An efficient hybrid SVDD/clustering approach for anomaly-based intrusion detection

Kenaza, Tayeb; Bennaceur, Khadidja; Labed, Abdenour

doi:10.1145/3167132.3167180

Cited by 13 publications

(8 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These models are then used in testing whether an observation is normal or abnormal, assuming unforeseen anomalies do not follow the learned patterns. Kanaza et al [3] integrated supports vector data description and clustering algorithms, and Liu et al [4] integrated K-prototype clustering and k-NN classification algorithms to detect anomalous data points, assuming anomalies are rare or accidental events. When prior domain knowledge is available for linking causal or dependency relations among subjects, objects and operations, graph-based anomaly detection methods (such as Elicit [9], Log2Vec [16], Oprea et al [17]) could be powerful.…”

Section: Related Workmentioning

confidence: 99%

“…What is worse, emerging cyber threats are more difficult to be identified by signature-based detection methods, because more and more evasive techniques are available to adversaries. To identify the emerging cyber threats before they can cause greater damage, anomaly detection upon user behaviors has attracted focuses from largescale enterprises [3]- [9], as anomaly detection enables security analysts to find suspicious activities that could be aftermath of cyber threats (including cyberattacks and insider threats). Adversarial activities often manifest themselves in abnormal behavioral changes compared to past habitual patterns.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Time-Window Group-Correlation Support vs. Individual Features: A Detection of Abnormal Users

Yuan,

Choo,

et al. 2020

Preprint

View full text Add to dashboard Cite

Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will wrongly report many normal users as anomalies on busy days, which, in turn, lead to high false positive rate. In this paper, we propose ACOBE, an Anomaly detection method based on COmpound BEhavior, which takes into consideration long-term patterns and group behaviors. ACOBE leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list. Our evaluation shows that ACOBE outperforms prior work by a large margin in terms of precision and recall, and our case study demonstrates that ACOBE is applicable in practice for cyberattack detection.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Time-Window Group-Correlation Support vs. Individual Features: A Detection of Abnormal Users

Yuan,

Choo,

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…Most anomaly detection methods are zero-positive machine learning models that are trained by only normal (i.e., negative) data and then used in testing whether observation data is normal or abnormal, assuming unforeseen anomalies do not follow the learned normal patterns. For example, Kenaza et al [27] integrated supports vector data description and clustering algorithms, and Liuq et al [33] integrated Kprototype clustering and k-NN classification algorithms to detect anomalous data points, assuming anomalies are rare or accidental events. When prior domain knowledge is available for linking causal or dependency relations among subjects and objects and operations, graph-based anomaly detection methods (such as Elicit [35], Log2Vec [29], Oprea et al [38]) could be powerful.…”

Section: Related Workmentioning

confidence: 99%

“…One of the most challenging problems in the field of intrusion detection is anomaly detection for discrete event logs. Researchers have been trying to resolve this challenge for two decades, and most work have focused on applying unsupervised learning upon engineered features from normal data, assuming unforeseen anomalies do not follow the learned normal patterns (e.g., [27], [33], [25], [35], [29], [38], [3], [36], [31], [32]). Recently, solving this challenge with deep learning has gained a substantial amount of traction in the security community (e.g., [15], [6], [17], [16], [47]), partially due to the unique advantages of deep learning in natural language processing.…”

Section: Introductionmentioning

confidence: 99%

Recomposition vs. Prediction: A Novel Anomaly Detection for Discrete Events Based On Autoencoder

Yuan,

Liu,

Zhu

2020

Preprint

View full text Add to dashboard Cite

One of the most challenging problems in the field of intrusion detection is anomaly detection for discrete event logs. While most earlier work focused on applying unsupervised learning upon engineered features, most recent work has started to resolve this challenge by applying deep learning methodology to abstraction of discrete event entries. Inspired by natural language processing, LSTM-based anomaly detection models were proposed. They try to predict upcoming events, and raise an anomaly alert when a prediction fails to meet a certain criterion. However, such a predict-next-event methodology has a fundamental limitation: event predictions may not be able to fully exploit the distinctive characteristics of sequences. This limitation leads to high false positives (FPs) and high false negatives (FNs). It is also critical to examine the structure of sequences and the bi-directional causality among individual events. To this end, we propose a new methodology: Recomposing event sequences as anomaly detection. We propose DabLog, a LSTM-based Deep Autoencoder-Based anomaly detection method for discrete event Logs. The fundamental difference is that, rather than predicting upcoming events, our approach determines whether a sequence is normal or abnormal by analyzing (encoding) and reconstructing (decoding) the given sequence. Our evaluation results show that our new methodology can significantly reduce the numbers of FPs and FNs, hence achieving a higher F1 score.

show abstract

“…In [15], a terrain classification method for ensuring navigation safety of mobile service robots based on SVDD is proposed. To enhance the performance of SVDD, numerous extensions and hybridization techniques have been proposed [8], [16], [17], [18], [19] [20]. The main extensions of SVDD can be categorized into four main categories.…”

Section: Introductionmentioning

confidence: 99%

Ellipsoidal Subspace Support Vector Data Description

Sohrab,

Raitoharju,

Iosifidis

et al. 2020

Preprint

View full text Add to dashboard Cite

In this paper, we propose a novel method for transforming data into a low-dimensional space optimized for one-class classification. The proposed method iteratively transforms data into a new subspace optimized for ellipsoidal encapsulation of target class data. We provide both linear and non-linear formulations for the proposed method. The method takes into account the covariance of the data in the subspace; hence, it yields a more generalized solution as compared to Subspace Support Vector Data Description for a hypersphere. We propose different regularization terms expressing the class variance in the projected space. We compare the results with classic and recently proposed one-class classification methods and achieve better results in the majority of cases. The proposed method is also noticed to converge much faster than recently proposed Subspace Support Vector Data Description.

show abstract

An efficient hybrid SVDD/clustering approach for anomaly-based intrusion detection

Cited by 13 publications

References 13 publications

Time-Window Group-Correlation Support vs. Individual Features: A Detection of Abnormal Users

Time-Window Group-Correlation Support vs. Individual Features: A Detection of Abnormal Users

Recomposition vs. Prediction: A Novel Anomaly Detection for Discrete Events Based On Autoencoder

Ellipsoidal Subspace Support Vector Data Description

Contact Info

Product

Resources

About