Application-Level Unsupervised Outlier-Based Intrusion Detection and Prevention

Abstract: As cyber threats are permanently jeopardizing individuals privacy and organizations’ security, there have been several efforts to empower software applications with built-in immunity. In this paper, we present our approach to immune applications through application-level, unsupervised, outlier-based intrusion detection and prevention. Our framework allows tracking application domain objects all along the processing lifecycle. It also leverages the application business context and learns from production data, w… Show more

“…(2) In the clustering block, the w-k-means algorithm [40] is adopted, which reduces the influence of noise attributes on the clustering performance by calculating and assigning a weight to each attribute. (3) In the outlier detection block, the outlier score of objects that are identified as candidate outliers for the first time is set to 1, and then enter to the next current data are labeled as true point outlier (10) else (11) if count in threshold then (12) all data between current data and the data corresponding to abDiff are labeled as candidate collective outliers (13) else if count outside threshold then (14) the data corresponding to abDiff is labeled as a candidate jump outlier (15) end if (16) end if (17) reset the temporary variables (18) end if (19) else (20) if count in threshold then (21) label the data corresponding to abDiff as a true jump outlier (22) reset the temporary variables (23) end if (24) end if (25) end if ALGORITHM 1: Outlier detection based on neighbor difference (ODND).…”

“…In addition, to detect abnormal data, outlier detection can also be used to discover some abnormal events [16]. Because of the importance of data security in all walks of life, massive outlier detection approaches have been proposed and used in many applications, such as intrusion detection [17,18], health diagnosis [19], and social network detection [20,21]. However, most outlier detection approaches require the collected data to be scanned several times, but the characteristics of streaming sensor data do not allow the multiple scans of data since the time, cost, and computational complexity are very high [22], which leads to these approaches not being effectively used in WSNs.…”

“…Input: the streaming sensors data after outlier detection Output: outliers and their sources (01) if there is no outlier in current window then (02) exit (03) else (04) if the data instance is detected as point outlier then (05) label its source as error (06) end if (07) if the data instance is detected as jump outlier then (08) label its source as event (09) end if (10) if the data instance is detected as collective outlier or contextual outlier then (11) calculate the correlation coefficient (12) if correlation coefficient > th 1 then (13) if more than half of attributes are labeled as outliers then (14) label its source as event ( 15) else (16) label its source as error (17) end if (18) else if |correlation coefficient| > th 2 then (19) read these correlative variables of data instances (20) predict the mean and variance of normal values with 10-folder cross validation (21) if the outlier is out of the predicted range then (22) label its source as error ( 23) else (24) label its source as suspected event (25) end if (26) end if (27) else (28) label the source of collective outliers as unknown (29) label the source of contextual outliers as normal (30) end if (31) end if ALGORITHM 3: Outlier sources identification based on correlation (OSIC).…”

An Efficient Outlier Detection Approach for Streaming Sensor Data Based on Neighbor Difference and Clustering

“…(2) In the clustering block, the w-k-means algorithm [40] is adopted, which reduces the influence of noise attributes on the clustering performance by calculating and assigning a weight to each attribute. (3) In the outlier detection block, the outlier score of objects that are identified as candidate outliers for the first time is set to 1, and then enter to the next current data are labeled as true point outlier (10) else (11) if count in threshold then (12) all data between current data and the data corresponding to abDiff are labeled as candidate collective outliers (13) else if count outside threshold then (14) the data corresponding to abDiff is labeled as a candidate jump outlier (15) end if (16) end if (17) reset the temporary variables (18) end if (19) else (20) if count in threshold then (21) label the data corresponding to abDiff as a true jump outlier (22) reset the temporary variables (23) end if (24) end if (25) end if ALGORITHM 1: Outlier detection based on neighbor difference (ODND).…”

“…In addition, to detect abnormal data, outlier detection can also be used to discover some abnormal events [16]. Because of the importance of data security in all walks of life, massive outlier detection approaches have been proposed and used in many applications, such as intrusion detection [17,18], health diagnosis [19], and social network detection [20,21]. However, most outlier detection approaches require the collected data to be scanned several times, but the characteristics of streaming sensor data do not allow the multiple scans of data since the time, cost, and computational complexity are very high [22], which leads to these approaches not being effectively used in WSNs.…”

“…Input: the streaming sensors data after outlier detection Output: outliers and their sources (01) if there is no outlier in current window then (02) exit (03) else (04) if the data instance is detected as point outlier then (05) label its source as error (06) end if (07) if the data instance is detected as jump outlier then (08) label its source as event (09) end if (10) if the data instance is detected as collective outlier or contextual outlier then (11) calculate the correlation coefficient (12) if correlation coefficient > th 1 then (13) if more than half of attributes are labeled as outliers then (14) label its source as event ( 15) else (16) label its source as error (17) end if (18) else if |correlation coefficient| > th 2 then (19) read these correlative variables of data instances (20) predict the mean and variance of normal values with 10-folder cross validation (21) if the outlier is out of the predicted range then (22) label its source as error ( 23) else (24) label its source as suspected event (25) end if (26) end if (27) else (28) label the source of collective outliers as unknown (29) label the source of contextual outliers as normal (30) end if (31) end if ALGORITHM 3: Outlier sources identification based on correlation (OSIC).…”

An Efficient Outlier Detection Approach for Streaming Sensor Data Based on Neighbor Difference and Clustering

“…Iraqi and Bakkali [14] developed a framework that can learn to detect outlier behavior in method invocations without supervision. The method invocation features required for the learning process are implemented as a feature extractor aspect, which demonstrates another use case for integrating attack awareness with AOP.…”

A Taxonomy of Approaches for Integrating Attack Awareness in Applications

Anomaly detection for fault detection in wireless community networks using machine learning