McPAD: A multiple classifier system for accurate payload-based anomaly detection

Perdisci, Roberto; Ariu, Davide; Fogla, Prahlad; Giacinto, Giorgio; Lee, Wenke

doi:10.1016/j.comnet.2008.11.011

Cited by 230 publications

(166 citation statements)

References 32 publications

Supporting

Mentioning

164

Contrasting

Unclassified

Order By: Relevance

“…The following data mining anomaly detection algorithms are illustrated in Table 2, the results showed that unsupervised models such as Mahalanobi Distance Map (MDM) (Jamdagni et al, 2013) and one-class Support Vector Machine (SVM) (Perdisci et al, 2008) had considerably higher accuracy and false positive rate in same dataset. Moreover, data mining association rule technique such as Fuzzy Association Rule Model (FARM) (Chan et al, 2013) proved to have high accuracy in recognize anomaly attacks as well as considerable low false positive rate.…”

Section: Discussionmentioning

confidence: 99%

“…Nevertheless, this dataset is reported to have some problems regarding its outdated data and the increasing growth of web behaviors in the course of time. Therefore, unsupervised data mining (Jamdagni et al, 2013) and semi-supervised anomaly detection (Perdisci et al, 2008) which has shown acceptable results, can be safe for HTTP Web Service request anomaly detection, but the quality of anomalous records is routinely and continuously changing which makes the outliers accurately unattainable for detections over HTTP web service request data. Moreover, high dimensional data always have some possible inaccuracy because of the limitations in quadratic computational complexity (Amer et al, 2013).…”

Section: Discussionmentioning

confidence: 99%

“…In recent years, some techniques of anomaly detection have been suggested (Perdisci et al, 2008) that are semi-supervised anomaly detection. These new techniques of anomaly-based network IDSs are able to identify (anonymous) zero-day attacks, however, the load of false positives that are produced by detection system needs to be taken care of and controlled.…”

Section: Semi-supervised Cluster Analysismentioning

confidence: 99%

See 2 more Smart Citations

A Survey of Anomaly Detection Using Data Mining Methods for Hypertext Transfer Protocol Web Services

Kakavand

Mustapha

Abdullah

et al. 2015

Journal of Computer Science

View full text Add to dashboard Cite

Abstract:In contrast to traditional Intrusion Detection Systems (IDSs), data mining anomaly detection methods/techniques has been widely used in the domain of network traffic data for intrusion detection and cyber threat. Data mining is widely recognized as popular and important intelligent and automatic tools to assist humans in big data security analysis and anomaly detection over IDSs. In this study we discuss our review in data mining anomaly detection methods for HTTP web services. Today, many online careers and actions including online shopping and banking are running through web-services. Consequently, the role of Hypertext Transfer Protocol (HTTP) in web services is crucial, since it is the standard facilitator for communication protocol. Hence, among the intruders that bound attacks, HTTP is being considered as a vital middle objective. In the recent years, an effective system that has attracted the attention of the researchers is the anomaly detection which is based on data mining methods. We provided an overview on four general data mining techniques such as classification, clustering, semi-supervised and association rule mining. These data mining anomaly detection methods can be used to computing intelligent HTTP request data, which are necessary in describing user behavior. To meet the challenges of data mining techniques, we provide challenges and issues section for intrusion detection systems in HTTP web services.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Semi-supervised Cluster Analysismentioning

confidence: 99%

See 1 more Smart Citation

A Survey of Anomaly Detection Using Data Mining Methods for Hypertext Transfer Protocol Web Services

Kakavand

Mustapha

Abdullah

et al. 2015

Journal of Computer Science

View full text Add to dashboard Cite

show abstract

“…Past researches reveal that anomaly based intrusion detection has several flaws, namely a high false positive rate and misjudging a correct data packet as attack packet. PAYL [20] and MCPAD [21] have tried to address these issues. In this research we will also focus on reducing these issues using both supervised and unsupervised anomaly-based intrusion detection.…”

Section: Intrusion Detection Systemmentioning

confidence: 99%

Adaptive Hybrid Model for Network Intrusion Detection and Comparison among Machine Learning Algorithms

Haque¹,

Al-Kharobi²

2015

IJMLC

View full text Add to dashboard Cite

Abstract-In this paper, we propose a novel method using ensemble learning scheme for classifying network intrusion detection from the most renowned KDD cup dataset. We have shown that reducing the dimensionality of the large dataset provides most accurate detection. Additionally, several machine learning algorithms are used to generate the accuracy metrics and analyzed further for proper comparison. Our approach found out that this algorithm outperforms all other learning techniques. Our goal is to analyze the network intrusion data and find out the best components and use them for the attack analysis. This scheme can be used in parallel with the intrusion detection system to augment its prediction performance for the future data packets. Empirical results show that the input dimensionality reduction can provide lightweight intrusion detection system that can be embedded with the vulnerable system for generating correct classification with significance improvement in execution time.

show abstract

“…Therefore, packet clas-sifiers [10,11] (classifiers that attempt to classify every packet rather than every flow) are out of the scope of this literature review. We also do not discuss anomaly detectors as this is a different subset of Internet traffic classification than what we are pursuing [12][13][14][15].…”

Section: Literature Reviewmentioning

confidence: 99%

Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification

2009

View full text Add to dashboard Cite

Classifying Internet traffic flows online into applications or broader classes without inspecting the packet payloads or without relying on port numbers has become a necessity for network operators. The operators can use this information to monitor their networks and provide per-class quality of service. There has been a great deal of research done on Internet traffic classification recently and numerous techniques have been proposed. While the current techniques can obtain a high accuracy classifying Internet traffic, providing performance guarantees for particular classes of interest has never been addressed. In this thesis, we provide two novel types of online Internet traffic classifiers that can provide performance guarantees on the false alarm and false discovery rates, respectively. These guarantees can be for an entire class (class-wise) or between two classes (pair-wise). Controlling false alarm rates is well-suited for application prioritization (i.e. prioritizing time-sensitive applications like VoIP over HTTP) whereas controlling false discovery rates is better suited for blocking or rate-limiting a targeted class of traffic (i.e. Peer-to-Peer). The classifier that provides false alarm rate guarantees is based on a Neyman-Pearson classification framework while the classifier that provides false discovery rate guarantees is based on the Learning to Satisfy (LSAT) framework. Both of these classifiers are implemented using a machine learning technique, namely, the 2-nu Support Vector Machine (SVM). Moreover, all previous work done with these two statistical methodologies focused on binary classification only; we extend these statistical methodologies to a multi-class setting. In addition to the regular application classification problem, we also present preliminary work on a binary LSAT classifier that can detect, after the reception of only a handful of packets, whether a flow will be large, as defined by a network operator. This large flow detector can act as a preprocessor for regular application classifiers. By allowing only large flows to pass to the classifier, this allows the classifier to focus on the more resource-intensive flows. We validated our Internet traffic classifiers by testing our approaches using data provided by an ISP.ii Abrégé Identifier l'application (ou autre classe plus générale) qui génère un flux de trafic Internet, sans compter sur le numéro du port ou inspecter la charge des paquets, est devenu une nécessité pour les opérateurs de réseau. Les opérateurs peuvent utiliser cette information pour surveiller leurs réseaux et fournir une qualité de service propreà chaque classe. Il y a eu beaucoup de travaux de recherche portant sur la classification du trafic Internet effectué récemment et de nombreuses techniques ontété proposées. Bien que les techniques actuelles puissent obtenir une grande précision pour classer le trafic Internet, offrir des garanties de performance pour des catégories particulières est un problème encore inexploré.Dans ce mémoire, nous proposons deu...

show abstract

McPAD: A multiple classifier system for accurate payload-based anomaly detection

Cited by 230 publications

References 32 publications

A Survey of Anomaly Detection Using Data Mining Methods for Hypertext Transfer Protocol Web Services

A Survey of Anomaly Detection Using Data Mining Methods for Hypertext Transfer Protocol Web Services

Adaptive Hybrid Model for Network Intrusion Detection and Comparison among Machine Learning Algorithms

Controlling False Alarm/Discovery Rates in Online Internet Traffic Flow Classification

Contact Info

Product

Resources

About