiple instances of clustering algorithms with different parameters to monitor the traffic in parallel.…”

Section: Introductionmentioning

confidence: 99%

“…(2) We generalize the countermeasure proposed by Muller et al. [11] and design a genetic algorithm to search for a defence strategy (in the form of new parameter sets) that succeeds in detecting the attack induced by a given test case. (3) We show that our testing framework enables the continuous improvement of IDS detection capabilities.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Search-based test and improvement of machine-learning-based anomaly detection systems

Cordy

Muller²,

Papadakis

et al. 2019

Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis

Self Cite

View full text Add to dashboard Cite

Machine-learning-based anomaly detection systems can be vulnerable to new kinds of deceptions, known as training attacks, which exploit the live learning mechanism of these systems by progressively injecting small portions of abnormal data. The injected data seamlessly swift the learned states to a point where harmful data can pass unnoticed. We focus on the systematic testing of these attacks in the context of intrusion detection systems (IDS). We propose a search-based approach to test IDS by making training attacks. Going a step further, we also propose searching for countermeasures, learning from the successful attacks and thereby increasing the resilience of the tested IDS. We evaluate our approach on a denial-of-service attack detection scenario and a dataset recording the network traffic of a real-world system. Our experiments show that our search-based attack scheme generates successful attacks bypassing the current state-of-the-art defences. We also show that our approach is capable of generating attack patterns for all configuration states of the studied IDS and that it is capable of providing appropriate countermeasures. By co-evolving our attack and defence mechanisms we succeeded at improving the defence of the IDS under test by making it resilient to 49 out of 50 independently generated attacks. CCS CONCEPTS • Security and privacy → Intrusion detection systems; • Software and its engineering → Software testing and debugging.

show abstract

Section: Introductionmentioning

confidence: 82%

Section: Background and Case Study 21 Clustering-based Idsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Search-based test and improvement of machine-learning-based anomaly detection systems

Cordy

Muller²,

Papadakis

et al. 2019

Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis

Self Cite

View full text Add to dashboard Cite

show abstract

Clustering‐based real‐time anomaly detection—A breakthrough in big data technologies

Habeeb

Nasaruddin

Gani

et al. 2019

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Off late, the ever increasing usage of a connected Internet‐of‐Things devices has consequently augmented the volume of real‐time network data with high velocity. At the same time, threats on networks become inevitable; hence, identifying anomalies in real time network data has become crucial. To date, most of the existing anomaly detection approaches focus mainly on machine learning techniques for batch processing. Meanwhile, detection approaches which focus on the real‐time analytics somehow deficient in its detection accuracy while consuming higher memory and longer execution time. As such, this paper proposes a novel framework which focuses on real‐time anomaly detection based on big data technologies. In addition, this paper has also developed streaming sliding window local outlier factor coreset clustering algorithms (SSWLOFCC), which was then implemented into the framework. The proposed framework that comprises BroIDS, Flume, Kafka, Spark streaming, SparkMLlib, Matplot and HBase was evaluated to substantiate its efficacy, particularly in terms of accuracy, memory consumption, and execution time. The evaluation is done by performing critical comparative analysis using existing approaches, such as K‐means, hierarchical density‐based spatial clustering of applications with noise (HDBSCAN), isolation forest, spectral clustering and agglomerative clustering. Moreover, Adjusted Rand Index and memory profiler package were used for the evaluation of the proposed framework against the existing approaches. The outcome of the evaluation has substantially proven the efficacy of the proposed framework with a much higher accuracy rate of 96.51% when compared to other algorithms. Besides, the proposed framework also outperformed the existing algorithms in terms of lesser memory consumption and execution time. Ultimately the proposed solution enable analysts to precisely track and detect anomalies in real time.

show abstract