A distributed approach to network anomaly detection based on independent component analysis

Network anomalies, circumstances in which the network behavior deviates from its normal operational baseline, can be due to various factors such as network overload conditions, malicious/hostile activities, denial of service attacks, and network intrusions. New detection schemes based on machine learning principles are therefore desirable, as they can learn the nature of normal traffic behavior, autonomously adapt to variations in the structure of ‘normality’, and recognize significant deviations as suspicious or anomalous events. The main advantages of these techniques are that, in principle, they are not restricted to any specific environment and that they can provide a way of detecting unknown attacks. Detection performance is directly correlated with the quality of the traffic model, in terms of its ability to represent the traffic behavior through its most characterizing internal dynamics. Starting from these ideas, we developed a two‐stage anomaly detection strategy based on multiple distributed sensors located throughout the network. In the first stage, modeled as a Blind Source Separation problem, Independent Component Analysis extracts the fundamental traffic components (the ‘source’ signals), corresponding to the independent traffic dynamics, from the multidimensional time series arriving from the sensors, which correspond to the perceived ‘mixed/aggregate’ effect of traffic on their interfaces. These components are then used to build the baseline traffic profiles needed in the second, supervised stage, based on a binary classification scheme (detection is cast into an anomalous/normal classification problem) driven by machine learning‐inferred decision trees. Copyright © 2013 John Wiley & Sons, Ltd.
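The first stage described above, as an added example that is not the paper's code: two sensor series are constructed as linear mixtures (assumed mixing matrix) of a periodic baseline and a sparse burst, then whitened and unmixed with a pure-Python FastICA so that the burst shows up as its own independent component. A fixed deviation threshold on the recovered components is an assumption standing in for the paper's decision-tree stage.

```python
import math

def whiten(x1, x2):
    """Centre and PCA-whiten two sensor series (closed-form 2x2 eigendecomposition)."""
    n = len(x1)
    m1, m2 = sum(x1) / n, sum(x2) / n
    x1, x2 = [v - m1 for v in x1], [v - m2 for v in x2]
    c11, c22 = sum(a * a for a in x1) / n, sum(b * b for b in x2) / n
    c12 = sum(a * b for a, b in zip(x1, x2)) / n
    tr, det = c11 + c22, c11 * c22 - c12 * c12
    disc = math.sqrt(max(tr * tr / 4 - det, 0.0))
    l1, l2 = tr / 2 + disc, tr / 2 - disc              # eigenvalues, l1 >= l2 > 0
    e1 = (l1 - c22, c12) if abs(c12) > 1e-12 else ((1.0, 0.0) if c11 >= c22 else (0.0, 1.0))
    nrm = math.hypot(*e1)
    e1, e2 = (e1[0] / nrm, e1[1] / nrm), (-e1[1] / nrm, e1[0] / nrm)  # orthonormal eigenvectors
    return ([(e1[0] * a + e1[1] * b) / math.sqrt(l1) for a, b in zip(x1, x2)],
            [(e2[0] * a + e2[1] * b) / math.sqrt(l2) for a, b in zip(x1, x2)])

def fast_ica_2d(z1, z2, iters=200):
    """One-unit FastICA (tanh contrast) on whitened data; the second direction is the orthogonal one."""
    n, w = len(z1), (1.0, 0.0)                           # deterministic start
    for _ in range(iters):
        g = [math.tanh(w[0] * a + w[1] * b) for a, b in zip(z1, z2)]
        gp = sum(1 - t * t for t in g) / n               # E[tanh'(w.z)]
        w_new = (sum(a * t for a, t in zip(z1, g)) / n - gp * w[0],
                 sum(b * t for b, t in zip(z2, g)) / n - gp * w[1])
        nrm = math.hypot(*w_new)
        w_new = (w_new[0] / nrm, w_new[1] / nrm)
        w, done = w_new, abs(abs(w_new[0] * w[0] + w_new[1] * w[1]) - 1) < 1e-10
        if done:
            break
    w2 = (-w[1], w[0])
    return ([w[0] * a + w[1] * b for a, b in zip(z1, z2)],
            [w2[0] * a + w2[1] * b for a, b in zip(z1, z2)])

def flag_deviations(components, k=2.0):
    # Indices where any unit-variance component leaves its baseline by > k std devs.
    # Assumption: this fixed threshold stands in for the paper's decision-tree stage.
    return sorted({t for s in components for t, v in enumerate(s) if abs(v) > k})

def demo():
    # Constructed sample: periodic baseline + 50-sample burst, seen by two sensors as mixtures.
    base = [math.sin(2 * math.pi * t / 50) for t in range(400)]
    burst = [1.0 if 200 <= t < 250 else 0.0 for t in range(400)]
    x1 = [1.0 * b + 0.6 * u for b, u in zip(base, burst)]    # assumed mixing matrix
    x2 = [0.4 * b + 1.0 * u for b, u in zip(base, burst)]
    s1, s2 = fast_ica_2d(*whiten(x1, x2))
    return (s1, s2), flag_deviations((s1, s2))
```

Neither sensor series alone separates the burst from the periodic background cleanly, but the unmixed components do, which is the property the second-stage classifier in the paper relies on.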
