    Abstract:

    Network anomaly detection has been an active and difficult research topic in intrusion detection for many years. High false alarm rates, the need for high-quality data to model normal behaviour, and the degradation of the detection rate caused by "noisy" records in the training set still keep it from performing as well as expected in practice. This paper presents a network anomaly detection method based on an improved TCM-KNN (transductive confidence machines for K-nearest neighbors) machine learning algorithm, which can detect anomalies effectively when trained on normal data only. A series of experiments on the well-known KDD Cup 1999 dataset shows that, while keeping a high detection rate, it achieves a lower false positive rate and, in particular, higher confidence than traditional anomaly detection methods. Even when the training set is contaminated with "noisy" data, the proposed method retains good detection performance. Furthermore, it can be optimized without an obvious loss of detection performance by training on a small dataset and by applying feature selection to avoid the "curse of dimensionality".
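    As an added illustration, not code from the paper, the following Python implements the one-class TCM-KNN decision rule the abstract describes: a detector trained on normal records only, a transductive p-value that says how "strange" a new connection is relative to the normal pool, and a confidence threshold below which the connection is reported. The nonconformity measure (sum of distances to the k nearest normal neighbours), the p-value rule and the threshold tau are assumptions that follow the standard transductive confidence machine recipe rather than the paper's exact variant; the feature vectors are constructed, not KDD Cup 1999 records. It also shows the noisy-training-set case from the abstract by adding three mislabelled records to the normal pool.

```python
"""Added example (not from the paper): a one-class TCM-KNN anomaly detector.

Assumptions, following the transductive confidence machine (TCM) recipe:
  * nonconformity of a point = sum of its distances to its k nearest
    training points (one-class form of the TCM-KNN measure; the
    between-class denominator is dropped because only normal data is used);
  * the p-value of a probe x is the fraction of points in the augmented pool
    (training data plus x) whose nonconformity is at least that of x;
  * x is flagged as anomalous when its p-value falls below a threshold tau.
The feature vectors below are constructed, not KDD Cup records.
"""
import math
import random
from typing import List, Sequence, Tuple

Vector = Tuple[float, ...]


def euclid(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class TCMKNN:
    """One-class transductive k-NN detector trained on normal records only."""

    def __init__(self, train: Sequence[Sequence[float]], k: int = 3) -> None:
        if k < 1 or k >= len(train):
            raise ValueError("k must satisfy 1 <= k < len(train)")
        self.k = k
        self.train: List[Vector] = [tuple(map(float, x)) for x in train]
        # For every training point keep its k smallest distances to the other
        # training points. A probe can only displace entries of that list, so
        # it is enough to recompute every nonconformity exactly when the probe
        # is added to the pool.
        self.knn_dists: List[List[float]] = []
        for i, x in enumerate(self.train):
            d = sorted(euclid(x, y) for j, y in enumerate(self.train) if j != i)
            self.knn_dists.append(d[: self.k])

    def p_value(self, probe: Sequence[float]) -> float:
        """Transductive p-value of `probe` against the normal training pool."""
        x = tuple(map(float, probe))
        dists = [euclid(x, t) for t in self.train]
        alpha_probe = sum(sorted(dists)[: self.k])
        # Transduction: the probe joins the pool, so each training point's
        # nonconformity is recomputed with the probe as a candidate neighbour.
        n_at_least = 0
        for kd, dx in zip(self.knn_dists, dists):
            alpha_i = sum(sorted(kd + [dx])[: self.k])
            if alpha_i >= alpha_probe:
                n_at_least += 1
        # The +1 in numerator and denominator counts the probe itself.
        return (n_at_least + 1) / (len(self.train) + 1)

    def is_anomaly(self, probe: Sequence[float], tau: float = 0.05) -> bool:
        """Flag the probe when less than a fraction tau of the pool is as strange."""
        return self.p_value(probe) < tau


# --- constructed data: three normalised per-connection features --------------
_rng = random.Random(2007)
CENTER = (0.3, 0.5, 0.2)                       # a typical normal connection
NORMAL_TRAIN: List[Vector] = [
    tuple(_rng.gauss(c, 0.05) for c in CENTER) for _ in range(60)
]
NORMAL_PROBE: Vector = (0.31, 0.49, 0.21)      # an ordinary connection
ANOMALY: Vector = (0.90, 0.95, 0.90)           # flood-like outlier
NOISY_EXTRA: List[Vector] = [                  # mislabelled "normal" records
    (0.5, 0.7, 0.4), (0.1, 0.3, 0.05), (0.6, 0.4, 0.5),
]


def demo(tau: float = 0.05) -> dict:
    """Score the probes against a clean pool and a pool with noisy records."""
    clean = TCMKNN(NORMAL_TRAIN, k=3)
    noisy = TCMKNN(NORMAL_TRAIN + NOISY_EXTRA, k=3)
    return {
        "clean_p_normal": clean.p_value(NORMAL_PROBE),
        "clean_p_anomaly": clean.p_value(ANOMALY),
        "noisy_p_normal": noisy.p_value(NORMAL_PROBE),
        "noisy_p_anomaly": noisy.p_value(ANOMALY),
        "flagged_clean": clean.is_anomaly(ANOMALY, tau),
        "flagged_noisy": noisy.is_anomaly(ANOMALY, tau),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value}")
```

    Two practical points the block makes visible. The smallest p-value the rule can ever return is 1/(n+1), so with 60 normal records a threshold tau below 0.0164 would never flag anything; tau has to be chosen against the pool size, which is also why the abstract's result that a small training set still works is not automatic. The three mislabelled records raise the p-value of the ordinary probe slightly (they are "stranger" than it, so they count in its favour) but cannot rescue a far-off outlier, which is the robustness-to-noise behaviour the abstract reports.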

Citation

Li Yang, Fang Binxing, Guo Li, Chen You. A network anomaly detection method based on a transductive approach (基于直推式方法的网络异常检测方法). Journal of Software (软件学报), 2007, 18(10): 2595-2604 (in Chinese).
History
  • Received: October 10, 2006
  • Revised: January 23, 2007
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4