Network anomaly detection using a cross‐correlation‐based long‐range dependence analysis

Abstract: The detection of anomalies in network traffic is an important task in today's Internet. Among various anomaly detection methods, the techniques based on examination of the long-range dependence (LRD) behavior of network traffic stands out to be powerful. In this paper, we reveal anomalies in aggregated network traffic by examining the LRD behavior based on the cross-correlation function of the bidirectional control and data planes traffic. Specifically, observing that the conventional cross-correlation functio… Show more

“…Data binning is a preprocessing step for presenting the network flow events in a form on which analysis algorithms can be applied. Binning the network events have been applied as a preprocessing step to detect low volume and short duration attacks [7] and separate a set of network traffic measurements that correspond to normal and abnormal behaviour [27]. A time-bin is defined as a window of one fixed time interval.…”

“…Their method used Principal Component Analysis to identify normal and abnormal network conditions by using a set of network traffic measurements. In [7], the authors modified the cross-correlation function to improve the anomaly detection performance of the conventional cross-correlation function. In [4], the authors setup shallow Convolution Neural Network (CNN), moderate CNN and deep CNN to assess enhancements for proactive attack handling.…”

“…To better support the processes of attack mitigation, it is helpful to first understand how an attack transpires in practice. Recent work that analyzed the network logs or process logs for anomaly detection [3]- [7] and malicious authentication detection [8]- [10] have revealed useful insights to address attacks in networks. The time elapsed between the precursor event and an attack is defined as the lead time.…”

“…Analyzing attacks in any large-scale or complex network require awareness of the sequence of events that is encountered by the network components. While researchers have focused on specific components [7], [10] depending on their target problem, answering how attacks occur needs a more integrated approach towards correlation-based log-mining [13]. Our work is novel in that it considers the flow connection-specific events along with their inter-component relationships to increase the lead times to identification of an attack boosting network attack prediction schemes.…”

“…However, it lacks the broader view. For example, analyzing the network routers [7] w.r.t. the hosts separately may miss anomalies in the event logs generated elsewhere.…”

Challenges in Identifying Network Attacks Using Netflow Data

“…Data binning is a preprocessing step for presenting the network flow events in a form on which analysis algorithms can be applied. Binning the network events have been applied as a preprocessing step to detect low volume and short duration attacks [7] and separate a set of network traffic measurements that correspond to normal and abnormal behaviour [27]. A time-bin is defined as a window of one fixed time interval.…”

“…Their method used Principal Component Analysis to identify normal and abnormal network conditions by using a set of network traffic measurements. In [7], the authors modified the cross-correlation function to improve the anomaly detection performance of the conventional cross-correlation function. In [4], the authors setup shallow Convolution Neural Network (CNN), moderate CNN and deep CNN to assess enhancements for proactive attack handling.…”

“…To better support the processes of attack mitigation, it is helpful to first understand how an attack transpires in practice. Recent work that analyzed the network logs or process logs for anomaly detection [3]- [7] and malicious authentication detection [8]- [10] have revealed useful insights to address attacks in networks. The time elapsed between the precursor event and an attack is defined as the lead time.…”

“…Analyzing attacks in any large-scale or complex network require awareness of the sequence of events that is encountered by the network components. While researchers have focused on specific components [7], [10] depending on their target problem, answering how attacks occur needs a more integrated approach towards correlation-based log-mining [13]. Our work is novel in that it considers the flow connection-specific events along with their inter-component relationships to increase the lead times to identification of an attack boosting network attack prediction schemes.…”

“…However, it lacks the broader view. For example, analyzing the network routers [7] w.r.t. the hosts separately may miss anomalies in the event logs generated elsewhere.…”

Challenges in Identifying Network Attacks Using Netflow Data

Deep reference autoencoder convolutional neural network for damage identification in parallel steel wire cables

Unraveling the Potential: A Systematic Review and Performance Evaluation of Data-Driven Network Anomaly Detection Techniques