Anomaly Detection Using Data Mining Methods in IT Systems: A Decision Support Application

Sönmez, Ferdi; Zontul, Metin; Kaynar, Oğuz; Tutar, Hayati

doi:10.16984/saufenbilder.365931

Cited by 4 publications

(3 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To validate the performance of integrating traffics with logs for anomaly detection, we conduct comparison experiments through only leveraging the traffic data (or the log data). As displayed in Tables 5-8 and Figures 3-6, it is clear that neither traffics nor logs can independently achieve desirable results in detecting cyberattacks (both the False Negative (FN) and False Positive (FP) values decrease significantly), which is consistent with [16]. On the contrast, when we integrate the traffic flows with network device logs, the detection performance can be significantly improved.…”

Section: Resultsmentioning

confidence: 60%

See 1 more Smart Citation

Integrating Traffics with Network Device Logs for Anomaly Detection

Zhuo

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

Advanced cyberattacks are often featured by multiple types, layers, and stages, with the goal of cheating the monitors. Existing anomaly detection systems usually search logs or traffics alone for evidence of attacks but ignore further analysis about attack processes. For instance, the traffic detection methods can only detect the attack flows roughly but fail to reconstruct the attack event process and reveal the current network node status. As a result, they cannot fully model the complex multistage attack. To address these problems, we present Traffic-Log Combined Detection (TLCD), which is a multistage intrusion analysis system. Inspired by multiplatform intrusion detection techniques, we integrate traffics with network device logs through association rules. TLCD correlates log data with traffic characteristics to reflect the attack process and construct a federated detection platform. Specifically, TLCD can discover the process steps of a cyberattack attack, reflect the current network status, and reveal the behaviors of normal users. Our experimental results over different cyberattacks demonstrate that TLCD works well with high accuracy and low false positive rate.

show abstract

Section: Resultsmentioning

confidence: 60%

“…However, due to the complexity of the behaviors from different networks and applications, it is difficult to accurately identify the normal behaviors. The existing anomaly detection methods are usually based on device logs or traffic flows alone [16]. In general, their methods are too simple to achieve satisfactory results [17].…”

Section: Related Workmentioning

confidence: 99%

Integrating Traffics with Network Device Logs for Anomaly Detection

Zhuo

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Online anomaly detection is significant because abnormal data can often convey essential and critical information in an extensive range of applications [4,5,6,7,8,9,10,11,12,13,14]. For example, when abnormal traffic occurs in a computer network, a hacker may be using the attacked computer to send sensitive data to the target computer [15].…”

Section: Introductionmentioning

confidence: 99%

Online Anomaly Detection with Sparse Gaussian Processes

Fei¹,

Sun²

2019

Preprint

View full text Add to dashboard Cite

Online anomaly detection of time-series data is an important and challenging task in machine learning. Gaussian processes (GPs) are powerful and flexible models for modeling time-series data. However, the high time complexity of GPs limits their applications in online anomaly detection. Attributed to some internal or external changes, concept drift usually occurs in time-series data, where the characteristics of data and meanings of abnormal behaviors alter over time. Online anomaly detection methods should have the ability to adapt to concept drift. Motivated by the above facts, this paper proposes the method of sparse Gaussian processes with Qfunction (SGP-Q). The SGP-Q employs sparse Gaussian processes (SGPs) whose time complexity is lower than that of GPs, thus significantly speeding up online anomaly detection. By using Q-function properly, the SGP-Q can adapt to concept drift well. Moreover, the SGP-Q makes use of few abnormal data in the training data by its strategy of updating training data, resulting in more accurate sparse Gaussian process regression models and better anomaly detection results. We evaluate the SGP-Q on various artificial and real-world datasets. Experimental results validate the effectiveness of the SGP-Q.

show abstract