Anomaly extraction in backbone networks using association rules

Brauckhoff, Daniela; Dimitropoulos, Xenofontas; Wagner, Arno; Salamatian, Kavé

doi:10.1145/1644893.1644897

Cited by 95 publications

(97 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In several review papers [26][27][28][29][30][31][32] various network anomaly detection methods have been summarized. From aforementioned surveys one can find that the most effective methods of network anomaly detection are Principle Component Analysis [33][34][35], Wavelet analysis [36][37][38], Markovian models [39,40], Clustering [41][42][43], Histograms [44,45], Sketches [46,47], and Entropies [8,15,48].…”

Section: General Overview Of Network Anomaly Techniquesmentioning

confidence: 99%

“…In their method histogram-based baselines were constructed from selected essential network traffic features distributions like addresses and ports. This work was augmented by Brauckhoff et al in [47] who applied association rule mining, in order to identify flows representing anomalous network traffic. The main problem with non-entropic feature distributions summarization techniques is a proper tuning [9].…”

Section: Detection Via Feature Distributionsmentioning

confidence: 99%

See 1 more Smart Citation

An Entropy-Based Network Anomaly Detection Method

Bereziński

Jasiul

Szpyrka

2015

Entropy

161

View full text Add to dashboard Cite

Data mining is an interdisciplinary subfield of computer science involving methods at the intersection of artificial intelligence, machine learning and statistics. One of the data mining tasks is anomaly detection which is the analysis of large quantities of data to identify items, events or observations which do not conform to an expected pattern. Anomaly detection is applicable in a variety of domains, e.g., fraud detection, fault detection, system health monitoring but this article focuses on application of anomaly detection in the field of network intrusion detection.The main goal of the article is to prove that an entropy-based approach is suitable to detect modern botnet-like malware based on anomalous patterns in network. This aim is achieved by realization of the following points: (i) preparation of a concept of original entropy-based network anomaly detection method, (ii) implementation of the method, (iii) preparation of original dataset, (iv) evaluation of the method.

show abstract

Section: General Overview Of Network Anomaly Techniquesmentioning

confidence: 99%

Section: Detection Via Feature Distributionsmentioning

confidence: 99%

An Entropy-Based Network Anomaly Detection Method

Bereziński

Jasiul

Szpyrka

2015

Entropy

161

View full text Add to dashboard Cite

show abstract

“…We evaluate our technique using the widely accepted 1998 DARPA [13] and 1999 KDD Cup [14] datasets. The logic behind using these datasets is that they have been used in a large proportion of research on network traffic analysis [15][16][17][18][19]. We also use the Kyoto dataset [32], which contains a present-day network traffic and attacks, to prove that our approach performs well not only with relatively old but also current network infrastructures.…”

Section: Motivationmentioning

confidence: 99%

Novel Approach for Network Traffic Pattern Analysis using Clustering-based Collective Anomaly Detection

Ahmed

Mahmood

2015

Ann. Data. Sci.

View full text Add to dashboard Cite

There is increasing interest in the data mining and network management communities in improving existing techniques for the prompt analysis of underlying traffic patterns. Anomaly detection is one such technique for detecting abnormalities in many different domains, such as computer network intrusion, gene expression analysis, financial fraud detection and many more. Clustering is a useful unsupervised method for both identifying underlying patterns in data and anomaly detection. However, existing clustering-based techniques have high false alarm rates and consider only individual data instances for anomaly detection. Interestingly, there are traffic flows which seem legitimate but are targeted at disrupting a normal computing environment, such as the Denial of Service (DoS) attack. The presence of such anomalous data instances explains the poor performances of existing clustering-based anomaly detection techniques. In this paper, we formulate the problem of detecting DoS attacks as a collective anomaly which is a pattern in the data when a group of similar data instances behave anomalously with respect to the entire dataset. We propose a framework for collective anomaly detection using a partitional clustering technique to detect anomalies based on an empirical analysis of an attack's characteristics. We validate our approach by comparing its results with those from existing techniques using benchmark datasets.

show abstract

“…The newly created ground truth of anomalies was manually validated and created independently of the tools. We used frequent itemset mining (FIM), a data mining technique that has been recently used in the literature to extract sets of anomalous flows [13,14]. We randomly selected sixteen 30-minute samples of NetFlow within dataset-1 and run FIM on them.…”

Section: Anomaly Overlap and False Negatives Analysismentioning

confidence: 99%

“…Given that NR does not provide volume information together with the reported anomalies, we used the raw NetFlow data saved for the subset of six days that we manually validated. In order to obtain the correct flows associated to each anomaly, we used the same method described in Section 3.4, a recent extension [14] of the Apriori algorithm [13] . Table 4 shows that the volumes associated to each sort of anomaly are significantly different.…”

Section: Magnitude Of the Anomaliesmentioning

confidence: 99%

Operational experiences with anomaly detection in backbone networks

Molina

Paredes-Oliva²,

Routly

et al. 2012

Computers & Security

View full text Add to dashboard Cite

Although network security is a crucial aspect for network operators, there are still very few works that have examined the anomalies present in large backbone networks and evaluated the performance of existing anomaly detection solutions in operational environments. The objective of this work is to fill this gap by reporting hands-on experience in the evaluation and deployment of an anomaly detection solution for the GÉANT backbone network. During this process, we analyzed three different commercial tools for anomaly detection and then deployed one of them for several months in the 18 points-of-presence of GÉANT. We first explain the general requirements that an anomaly detection system should satisfy from the point of view of a network operator. Afterwards, we describe the evaluation of the tools and present a study of the anomalies found in a continental backbone network after operationally using the finally deployed tool for half a year. We think that this first hand information can be of great interest to both professionals and researchers working on network security and can also guide future research towards more practical problems faced by network operators.

show abstract

Anomaly extraction in backbone networks using association rules

Cited by 95 publications

References 21 publications

An Entropy-Based Network Anomaly Detection Method

An Entropy-Based Network Anomaly Detection Method

Novel Approach for Network Traffic Pattern Analysis using Clustering-based Collective Anomaly Detection

Operational experiences with anomaly detection in backbone networks

Contact Info

Product

Resources

About