Detecting anomalies and attacks in network traffic monitoring with classification methods and XAI-based explainability

Wawrowski, Łukasz; Michalak, Marcin; Bialas, Andrzej; Kurianowicz, Rafał; Sikora, Marek; Uchroński, Mariusz; Kajzer, Adrian

doi:10.1016/j.procs.2021.08.239

Cited by 12 publications

(7 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The experiments were planned to be carried out in an extended version of the virtual environment mentioned in [ 73 ]. However, the number of simulated workstations was increased to two attacking systems and four victims.…”

Section: Methodsmentioning

confidence: 99%

Anomaly Detection Module for Network Traffic Monitoring in Public Institutions

Wawrowski

Bialas

Kajzer

et al. 2023

Sensors

Self Cite

View full text Add to dashboard Cite

It seems to be a truism to say that we should pay more and more attention to network traffic safety. Such a goal may be achieved with many different approaches. In this paper, we put our attention on the increase in network traffic safety based on the continuous monitoring of network traffic statistics and detecting possible anomalies in the network traffic description. The developed solution, called the anomaly detection module, is mostly dedicated to public institutions as the additional component of the network security services. Despite the use of well-known anomaly detection methods, the novelty of the module is based on providing an exhaustive strategy of selecting the best combination of models as well as tuning the models in a much faster offline mode. It is worth emphasizing that combined models were able to achieve 100% balanced accuracy level of specific attack detection.

show abstract

Section: Methodsmentioning

confidence: 99%

Anomaly Detection Module for Network Traffic Monitoring in Public Institutions

Wawrowski

Bialas

Kajzer

et al. 2023

Sensors

Self Cite

View full text Add to dashboard Cite

show abstract

“…Unlike noise, network outliers carry important information, which can inform proactive network threat management. For example, an unusually large number of requests coming from one computer could be an outlier generated by a different process, which could indicate a malicious attack or some other type of unusual activity [11]. Thus, network outliers can help detect malicious behavior or provide insight into abnormal traffic patterns.…”

Section: Related Workmentioning

confidence: 99%

“…By detecting unusual activity in the network, organizations can identify malicious activities and reduce the risk of security breaches. Network anomaly detection can also be used to improve network performance by identifying and addressing network congestion, latency issues, and slow response times [11,12]. Li et al [13] developed an optimized resource allocation and communication technique for the fault detection system.…”

Section: Related Workmentioning

confidence: 99%

An Efficient Support Vector Machine Algorithm Based Network Outlier Detection System

Alghushairy,

Alsini,

Alhassan

et al. 2024

IEEE Access

View full text Add to dashboard Cite

With the increase of cyber-attacks and security threats in the recent decade, it is necessary to safeguard sensitive data and provide robust protection to information systems and computer networks. In this paper, an anomaly-based network outlier detection system (NODS) is proposed and optimized to check and classify the incoming network traffic stream's behaviours that affect the computer networks. The proposed NODS has high classification efficiency. Network connection events classified as outliers are reported to the network admin to drop and block its packets. The NSL-KDD and CICIDS2017 intrusion datasets were employed to build the proposed system and test its detection capabilities. Sequential scenarios were implemented to optimize the system's effectiveness. Network features were normalized by min-max and Z-Score approaches, while the relevant features were selected individually by the principal component analysis (PCA) and correlated features selection (CFS) techniques. Support vector machine (SVM) and Gaussian Naive Bayes (GNB) algorithms are used to build the detection model, while the Genetic algorithm (GA) was employed to tune their control parameters. The obtained evaluation results proved that the proposed SVM based NODS is characterized by low false alarms and detection time as well as high classification accuracy. Furthermore, a comparative analysis was conducted with other existing techniques, and the results obtained demonstrate the effectiveness of the proposed SVM-IDS

show abstract

“…3) Use of XAI in IDS: There are several examples where XAI-methods have been used with ML-based IDS. Wawrowski et al [39] used SHAP with a ML techniques called gradient boosting to implement an anomaly detection system. Mane & Rao [18] used a neural network to detect network intrusions, while presenting a XAI framework which explains each step of the ML pipeline.…”

Section: A Xaimentioning

confidence: 99%

“…Several studies of SOC environments, including the use of AI in the SOC, have pointed towards adapting and using XAI techniques to support analysts [25], [7], [21], [9], [32], [2], [16], [26]. There have also been several attempts applying XAI to explain ML-generated alerts [39], [38], [28], [15], [20], [27], [34]. However, studies on how and if XAI actually provided the necessary explanation for a security analyst seems to be missing [11].…”

Section: Introductionmentioning

confidence: 99%

Towards XAI in the SOC – a user centric study of explainable alerts with SHAP and LIME

Eriksson

Grov

2022

2022 IEEE International Conference on Big Data (Big Data)

View full text Add to dashboard Cite

Many studies of the adoption of machine learning (ML) in Security Operation Centres (SOCs) have pointed to a lack of transparency and explanation -and thus trustas a barrier to ML adoption, and have suggested eXplainable Artificial Intelligence (XAI) as a possible solution. However, there is a lack of studies addressing to which degree XAI indeed helps SOC analysts. Focusing on two XAI-techniques, SHAP and LIME, we have interviewed several SOC analysts to understand how XAI can be used and adapted to explain ML-generated alerts. The results show that XAI can provide valuable insights for the analyst by highlighting features and information deemed important for a given alert. As far as we are aware, we are the first to conduct such a user study of XAI usage in a SOC and this short paper provides our initial findings.

show abstract

Detecting anomalies and attacks in network traffic monitoring with classification methods and XAI-based explainability

Cited by 12 publications

References 21 publications

Anomaly Detection Module for Network Traffic Monitoring in Public Institutions

Anomaly Detection Module for Network Traffic Monitoring in Public Institutions

An Efficient Support Vector Machine Algorithm Based Network Outlier Detection System

Towards XAI in the SOC – a user centric study of explainable alerts with SHAP and LIME

Contact Info

Product

Resources

About