Improving PCA‐based anomaly detection by using multiple time scale analysis and Kullback–Leibler divergence

Callegari, Christian; Gazzarrini, Loris; Giordano, Stefano; Pagano, Michele; Pepe, Teresa

doi:10.1002/dac.2432

Cited by 29 publications

(23 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As a criterion of the optimization of parameters, during ASR learning, we used statistical parameters (information measures) for the variants of solutions with two alternatives [18,25,26] for a modified entropic indicator, as well as the Kullback-Leibler divergence (for three hypotheses) [27]. Table 1 Stages of splitting FS into clusters…”

Section: The Aim and Tasks Of Researchmentioning

confidence: 99%

Development of a system for the detection of cyber attacks based on the clustering and formation of reference deviations of attributes

Lakhno

Malyukov

Domrachev

et al. 2017

EEJET

View full text Add to dashboard Cite

Section: The Aim and Tasks Of Researchmentioning

confidence: 99%

Development of a system for the detection of cyber attacks based on the clustering and formation of reference deviations of attributes

Lakhno

Malyukov

Domrachev

et al. 2017

EEJET

View full text Add to dashboard Cite

“…For the problem under investigation, we resort to the simple statistics of x in order to avoid packet inspection and to guarantee quick feature building. The joint analysis of the anomalies at different timescales [14] or at different points of the system [15,16] sometimes helps improve performance. Anomaly-based detection may be more adaptive than ML as it simply looks at sudden changes of flows statistics [4,13], while providing good detection rates [12].…”

Section: Problem Formulationmentioning

confidence: 99%

“…An example is reported in the following performance evaluation. The joint analysis of the anomalies at different timescales [14] or at different points of the system [15,16] sometimes helps improve performance. In the presence of noisy measurements, the joint adoption of all the features in x may be crucial.…”

Section: Problem Formulationmentioning

confidence: 99%

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Aiello

Mongelli

Papaleo

2014

Int J Communication

View full text Add to dashboard Cite

The use of covert-channel methods to bypass security policies has increased considerably in the recent years. Malicious users neutralize security restriction by encapsulating protocols like peer-to-peer, chat or http proxy into other allowed protocols like Domain Name Server (DNS) or HTTP. This paper illustrates a machine learning approach to detect one particular covert-channel technique: DNS tunneling.Despite packet inspection may guarantee reliable intrusion detection in this context, it may suffer of scalability performance when a large set of sockets should be monitored in real time. Detecting the presence of DNS intruders by an aggregation-based monitoring is of main interest as it avoids packet inspection, thus preserving privacy and scalability. The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes. The analysis is complicated by two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and quick statistical fingerprints generation (to obtain a detection tool really applicable in the field).Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples over time and by making a global decision through a majority voting scheme. The technique overcomes traditional classifier limitations. An insightful analysis of the performance leads to discover a unique intrusion detection tool, applicable in the presence of different tunneled applications. ¶ The n s with an order of magnitude more (n s D 10 4 ) captures features with a higher measurement stability, thus allowing to reach the steady state after K=811 samples.

show abstract

“…In this phase, as major part of the initial traffic is removed, the volume of the data is reduced significantly, and so intrusion detection can be performed much easier and faster than before. Unlike many anomaly detection techniques described in the literature (e.g., [47][48][49], and [50]), extracting the TCP flow interarrival times, estimating their Weibull parameters, and evaluating their discrepancy with a Weibull distribution is not computationally intensive and can easily be carried out in real time.…”

Section: Resultsmentioning

confidence: 99%

An empirical study on TCP flow interarrival time distribution for normal and anomalous traffic

Arshadi

Jahangir

2014

Int J Communication

View full text Add to dashboard Cite

SUMMARYIn this paper, we study the effects of anomalies on the distribution of TCP flow interarrival time process. We show empirically that despite the variety of data networks in size, number of users, applications, and load, the interarrival times of normal flows comply with the Weibull distribution, whereas specific irregularities (anomalies) causes deviations from the distribution. We first estimate the scale and shape parameters and then check the discrepancy of the data from a Weibull distribution with the estimated parameters. We also utilize the Weibull counting model to recheck the conformance of small flow interarrival times with the distribution. We perform our experiments on a diverse variety of traffic data sets from backbone connections to endpoints of academic and commercial networks. Moreover, we propose a window-based anomaly detection method as a possible application of our findings in which we first estimate the Weibull parameters of interarrival times in each window and then check the discrepancy of the data with a Weibull distribution with the estimated parameters and set an alarm whenever the difference is significant. We apply this method on one of our data sets and present the results to clarify the idea and show its capability in detecting volume anomalies.

show abstract

Improving PCA‐based anomaly detection by using multiple time scale analysis and Kullback–Leibler divergence

Cited by 29 publications

References 15 publications

Development of a system for the detection of cyber attacks based on the clustering and formation of reference deviations of attributes

Development of a system for the detection of cyber attacks based on the clustering and formation of reference deviations of attributes

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

An empirical study on TCP flow interarrival time distribution for normal and anomalous traffic

Contact Info

Product

Resources

About