Network Anomaly Detection Using a Commute Distance Based
Recommend Documents
using outlier identification is a successful network anomaly identification technique ... behavior from attack-free training data and represents the profile as a set of ...
With the widespread use of the internet, it has become a key challenge to maintain ... intrusions in network traffic and host intrusion detection system monitors the ...
These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console. The network-based intrusion ...
Jul 6, 2009 - To achieve this approach, a method and its software application to identify IP ... component analysis it i
Jul 6, 2009 - approaches are developed with their software candidates. Either event based ... To achieve this approach,
propose a novel anomaly detection method that uses router connection relationships to detect ... Existing methods use PCA [1] or other techniques [2-5] for ...
Image Processing & Communication, vol. 18,no. 1, pp.15-22. DOI: 10.2478/v10248-012-0071-6. 15. NETWORK ANOMALY DETECTION BASED ON SIGNAL ...
One of the most critical tasks for network administrator is to ensure system uptime ... answer is critical for network administrators to make their choices in ...
performed to check each connection of the test set and finally result has been ... a technique used to monitor network traffic, identifying unauthorized access and.
Dec 15, 2004 - Anomaly detection techniques can be of three types: unsupervised, semi-supervised and supervised. Some published papers in each of these ...
System based on majority voting that can adapt to network changes by steadily exchanging small parts of ... While traditional, signature-based IDS often lag.
Abstract: In this paper, we introduce the Java Anomaly Detection (JAD) library which provides a ... Firestorm NIDS, require extensive knowledge of attack signatures which must be entered ..... der: Tech Law and Policy in the Digital Age, 2011.
significantly different from anomalous outbound traffic. For network operators, outbound traffic is as important as inbound traffic because they can monitor ...
algorithm is proposed for anomaly detection through modifying the Self .... Supervised anomaly detection dataset are taken from the standard bench mark ...
A comprehensive survey on network anomaly detection. Gilberto Fernandes Jr., Joel J. P. C. Rodrigues, Luiz Fernando Carvalho,. Jalal F. Al-Muhtadi, Mario ...
duced and processed by domain experts to yield KDD Cup 99 dataset for ..... whois. 27 pop 2. 37 printer. 47 vmnet 57 netstat. 7 lauth. 18 mtp. 28 sunrpc. 38 efs.
where each pi+1 is directly density-reachable from pi. The relation of ...... capture the flow level network traffic include Nfdump2, NfSen3 and Cisco Netflow V.94.
flow-based; usually rely on network elements to make so-called flow information available for analysis. The second approach is packet-based; which directly ...
There are many commercially available signature-based Intrusion Detection ... face many problems including high rate of false alarm, ability to work in online ... that attacks are becoming more sophisticated while they get more automated, and ...
A Survey on Anomaly Detection in Network Intrusion Detection System. 443. On the basis of data collection mechanisms IDS is categorized into Host-Based.
trade-off, we present in this work how ProM tools can support anomaly detection in ... Despite the automation provided by PAIS, the business process control of competitive ... rapidly to new market strategies or new business models. On the ...
ing a spoofed TCP SYN packet (connection initiation) with the same source and ..... Sourcefire: Snort Network Intrusion Detection System web site (1999) URL.
the proposed system is analyzed using the standard NSL-KDD dataset. The remainder of .... 1 Available on: http://moa.cms.waikato.ac.nz/downloads. 2 Available ...
Currently, most widely-used malware detection software uses signature-based method to recognize threats . Signatures are sequences of bytes in the machine ...
Network Anomaly Detection Using a Commute Distance Based
Anomaly Detection Using Principal. Component Analysis (PCA). PCA: ⢠Data in a high dimensional space is transformed to a lower dimensional subspace.
Network Anomaly Detection Using a Commute Distance Based Approach Authors: Nguyen Lu Dang Khoa and Tahereh Babaie Supervisor: Professor Sanjay Chawla SCHOOL OF IT, FACULTY OF ENGINEERING & INFORMATION TECHNOLOGIES Introduction • Finding unusual and large changes in network traffic. • Anomalies: intentional attacks (e.g. a DDoS attack, a viruses spread), an unusual network traffic (e.g. flash crowds).
Background Intrusion detection system (IDS): • Signature-based method: using a pre-defined set of patterns describing previous anomalous events to identify future anomalies. • Can only find known attacks and new attack patterns need to be updated over time. Network anomaly detection system (NADS): • Try to identify new or previously unknown abnormal traffic behaviours.
Anomaly Detection Using Commute Distance Commute distance: • The commute time: the expected number of steps a random walk starting at i will take to reach j once and go back to i for the first time. • Commute distance between two nodes can capture both the distance between them and their local neighborhood densities. • Can be calculated from the pseudo-inverse of the graph Laplacian matrix
c(i, j ) VG(lii l jj 2lij )
Anomaly detection using commute distance: • Construct the mutual k-nearest neighbor graph from the dataset • Compute the graph Laplacian matrix L and its pseudoinverse L+
c(i, j ) VG(lii l jj 2lij )
• Find top N outliers using commute distance based technique with pruning rule
Anomaly Detection Using Principal Component Analysis (PCA) PCA: • Data in a high dimensional space is transformed to a lower dimensional subspace which captures most of the data variance. • The new subspace has a smaller number of uncorrelated variables called Principle Components (PC). • Typically first few PCs account for most of the variance in the original data. • Computation includes the eigenvalues decomposition of the data covariance matrix. Anomaly detection using PCA: • First few PCs: - Capture most of variance in the dataset - Be strongly related to one or more of the original variables • Last few PCs: - Represent the linear combination of original variables with very small variance - The data tend to result in similar small values in those PCs. - Any observation that largely deviates from this tendency for the last few PCs is likely to be an anomaly. • Subspace approach: based on decomposition of a main space of data into: N A
xi xi xi
-Normal subspace: projection of the data on N T the first few PCs
xi PP xi Cxi
- Anomalous subspace: projection of data on the last few PCs A
xi ( I C ) xi
-Network traffic instances are considered 2 anomalies if xiA is greater than a chosen threshold.
Comparison: • PCA • EDOF: Euclidean distance-based method • LOF: density-based method • CDOF: commute distance based method Results and Analysis: • NICTA dataset: PCA found anomalies but was very sensitive to parameters changes. • Abilene dataset 1:
Conclusion
• Abilene dataset 2: -EDOF, LOF, and CDOF all found only one anomaly if the threshold based on anomaly scores was used while PCA could not find it. - PCA falsely returned 935 time bins as anomalies. An analysis on the data shows that there was a very large and dominating traffic volume appearing in time bin 1350. - The large anomaly skewed the normal subspace forming by the first few PCs and consequently increased the false positives. • Parameters sensitivity: THIS RESEARCH IS SP
- Varied parameters in all the methods. - PCA was very sensitive to changes of parameters used.
• Propose the use of commute distance to discover anomalies in network traffic data. • Address the weaknesses of PCA in detecting anomalies in computer network domain. • The commute distance based approach has a lower false positive and false negative rate in anomaly detection compared to PCA and typical distance-based and density-based approaches.
References 1. Nguyen Lu Dang Khoa and Sanjay Chawla, “Robust outlier detection using commute time and eigenspace embedding,” in Proceedings of PAKDD 2010, pp. 422–434. 2. Nguyen Lu Dang Khoa, Tahereh Babaie, Sanjay Chawla, and Zainab Zaidi, "Network Anomaly Detection Using a Commute Distance Based Approach," in Proceedings of ICDMW 2010 (to appear). THIS RESEARCH IS SPONSORED BY CMCRC
