Anomaly Detection and Attribution in Networks With Temporally Correlated Traffic

Nevat, Ido; Divakaran, Dinil Mon; Nagarajan, Sai Ganesh; Zhang, Pengfei; Su, Le; Ko, Li Ling; Thing, Vrizlynn L. L.

doi:10.1109/tnet.2017.2765719

Cited by 72 publications

(42 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…is a widely and deeply studied research problem. Past works have developed solutions based on varying approches, for example, rule-based systems [9], information theoretic techniques [10], [11], signal analysis [12], statistical models and hypothesis testing [13], [14], as well as data mining and machine learning algorithms [15], [16]. As computational resources becoming cheaper, there has been an increasing interest in applying machine learning techniques for detecting anomalies in network.…”

Section: Related Workmentioning

confidence: 99%

GEE: A Gradient-based Explainable Variational Autoencoder for Network Anomaly Detection

Nguyen

Lim

Divakaran³

et al. 2019

2019 IEEE Conference on Communications and Network Security (CNS)

Self Cite

120

View full text Add to dashboard Cite

This paper looks into the problem of detecting network anomalies by analyzing NetFlow records. While many previous works have used statistical models and machine learning techniques in a supervised way, such solutions have the limitations that they require large amount of labeled data for training and are unlikely to detect zero-day attacks. Existing anomaly detection solutions also do not provide an easy way to explain or identify attacks in the anomalous traffic. To address these limitations, we develop and present GEE, a framework for detecting and explaining anomalies in network traffic. GEE comprises of two components: (i) Variational Autoencoder (VAE) -an unsupervised deep-learning technique for detecting anomalies, and (ii) a gradient-based fingerprinting technique for explaining anomalies. Evaluation of GEE on the recent UGR dataset demonstrates that our approach is effective in detecting different anomalies as well as identifying fingerprints that are good representations of these various attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

GEE: A Gradient-based Explainable Variational Autoencoder for Network Anomaly Detection

Nguyen

Lim

Divakaran³

et al. 2019

2019 IEEE Conference on Communications and Network Security (CNS)

Self Cite

120

View full text Add to dashboard Cite

show abstract

“…Machine learning (including deep learning) has been increasingly employed for security purposes, such as anomaly detection [34], [35], malicious domain detection [8], etc. In this section, we provide the background on phishing classifiers, including the different features used for building ML-based classifiers.…”

Section: Motivationmentioning

confidence: 99%

Building Robust Phishing Detection System: an Empirical Analysis

Lee¹,

Ye²,

Liu³

et al. 2020

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web

Self Cite

View full text Add to dashboard Cite

To tackle phishing attacks, recent research works have resorted to the application of machine learning (ML) algorithms, yielding promising results. Often, a binary classification model is trained on labeled datasets of benign and phishing URLs (and contents) obtained via crawling. While phishing classifiers have high accuracy (precision and recall), they, however, are also prone to adversarial attacks wherein an adversary tries to evade the ML-based classifier by mimicking (feature values of) benign web pages. Based on this observation, in our work, we propose a simple approach to build a robust phishing page detection system. Our detection system, based on voting, employs multiple models, such that each model is trained by inserting (controlled) noises in a subset of randomly selected features from the full feature set. We conduct comprehensive experiments using real datasets, and based on a number of evasive strategies, evaluate the robustness of, both, the traditional native ML model and our proposed detection system. The results demonstrate that our proposed system, on one hand, performs close to the native model when there is no adversarial attack, and on the other hand, is more robust against evasion attacks than the native model.

show abstract

“…The source and destination IP addresses in the packets can be treated as different hosts or users, and we can perform anomaly detection by analyzing the communication patterns among those hosts [19], [20], [21]. There are a number of statistical methods can be used for this kind of pattern analysis, such as the Markov chain and binary composite hypothesis testing [22], [23], [24]. However, with the increasing number of network users and bandwidth, especially sophisticated hackers, they tend to gradually change their behaviors.…”

Section: Related Workmentioning

confidence: 99%

Symmetry Degree Measurement and its Applications to Anomaly Detection

Qin

Liu

Wang

et al. 2020

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Anomaly detection is an important technique to identify network unusual behaviour patterns and keep the network under control. The network attacks are increasing in both number and sophistication. To avoid causing significant traffic patterns and being detected by existing techniques, many newly attacks tend to gradually adjust their behaviors, which always generate incomplete sessions due to their running mechanisms. In this work, we employ the behavior symmetry degree to profile the anomalies and further identify and detect unusual behaviors. By identifying the incomplete sessions generated by unusual behaviors that only contain forward or backward packets, we first proposed a behaviour symmetry degree to capture the features of these unusual behaviors; then, we employ the sketch to calculate the symmetry degree of an unusual behaviour to improve the identification efficient for online application. To reduce the memory cost and probability of collision, we divide the IP addresses into four segments that can be used as keys of the hash functions. To further improve the detection accuracy, a threshold selection method is proposed for the dynamic traffic pattern analysis. Then, the hash functions in the sketch are designed using Chinese remainder theory, which can trace the IP addresses associated with the anomalies analytically. We tested the proposed techniques based on the traffic data collected from northwest center of CERNET (China Education and Research Network) and the results show that the proposed methods can effectively detect anomalies in complex networks.

show abstract

Anomaly Detection and Attribution in Networks With Temporally Correlated Traffic

Cited by 72 publications

References 29 publications

GEE: A Gradient-based Explainable Variational Autoencoder for Network Anomaly Detection

GEE: A Gradient-based Explainable Variational Autoencoder for Network Anomaly Detection

Building Robust Phishing Detection System: an Empirical Analysis

Symmetry Degree Measurement and its Applications to Anomaly Detection

Contact Info

Product

Resources

About