Data Clustering-based Anomaly Detection in Industrial Control Systems

István Kiss (1), Béla Genge (2), Piroska Haller (2), Gheorghe Sebestyén (1)
(1) Technical University of Cluj-Napoca, Romania
(2) "Petru Maior" University of Târgu Mureș, Romania
[email protected], [email protected], [email protected], [email protected]

Abstract – Modern Networked Critical Infrastructures (NCI), involving cyber and physical systems, are exposed to intelligent cyber attacks targeting the stable operation of these systems. In order to ensure anomaly awareness, the observed data can be used together with data mining techniques to develop Intrusion Detection Systems (IDS) or Anomaly Detection Systems (ADS). The volume of sensor data generated by both cyber and physical sensors is increasing, so Big Data technologies are needed for the real-time analysis of large data sets. In this paper, we propose a clustering-based approach for detecting cyber attacks that cause anomalies in NCI. Various clustering techniques are explored to choose the most suitable one for clustering the time-series data features, thus classifying the states of the physical system and the potential cyber attacks against it. The Hadoop implementation of the MapReduce paradigm is used to provide a suitable processing environment for large datasets. A case study on an NCI consisting of multiple gas compressor stations is presented.

Keywords – cyber-physical security; intrusion detection; anomaly detection; clustering; big data

I. INTRODUCTION

The widespread use of Information and Communication Technologies (ICT) within Networked Critical Infrastructures (NCI), e.g., power plants, water plants and energy smart grids, dramatically increases the vulnerability of such systems to cyber threats. This aspect has been emphasized by many studies on Supervisory Control And Data Acquisition (SCADA) systems [1], [2], [3], i.e., the core infrastructure that provides monitoring and control of physical processes. These highlighted the fact that traditional protection measures applied to NCI are largely ineffective against a new breed of attacks, called cyber-physical attacks. Cyber-physical attacks have the ability to remain stealthy and, by targeting both the cyber and the physical dimensions of NCI, they can cause severe disruption of normal operation. Stuxnet [4], the first malware specifically designed to attack NCI, together with the more recently reported malware called "Flame" [5], are a clear demonstration of this risk. In addition, a recent report collection [6] emphasizes the new security threats.

To address the aforementioned challenges, we present a novel approach to identify dangerous cyber-physical attacks by applying clustering techniques to the industrial process related data. We take into account the large-scale characteristics of NCI, where data can originate from thousands of sensors. This requires efficient techniques that enable (near) real-time processing of large datasets. For this purpose we employ the Hadoop implementation of the MapReduce paradigm, which provides the ability to detect potential cyber attacks in real time. The main contribution of this paper lies in the unique combination of data clustering with large dataset processing techniques. The approach is evaluated against an installation consisting of multiple gas compressor stations.

The paper is organized as follows: Section II presents the state of the art in the field of anomaly detection; Section III provides the theoretical background for the technique proposed in this paper; Section IV presents the proposed approach and its architecture; a case study on an existing cyber-physical system, including experimental results, is detailed in Section V, and the paper concludes in Section VI.

978-1-4799-6569-4/14/$31.00 ©2014 IEEE

II. RELATED WORK

Reflecting the main idea (mining the industrial process data to detect anomalies), the investigated research articles focus on cyber-physical security and anomaly detection techniques. In addition, the trends of using big data technologies in security systems are explored.

A distributed intrusion detection framework is proposed in [7]. The approach is able to detect new attacks by using network traffic sensors mounted at key network points, and it is suitable for new as well as existing infrastructures. DoS (Denial of Service) is commonly used by attackers to target critical assets, because it requires minimal knowledge about the target infrastructure. A detailed description of DDoS (Distributed Denial of Service) and DDoS Reflector attacks is given in [8]. The latter is considered extremely powerful, because the target is flooded with packets indirectly, via network servers. The approach developed by the authors uses adaptive traffic processing devices in order to detect anomalies in network traffic. Additionally, the paper presents a use case that shows how to prevent and react to DDoS attacks.

A recent report [9] analyzes the performance of data mining and neural network based cyber attack detection techniques. The use of neural networks is proposed for data feature reduction to achieve a better performance in data mining. KDD'99 and DARPA 1999 are used as test data sets. The tested attack scenarios in the article are DoS, "user to root" (the attacker knows the user credentials), "remote to user" (the attacker can send packets to the network), and "probes" (exploring vulnerabilities). These attack models are also discussed in [10], where a solution to implement an anomaly detection engine is proposed by leveraging data mining techniques, i.e., k-means clustering of cyber related data. Similarly, T. Bass [11] presents a method which uses KDD (Knowledge Discovery and Data Mining) to transform the cyber sensor data into useful knowledge. Subsequently, D. Barbara et al. [12] proposed a testbed for testing the efficiency of data mining in IDS. The results showed that these techniques are very efficient in the case of attacks which modify the analyzed data features. In [13], another data mining technique, i.e., fuzzy logic, is applied to the network traffic data provided by the TOFINO network security cyber sensors. An online clustering algorithm is used to generate the inference rules of the fuzzy logic, which is why in the learning phase the cyber system has to be free of any anomalies. The proposed solution was tested on an NCI consisting of a PLC, a switch, an HMI and an attacker station.

Several attack scenarios for NCS (Networked Control Systems) are investigated in [14]:
- replay attack – record packets at moment k and replay them at k+1
- zero dynamics – generating an attack signal without modifying the residue of the dynamics
- bias injection – adding an offset to the original signal

The article presents anomaly detection filters, based on a process state-space model, for each aforementioned scenario. The attack models and the knowledge of the effects of cyber attacks are key ingredients for choosing the right Anomaly Detection System (ADS). In this sense, the article on EPIC [15], a testbed for cyber-physical security experimentation, investigates the effect of cyber attacks on the normal functioning of NCI. A data fusion based anomaly detection in NCI is presented in [16]. The authors of the article combine knowledge from the cyber and physical dimensions of NCI in order to achieve an ADS. The predictive behavior of network traffic in NCI is explored and embodied in SPEAR [17]. SPEAR is a tool-suite aimed at modeling the network topology of NCI and automatically generating detection rules for the well-known detection engine Snort. Rules are generated to whitelist allowed traffic and to generate alarms in case unlisted packet traces are detected. In the case of NCI, the above methods can be transformed to take into account the specific features of physical devices (the physical process related information), thus hardening the security of installations: to remain stealthy, in addition to the cyber architecture, the attacker needs to have knowledge about the physical industrial process as well.

The use of Big Data technologies in abnormal behavior detection is introduced in [18]. The article states that detecting cyber attacks requires collecting and analyzing data from various sources (network, host, security equipment); hence abnormal behavior detection using MapReduce is effective in analyzing large-scale host behavior monitoring data. NCI security monitoring based on Big Data technologies is proposed in [19]. The framework leverages the benefits of multiple data sources "to improve protection capabilities of CIs". The main ideas of the article are multiple data sources, monitoring with different granularity and on-line big data processing.

Based on this analysis we underline that the technique proposed in this paper, i.e., applying clustering techniques specifically to determine the physical behavior of the secured system, adds an extra improvement to the cyber-physical security of NCI. Regardless of the cyber system of the NCI, the developed technique retrieves physical behavior related information from the critical parameters of the industrial process. For this to happen, the processing of large time-series data is needed, which is why we leverage the advantages of the Hadoop framework. From another point of view, the proposed approach can be considered a redundancy measure for the cyber security of NCI.

III. THEORETICAL OVERVIEW

A. Data mining

Data mining is the process of extracting useful information (knowledge) from raw data. In the case of ICS (Industrial Control Systems), the extracted knowledge can be used for the optimal control of processes or, in our case, for improving the cyber security of ICS. One of the most commonly used data mining techniques is clustering. There is a series of clustering algorithms, several of which are described in [20]; this paper leverages the performance and simplicity of k-means.

1) Clustering and k-means

Clustering is an unsupervised learning process whose role is to delimit zones of "similar" objects. In a simplified manner, given two objects o1 and o2 that are integers, the similarity between them is measured by the distance between o1 and o2, |o1 - o2|.

a) K-means algorithm: Given the number of clusters c and the set of input data vectors $x_j$, $j = \overline{1, n}$, the problem is to find c centroids from the set of input vectors and assign each vector to a centroid in such a way as to minimize the cost function J:

$$ J = \sum_{i=1}^{c} J_i = \sum_{i=1}^{c} \Big( \sum_{k,\, x_k \in G_i} \| x_k - c_i \|^2 \Big) \qquad (1) $$

where $J_i$ is the cost function computed for cluster $G_i$. The steps of the algorithm are as follows:

S1: randomly initialize the cluster centers $c_i$, $i = \overline{1, c}$
S2: compute the membership matrix U, using (2)

$$ u_{ij} = \begin{cases} 1, & \| x_j - c_i \|^2 \le \| x_j - c_k \|^2,\ \forall k \ne i \\ 0, & \text{otherwise} \end{cases} \qquad (2) $$

S3: compute the cost function by (1) and stop if

$$ J \le \varepsilon \quad \text{or} \quad | J_{iter} - J_{iter-1} | \le \varepsilon \qquad (3) $$

S4: update the cluster centers according to (4)

$$ c_i = \frac{1}{|G_i|} \sum_{k,\, x_k \in G_i} x_k, \qquad |G_i| = \sum_{j=1}^{n} u_{ij} \qquad (4) $$

S5: go to S2

Another clustering technique, subtractive clustering [20], is based on a density measure calculated at a given data point by using the neighboring data points. This technique can be combined with k-means to ensure the optimal initialization of the cluster centers.

b) Subtractive clustering algorithm: The main principle of the algorithm is to choose the data vectors as candidate cluster centroids. For each candidate centroid a density measure is calculated, and the first centroid will be the data vector with the highest density measure. The steps of the algorithm are described below.

S1: compute the density measure for the neighborhood of each vector $x_i \in X$

$$ D_i = \sum_{j=1}^{n} \exp\Big( - \frac{\| x_i - x_j \|^2}{(r_a / 2)^2} \Big) \qquad (5) $$

where $r_a$ is the neighborhood radius.
S2: let the data vector with the highest attached $D_i$ be chosen as the first centroid $x_{c_1}$.
S3: update the density measures of each data vector according to (6).

$$ D_i = D_i - D_c \exp\Big( - \frac{\| x_i - x_c \|^2}{(r_b / 2)^2} \Big) \qquad (6) $$

S4: let the data vector with the highest attached $D_i$ be chosen as the second centroid $x_{c_2}$. Go to S3; the algorithm stops when the desired number of centroids has been selected.

c) Combination of subtractive clustering with the K-means algorithm: The method relies on replacing the random initialization phase of the K-means algorithm with subtractive clustering, thus achieving a better initialization of the cluster centers before applying the K-means method (Fig. 1). Compared to K-means, this approach requires more computational resources, but it provides a solution in the cases where K-means converges to local minima.

2) Min-max normalization

The data features have different value ranges, because they are expressed in various units of measurement. Min-max normalization, according to (7), is applied in order to give the data values the same weight across the dataset.

$$ x_i' = \frac{x_i - \min\{x\}}{\max\{x\} - \min\{x\}} \cdot (\max\{x'\} - \min\{x'\}) + \min\{x'\} \qquad (7) $$

During the experiments all of the process parameters were normalized to the domain [0, 1].

B. MapReduce, Hadoop and K-means

The MapReduce programming model is based on functional programming, e.g., LISP. Every value in MapReduce has an associated key, so a MapReduce job takes as input a list of key-value pairs and generates as output a list of key-value pairs. For each key-value pair of the input, an instance of the mapper function is executed. The outputs of the mappers are sorted and grouped by key (shuffle and sort: every key has a list of values). Finally, the reducer function is instantiated for each key and value list pair. The results of the MapReduce job are the key-value pairs returned by the reducer instances. In short, Hadoop is a Java implementation of the MapReduce framework.

The k-means algorithm needs some modification in order to be implemented in MapReduce. The MapReduce algorithm of k-means is as follows. In the initialization phase, each data vector is associated with one of the randomly generated centroid vectors, thus forming center-vector pairs. A MapReduce job is launched sequentially for every iteration of the algorithm:

    map(center, vector, output) {
        // centers: the current set of centroids, available to every mapper
        nearestCenter = calculateNearest(centers, vector);
        emit(nearestCenter, vector);
    }

    reduce(center, vectors, output) {
        // vectors: all data vectors assigned to this center by the mappers
        newCenter = mean(vectors);
        for each vector in vectors
            emit(newCenter, vector);
    }

Thus, the mappers compute the nearest center for each data vector. The key-value pairs generated by the mappers are emitted to the shuffle and sort phase before the reducers are instantiated. The reducers compute the new centers by a mean value calculation. The emitted center-vector pairs are the inputs of the next MapReduce job, corresponding to the next iteration.
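The following Python script is an added example, not code from the paper or its authors. It implements min-max normalization (7), the k-means steps S1-S5 with the cost (1) and update (4), subtractive-clustering initialization (5)-(6) used in place of S1 as in Fig. 1, and an in-memory stand-in for the map/reduce pair above (no Hadoop involved). The engine speed / engine temperature samples, the seed centers, the radius r_a = 0.5 and the choice r_b = 1.5 r_a are constructed assumptions, not values from the paper.

```python
"""Added example (not the paper's code): min-max normalization (eq. 7), k-means
(S1-S5, eqs. 1-4), subtractive-clustering initialization (eqs. 5-6), their
combination (Fig. 1) and one MapReduce-style k-means iteration (Section III.B),
run on constructed engine speed / engine temperature samples."""
import math
from collections import defaultdict

# Constructed samples (rpm, degrees C): an idle regime and a loaded regime.
IDLE = [(1000 + 20 * i, 80 + i) for i in range(5)]
LOADED = [(1500 + 20 * i, 95 + i) for i in range(5)]
RAW = IDLE + LOADED

def min_max_normalize(vectors):
    """Eq. (7) with target domain [0, 1], applied feature by feature."""
    dims = range(len(vectors[0]))
    lo = [min(v[d] for v in vectors) for d in dims]
    hi = [max(v[d] for v in vectors) for d in dims]
    return [tuple((v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
                  for d in dims) for v in vectors]

def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def nearest(centers, vector):
    """Index i with u_ij = 1 in eq. (2): the closest centroid to the vector."""
    return min(range(len(centers)), key=lambda i: sq_dist(centers[i], vector))

def mean(vectors):
    return tuple(sum(v[d] for v in vectors) / len(vectors)
                 for d in range(len(vectors[0])))

def cost(centers, vectors):
    """Eq. (1): squared distance of every vector to its assigned centroid."""
    return sum(sq_dist(centers[nearest(centers, v)], v) for v in vectors)

def kmeans(vectors, init_centers, eps=1e-9, max_iter=100):
    """Steps S2-S5; S1 is supplied by the caller as init_centers."""
    centers, prev_j = list(init_centers), None
    for _ in range(max_iter):
        groups = defaultdict(list)                      # S2: membership matrix
        for v in vectors:
            groups[nearest(centers, v)].append(v)
        j = cost(centers, vectors)                       # S3: eq. (1)
        if j <= eps or (prev_j is not None and abs(prev_j - j) <= eps):
            break                                        # eq. (3)
        prev_j = j
        centers = [mean(groups[i]) if groups[i] else centers[i]
                   for i in range(len(centers))]        # S4: eq. (4)
    return centers, j

def subtractive_init(vectors, c, ra=0.5, rb=None):
    """Subtractive clustering S1-S4: the c data vectors with the highest density.
    ra and rb are the radii of eqs. (5) and (6); rb = 1.5 * ra is a common
    choice and an assumption of this example, not a value from the paper."""
    rb = 1.5 * ra if rb is None else rb
    density = [sum(math.exp(-sq_dist(xi, xj) / (ra / 2) ** 2) for xj in vectors)
               for xi in vectors]                        # S1: eq. (5)
    centers = []
    for _ in range(c):
        ci = max(range(len(vectors)), key=lambda i: density[i])   # S2 / S4
        xc, dc = vectors[ci], density[ci]
        centers.append(xc)
        density = [d - dc * math.exp(-sq_dist(xi, xc) / (rb / 2) ** 2)
                   for d, xi in zip(density, vectors)]  # S3: eq. (6)
    return centers

def mapreduce_iteration(pairs):
    """One MapReduce job of Section III.B on (center, vector) pairs: map
    re-assigns each vector to its nearest current center, shuffle groups the
    vectors by that key, reduce emits (mean of group, vector) pairs."""
    centers = sorted(set(center for center, _ in pairs))
    shuffled = defaultdict(list)
    for _, vector in pairs:                              # map + shuffle/sort
        shuffled[centers[nearest(centers, vector)]].append(vector)
    output = []
    for vectors in shuffled.values():                    # reduce
        output.extend((mean(vectors), v) for v in vectors)
    return output

def run_combined():
    """Fig. 1 pipeline: normalize, subtractive initialization, then k-means."""
    data = min_max_normalize(RAW)
    return kmeans(data, subtractive_init(data, c=2))

def run_mapreduce_once():
    """Pairs start with arbitrary seed centers; one job already yields the two
    regime means because the seeds fall on the correct sides of the data."""
    data = min_max_normalize(RAW)
    seeds = [(0.2, 0.2), (0.8, 0.8)]                    # constructed seeds
    pairs = [(seeds[k % 2], v) for k, v in enumerate(data)]
    return sorted(set(center for center, _ in mapreduce_iteration(pairs)))

if __name__ == "__main__":
    centers, j = run_combined()
    print("centers:", centers, "J:", round(j, 6))
    print("centers after one MapReduce job:", run_mapreduce_once())
```

Because the two regimes are far apart once normalized, subtractive initialization already lands on the regime means, so k-means stops at the first evaluation of (3); with random initialization the same data would usually need a few iterations, which is the point the paper makes about combining the two methods.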

Fig. 1 Combination of K-means with subtractive clustering (block diagram: data → Subtractive clustering → centroids → K-means → membership matrix)

IV. PROPOSED APPROACH

NCI security is a critical issue of ICS, which is why more and more effort has to be put into designing architectures capable of detecting anomalies caused by cyber threats. The proposed approach leverages the hidden information in the time-series data of physical processes and classifies the normal and disturbed cases. To keep up with large datasets acquired over long periods of time, a parallel processing platform (Hadoop) is used in conjunction with the laboratory capabilities of LabVIEW. For compatibility reasons with ICS, MySQL Cluster takes the role of storing unprocessed and processed data.

Different attack scenarios expose different anomalies, which are identified in the process parameters. Depending on the industrial process dynamics, multi-dimensional vectors are constructed by grouping the parameters of interest. Each vector is represented as a point in the hyperspace and is a member of a delimited cluster. If the parameters are correctly grouped, the clustering process will result in bounding the various operation states and even the anomalies of the industrial process. For ease of graphical presentation of the results, two-dimensional vectors are used. Fig. 2 illustrates the grouping of two main features of the physical system (engine speed and engine temperature) into two-dimensional points presented in an XY scatter plot. By applying a clustering algorithm, for instance k-means, the areas suspected of anomalies can be bounded. Fig. 3 is an instance of defining areas where the data points that appear are suspected of false data injection attacks or of another type of attack which causes anomalies in the normal operation.

As is known, in networked control systems not only the process parameters are transmitted over the network, but the control signals as well. If the control signal is corrupted, then by grouping the control signals with the measured parameters, and thus forming the data vectors to be clustered, the proposed approach is able to deal with such a situation.

A. Architecture of the proposed system

The proposed system is composed of 4 main parts (Fig. 4):
- Hadoop – data processing environment
- Java application – interface with Hadoop
- MySQL Cluster – ACID scalable database
- LabVIEW application – result presentation GUI

The main component is the processing unit (MapReduce algorithm), where the large time-series data sets are processed using clustering techniques. After the identification of the clusters, the results are investigated using the GUI (LabVIEW application) to find potential anomalies in the physical or cyber operation of the NCI. In the case of reduced data sets, faster processing can be carried out using the local processing capabilities of LabVIEW.

Fig. 4 The proposed architecture

The architecture presented in Fig. 4 allows the user to launch new data mining experiments and finally to visualize the resulting data and extract useful information related to cyber-physical security. The Hadoop MapReduce jobs are launched via the Java application (Fig. 5).

Fig. 2 Operation and anomaly bounding by clustering

Fig. 5 Java-Hadoop application interface (Java application → DFS API, MapRed API → Hadoop)

In the case of a new data analysis, the Java application copies the investigated data from the DB to HDFS and launches the data mining job. After completion, the resulting data is added to the DB stored in MySQL Cluster.

Fig. 3 False data injection areas

V. CASE STUDY

The proposed methods are applied to the data of gas compression units. Fig. 6 presents the architecture of the existing and investigated cyber-physical system, together with the proposed platform. The industrial equipment consists of a gas powered internal combustion engine, coupled with a two stage reciprocating gas compressor.

There are many possibilities for grouping the available features; for example, a single compression unit alone has about 50 parameters, hence in the case of a global system forming a network of compressor stations, multiple features from multiple sources have to be combined to construct global knowledge.

Fig. 6 Cyber-physical system architecture (components: GC, Control Cabinet, Control Station, Hadoop Cluster, MySQL, Network, Attacker)

The role of the compressor is to raise the pressure of the intake gas. This is done in two stages: in the first one the gas is compressed to an intermediate pressure, which in the final stage is raised to the final pressure value. The most important measured parameters are gas pressures, temperatures, inlet/outlet flow, rotor speed, lube oil and cooling water pressures/temperatures and vibrations. The nature of the time-series data of compression units offers the possibility of grouping the parameters and forming multi-dimensional vectors for each sample measurement. By clustering the measurement vectors, different clusters for different operation states (stopped, starting, loading, unloading, stopping, work with/without load, ESD, …) can be defined. The first experiments with real process data guided us to choose the k-means algorithm, because of its higher performance and reduced complexity.

A. Experimental results

In the following we summarize the results of the performed experiments. First we present the testing of the candidate clustering algorithms using real data. The test conditions are: length of time-series data Lx = 5000, number of clusters k = 2, training data = 80% of Lx and test data = 20% of Lx.

The considered performance metrics are execution time and RMS error, computed according to (8).

$$ RMSE = \sqrt{ \frac{1}{N} \sum_{i=1}^{N} (x_i - y_i)^2 } \qquad (8) $$

Fig. 7 Clustering of training data (Feature 1: Outlet gas flow, Feature 2: Cylinder temp. #2)

Fig. 7 plots the clustered data points and illustrates the clusters and centroids with different colors. Fig. 8 shows the computed RMSE for each test data vector. This is done by applying equation (8) to the test data vectors (20% of the dataset) and their nearest cluster centroids.

Fig. 8 RMSE plot of the evaluating dataset

TABLE I. CLUSTERING ALGORITHM PERFORMANCE

Method                 | Execution time [ms] | RMSE
K-means                | 51                  | 0.108
Subtractive            | 1050                | 0.056
Subtractive – K-means  | 1011                | 0.107

In the RMSE plot the spikes corresponding to outlier points are clearly observed, hence the RMSE signal is sensitive to the anomalies in the physical process. Table I shows the processing time and the aggregated RMSE for each tested algorithm. In conclusion, the best results in the case of the feature data of the studied real system were achieved by using the k-means clustering method. So, in order to process large datasets, the MapReduce version of the k-means algorithm is used.
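As an added example that is not part of the paper, the script below computes the per-vector RMSE signal of Fig. 8 with equation (8) against the nearest centroid, an aggregate RMSE over the test split in the spirit of Table I, and flags the spikes the text describes with a median/MAD threshold. The centroids, the nine test vectors (eight in-regime samples and one vector matching neither regime) and the threshold rule are constructed for the example; the paper gives no threshold and its aggregate is not defined in the text, so the aggregate here is the RMSE over all vector-centroid component pairs, stated as an assumption.

```python
"""Added example (not the paper's code): eq. (8) applied to test vectors and
their nearest cluster centroid, as in the Fig. 8 discussion, plus a robust
spike threshold for flagging outlier points. Centroids, test vectors, the
aggregate definition and the threshold rule are constructed here."""
import math

# Constructed centroids in the normalized [0, 1] plane of Fig. 7 (outlet gas
# flow, cylinder temperature), standing for two operation states.
CENTROIDS = [(0.20, 0.25), (0.75, 0.80)]

# Constructed 20 % test split: eight in-regime samples and one vector that
# matches neither regime, standing in for an injected measurement.
TEST_VECTORS = [
    (0.18, 0.27), (0.23, 0.22), (0.21, 0.26), (0.20, 0.21),
    (0.77, 0.78), (0.72, 0.83), (0.76, 0.79), (0.75, 0.84),
    (0.95, 0.10),
]

def rmse(x, y):
    """Eq. (8): RMSE between a data vector x and a reference vector y."""
    return math.sqrt(sum((xi - yi) ** 2 for xi, yi in zip(x, y)) / len(x))

def nearest_centroid(centroids, vector):
    return min(centroids, key=lambda c: rmse(vector, c))

def score_test_vectors(centroids, vectors):
    """The Fig. 8 signal: RMSE of each test vector against its nearest centroid."""
    return [rmse(v, nearest_centroid(centroids, v)) for v in vectors]

def aggregate_rmse(centroids, vectors):
    """One number per algorithm, as Table I reports. Assumption of this example:
    RMSE over all (vector component, nearest centroid component) pairs."""
    pairs = [(v, nearest_centroid(centroids, v)) for v in vectors]
    sq = sum((xi - yi) ** 2 for v, c in pairs for xi, yi in zip(v, c))
    return math.sqrt(sq / sum(len(v) for v, _ in pairs))

def median(values):
    s = sorted(values)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2

def flag_spikes(scores, factor=3.0):
    """Indices whose RMSE exceeds median + factor * MAD. This median/MAD rule
    replaces reading the spikes off the plot by eye; it is this example's choice."""
    med = median(scores)
    mad = median([abs(s - med) for s in scores])
    limit = med + factor * mad
    return [i for i, s in enumerate(scores) if s > limit]

if __name__ == "__main__":
    scores = score_test_vectors(CENTROIDS, TEST_VECTORS)
    for i, s in enumerate(scores):
        print(f"test vector {i}: RMSE = {s:.4f}")
    print("spikes at indices:", flag_spikes(scores))
    print("aggregate RMSE:", round(aggregate_rmse(CENTROIDS, TEST_VECTORS), 4))
```

The median/MAD limit is robust to the spike itself (a mean/standard-deviation limit would be pulled up by the outlier it is supposed to catch), which matters when the test split contains several injected points; in a deployment the limit would be calibrated on the anomaly-free training split rather than on the scored data.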

The testing of the method on artificially generated data vectors is shown in Fig. 9 and Fig. 10. The clustering in Fig. 9 was processed within Δt_c = 196 ms, having a global RMSE = 0.343 for a dataset of length Lx = 8000. Fig. 10 illustrates the situation when two clusters are too close to each other and the algorithm needs more iterations to find the optimal clusters. From the perspective of anomaly detection this situation causes uncertainty, but it is resolved by limiting the value range or by choosing more significant features. In Fig. 11 and Fig. 12 the k-means clustering algorithm is applied to the experimental dataset. In Fig. 11 the clustering job was launched for two resulting clusters, and in Fig. 12 the data and the added simulated vectors are clustered, forming 3 groups.

Fig. 9 Clustering of generated dataset – proximity clusters: resulting clusters (a), the evolution of the cost function J related to iteration no. (b)

Fig. 10 Clustering of generated dataset – distanced clusters: resulting clusters (a), the evolution of the cost function J related to iteration no. (b)

Fig. 11 Clustering of experimental dataset (Feature 1: Engine speed, Feature 2: Cylinder #12 temp.)

Fig. 12 Clustering of experimental dataset with added simulated vectors (Feature 1: Engine speed, Feature 2: Cylinder #12 temp.)

We considered it important to test the processing time performance of the proposed approach (using Hadoop) against local processing. Fig. 13 presents the resulting computing times. Fig. 14 shows a preview of the experimentation GUI.

Fig. 13 Comparison of local and distributed computing times (Execution time [s] vs. feature data length; series: Local, One node, Two nodes)

Fig. 14 Experimentation GUI


VI. CONCLUSIONS

The presented case study and the results demonstrate that by means of data mining, especially clustering, cyber attacks targeting physical systems can be efficiently identified. The proposed approach requires that the design engineer of this type of security module deeply understands the processes of the cyber-physical system. Nevertheless, the clear advantage of this approach is that it effectively hardens the overall security of the installation, since the same requirement applies to the attacker as well. An attacker first has to get access to the cyber system and then needs to remain stealthy for a certain period of time in order to learn the specific characteristics of the physical process. This means that the attacker will need to have full access to all process data and therefore to perform a complete compromise of the installation. Although not impossible, in such extreme scenarios an attacker might need to impersonate all sensors in order to avoid detection, which adds another layer of complexity to the attack if we consider large installations with thousands of sensors scattered over several geographic regions. Therefore, in such scenarios a successful attack becomes highly unlikely.

REFERENCES

[1] I. N. Fovino, A. Carcano, M. Masera and A. Trombetta, "An experimental investigation of malware attacks on SCADA systems," Int. J. Critical Infrastruct. Protection, vol. 2, no. 4, pp. 139-145, 2009.
[2] B. Genge and C. Siaterlis, "Physical process resilience-aware network design for SCADA systems," Computers & Electrical Engineering, Elsevier, vol. 40, no. 1, pp. 142-157, 2014.
[3] B. Genge and C. Siaterlis, "Analysis of the Effects of Distributed Denial-of-Service Attacks on MPLS Networks," International Journal of Critical Infrastructure Protection, Elsevier, vol. 6, no. 2, pp. 87-95, 2013.
[4] T. Chen and S. Abu-Nimeh, "Lessons from Stuxnet," Computer, vol. 44, no. 4, pp. 91-93, Apr. 2011.
[5] D. McElroy and C. Williams, "Flame: World's Most Complex Computer Virus Exposed," Jul. 2013. [Online]. Available: http://www.telegraph.co.uk/news/worldnews/middleeast/iran/9295938/Flame-worlds-most-complex-computer-virus-exposed.html
[6] R. Tehan, "Cybersecurity: Authoritative Reports and Resources, by Topic," Congressional Research Service, April 3, 2014.
[7] S. Batsell, N. Rao and M. Shankar, "Distributed Intrusion Detection and Attack Containment for Organizational Cyber Security," 2007.
[8] M. Bossardt, T. Dübendorfer and B. Plattner, "Enhanced Internet security by a distributed traffic control service based on traffic ownership," Network and Computer Applications, vol. 30, no. 3, pp. 841-857, August 2007.
[9] B. Dharamkar and R. R. Singh, "A Review of Cyber Attack Classification Technique Based on Data Mining and Neural Network Approach," IJCTT, vol. 7, no. 2, pp. 100-105, 2014.
[10] V. Richharya, D. J. Rana, D. R. Jain and D. K. K. Pandey, "Design of Trust Model For Efficient Cyber Attack Detection on Fuzzified Large Data using Data Mining techniques," International Journal of Research in Computer and Communication Technology, vol. 2, no. 3, 2013.
[11] T. Bass, "Intrusion Detection Systems & Multisensor Data Fusion: Creating Cyberspace Situational Awareness," Communications of the ACM, vol. 43, no. 4, pp. 99-105, 2001.
[12] D. Barbara, J. Couto, S. Jajodia and N. Wu, "ADAM: A testbed for exploring the use of data mining in intrusion detection," SIGMOD, vol. 130, no. 4, pp. 15-28, 2001.
[13] O. Linda, M. Manic, T. Vollmer and J. Wright, "Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor," Computational Intelligence in Cyber Security (CICS), 2011 IEEE Symposium on, pp. 202-209, April 2011.
[14] A. Teixeira, D. Pérez, H. Sandberg and K. H. Johansson, "Attack Models and Scenarios for Networked Control Systems," High Confidence Networked Systems, pp. 55-64, 2012.
[15] C. Siaterlis, B. Genge and M. Hohenadel, "EPIC: A Testbed for Scientifically Rigorous Cyber-Physical Security Experimentation," Emerging Topics in Computing, IEEE Transactions on, vol. 1, pp. 319-330, Dec. 2013.
[16] B. Genge, C. Siaterlis and G. Karopoulos, "Data fusion-based anomaly detection in networked critical infrastructures," Dependable Systems and Networks Workshop (DSN-W), 2013 43rd Annual IEEE/IFIP Conference on, pp. 1-8, June 2013.
[17] B. Genge, D. Rusu and P. Haller, "A Connection Pattern-based Approach to Detect Network Traffic Anomalies in Critical Infrastructures," 2014 ACM European Workshop on System Security (EuroSec2014), Amsterdam, The Netherlands, pp. 1-6, 2014.
[18] H. Kim, I. Kim and T.-M. Chung, "Abnormal Behavior Detection Technique Based on Big Data," in Frontier and Innovation in Future Computing and Communications, vol. 301, Springer Netherlands, 2014, pp. 553-563.
[19] L. Aniello, A. Bondavalli, A. Ceccarelli, C. Ciccotelli, M. Cinque, F. Frattini, A. Guzzo, A. Pecchia, A. Pugliese, L. Querzoni and S. Russo, "Big Data in Critical Infrastructures Security Monitoring: Challenges and Opportunities," in BIG4CIP-2014, May 2014.
[20] K. Hammouda and F. Karray, "A Comparative Study of Data Clustering Techniques," 2000.
