Deep IP flow inspection to detect beyond network anomalies

Amaral, Alexandre A.; Mendes, Leonardo de Souza; Zarpelão, Bruno Bogaz; Proença, Mário Lemes

doi:10.1016/j.comcom.2016.12.007

Cited by 30 publications

(18 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Another important variant of parameterized entropy, i.e., Tsallis entropy, is utilized by researchers for anomaly detection. A feature-based Anomaly Detection System (ADS) using Tsallis entropy at device level is proposed in [23] and is capable of detecting and classifying known and unknown anomalies with additional information regarding network usage. Primitive properties of flows like SA, DA, SP, and DP and derived flow properties at device and network level, i.e., out-degree, in-degree, per flow, per packet, per byte, packet per sample (pps), etc., are used in flow extraction process.…”

Section: Literature Reviewmentioning

confidence: 99%

“…Static thresholds need to be reconfigured on changing network conditions to adjust for high DR and low FPR and that makes it unsuitable for SG. Moreover, Shannon entropy provides low DR and FPR as compared to Tsallis entropy [23] and on detection of DDoS attack, it is important to mitigate it as well to prevent its penetration further in the network; that is missing in DDoS protection approaches. In order to improve the security and reliability of SG in reference to DDoS attacks, researchers have suggested an SDN-based approach to handle the glitches in the conventional network paradigms.…”

Section: Motivation and Problem Statementmentioning

confidence: 99%

“…Probability of x mi happening in window W can be calculated using (2). Further, Tsallis entropy is denoted by "H q " which can be calculated by (3) [23]. For q > 1, higher probabilities have more impact on the final entropy value compared to lower 6…”

Section: Anomaly Detector Module (Ad Module)mentioning

confidence: 99%

See 2 more Smart Citations

S-DPS: An SDN-Based DDoS Protection System for Smart Grids

Mahmood

Shaheen

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

Information Communication Technology (ICT) environment in traditional power grids makes detection and mitigation of DDoS attacks more challenging. Existing security technologies, besides their efficiency, are not adequate to cater to DDoS security in Smart Grids (SGs) due to highly distributed and dynamic network environments. Recently, emerging Software Defined Networking- (SDN-) based approaches are proposed by researchers for SG’s DDoS protection; however, they are only able to protect against flooding attacks and are dependent on static thresholds. The proposed approach, i.e., Software Defined Networking-based DDoS Protection System (S-DPS), is efficiently addressing these issues by employing light-weight Tsallis entropy-based defense mechanisms using SDN environment. It provides early detection mechanism with mitigation of anomaly in real time. The approach offers the best deployment location of defense mechanism due to the centralized control of network. Moreover, the employment of a dynamic threshold mechanism is making detection process adaptive to the changing network conditions. S-DPS has demonstrated its effectiveness and efficiency in terms of Detection Rate (DR) and minimal CPU/RAM utilization, considering DDoS protection focusing smurf attacks, socket stress attacks, and SYN flood attacks.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Section: Motivation and Problem Statementmentioning

confidence: 99%

See 1 more Smart Citation

S-DPS: An SDN-Based DDoS Protection System for Smart Grids

Mahmood

Shaheen

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Para contornar esta questão, considerou-se neste trabalho uma base de dados com 95 GB de pacotes capturados do laboratório do Grupo de Teleinformática e Automação (GTA) da Universidade Federal do Rio de Janeiro (UFRJ), contendo tráfego normal e ataques de rede reais divididos em duas principais classes: Denial of Service (DoS) e Probe [Lobato et al 2016 A base de dados é um dos fatores que determinam quais os tipos de ataques serão detectados, implicando também na escalabilidade, que deve ser levada em consideração para a implantação da solução em grandes redes [Amaral et al 2017]. Portanto, todos os pacotes com comportamento normal foram convertidos para fluxos IP com base no padrão Netflow através da ferramenta Nfpcapd considerando uma janela temporal de 60 segundos.…”

Section: Base De Dadosunclassified

Análise do impacto da agregação dos fluxos IP nos algoritmos de aprendizado de máquina supervisionado voltados para a detecção de intrusão

Moro

Amaral

et al. 2019

Anais Do XXXVII Simpósio Brasileiro De Redes De Computadores E Sistemas Distribuídos (SBRC 2019)

View full text Add to dashboard Cite

O aprendizado de máquina tem sido utilizado na segurança cibernética para suprir as limitações das técnicas de identificação de padrões no tráfego de rede. A existência de inúmeros algoritmos na literatura faz com que a escolha de qual é o mais adequado para a detecção de intrusão, não seja uma tarefa trivial. Neste trabalho é realizada uma análise comparativa de 6 algoritmos de aprendizado de máquina supervisionado avaliando o impacto da agregação dos fluxos IP nas predições, tempo de treinamento e teste. Os experimentos mostraram que o método de agregação melhora a classificação e reduz o tempo de processamento dos modelos. Nas análises realizadas, o Decision Tree obteve o melhor equilíbrio nos resultados.

show abstract

“…Due to various new users, new devices and new applications constantly connecting to the network, network service has been widely applied in all fields [1]. With the rapid development of the network, different anomalies and attacks occur frequently, which produces great damages to network performance and security [2]. Facing this situation, multiple security mechanisms, such as antivirus software, firewall technology, user authentication and access control [3], have been designed and applied to prevent abnormal behaviors and detect potential risks [4].…”

Section: Introductionmentioning

confidence: 99%

A Novel Network Anomaly Detection Method based on Data Balancing and Recursive Feature Addition

2020

KSII TIIS

View full text Add to dashboard Cite

Network anomaly detection system plays an essential role in detecting network anomaly and ensuring network security. Anomaly detection system based machine learning has become an increasingly popular solution. However, due to the unbalance and high-dimension characteristics of network traffic, the existing methods unable to achieve the excellent performance of high accuracy and low false alarm rate. To address this problem, a new network anomaly detection method based on data balancing and recursive feature addition is proposed. Firstly, data balancing algorithm based on improved KNN outlier detection is designed to select part respective data on each category. Combination optimization about parameters of improved KNN outlier detection is implemented by genetic algorithm. Next, recursive feature addition algorithm based on correlation analysis is proposed to select effective features, in which a cross contingency test is utilized to analyze correlation and obtain a features subset with a strong correlation. Then, random forests model is as the classification model to detection anomaly. Finally, the proposed algorithm is evaluated on benchmark datasets KDD Cup 1999 and UNSW_NB15. The result illustrates the proposed strategies enhance accuracy and recall, and decrease the false alarm rate. Compared with other algorithms, this algorithm still achieves significant effects, especially recall in the small category.

show abstract

Deep IP flow inspection to detect beyond network anomalies

Cited by 30 publications

References 24 publications

S-DPS: An SDN-Based DDoS Protection System for Smart Grids

S-DPS: An SDN-Based DDoS Protection System for Smart Grids

Análise do impacto da agregação dos fluxos IP nos algoritmos de aprendizado de máquina supervisionado voltados para a detecção de intrusão

A Novel Network Anomaly Detection Method based on Data Balancing and Recursive Feature Addition

Contact Info

Product

Resources

About