Online and Scalable Unsupervised Network Anomaly Detection Method

IEEE Transactions on Network and Service Management

Volumn 14, Issue 1, 2017, Pages 34-47

  Dromard, Juliette ^a   Roudière, Gilles ^a   Owezarski, Philippe ^a  

^a LAAS CNRS   (France)

Author keywords

clustering algorithms; Intrusion detection; unsupervised learning

Indexed keywords

CLUSTERING ALGORITHMS; MERCURY (METAL); UNSUPERVISED LEARNING;

DETECTION DELAYS; DETECTION PERFORMANCE; FALSE POSITIVE RATES; KNOWLEDGE DATABASE; NETWORK INTRUSIONS; REAL TIME REQUIREMENT; TRUE POSITIVE RATES; UNSUPERVISED NETWORK;

INTRUSION DETECTION;

EID: 85015676957     PISSN: 19324537     EISSN: None     Source Type: Journal    
DOI: 10.1109/TNSM.2016.2627340     Document Type: Article

References (32)

1. Online Network Traffic Characterization. (2014). Accessed on Feb. 18, 2016. [Online]. Available: http://ict-ontic.eu/
2. Y. Bengio, O. Delalleau, and N. Le Roux, "The curse of highly variable functions for local kernel machines," in Proc. 18th Int. Conf. Neural Inf. Process. Syst., Vancouver, BC, Canada, 2005, pp. 107-114.
3. D. Brauckhoff, B. Tellenbach, A. Wagner, M. May, and A. Lakhina, "Impact of packet sampling on anomaly detection metrics," in Proc. ACM SIGCOMM Conf. Internet Meas., Rio de Janeiro, Brazil, 2006, pp. 159-164.
4. P. Casas, J. Mazel, and P. Owezarski, "UNADA: Unsupervised network anomaly detection using sub-space outliers ranking," in Proc. NETWORKING 10th Int. IFIP TC 6 Netw. Conf., Valencia, Spain, 2011, pp. 40-51.
5. P. Casas, J. Mazel, and P. Owezarski, "Unsupervised network intrusion detection systems: Detecting the unknown without knowledge," Comput. Commun., vol. 35, no. 7, pp. 772-783, 2012.
6. M. Celenk, T. Conley, J. Willis, and J. Graham, "Predictive network anomaly detection and visualization," IEEE Trans. Inf. Forensics Security, vol. 5, no. 2, pp. 288-299, Jun. 2010.
7. J. Chen, R. Fontugne, A. Kato, and K. Fukuda, "Clustering spam campaigns with fuzzy hashing," in Proc. AINTEC Asian Internet Eng. Conf., Chiang Mai, Thailand, Nov. 2014, p. 66.
8. N. Chen, A. Chen, and L.-X. Zhou, "An incremental grid density-based clustering algorithm," J. Softw., vol. 13, no. 1, pp. 1-7, Aug. 2002.
9. J. Dromard, G. Roudière, and P. Owezarski, "Unsupervised network anomaly detection in real-time on big data," in New Trends in Databases and Information Systems, vol. 539. Cham, Switzerland: Springer, 2015, pp. 197-206.
10. L. Ertoz et al., "The MINDS-Minnesota intrusion detection system," in Next Generation Data Mining. Cambridge, MA, USA: MIT Press, 2004.
11. M. Ester, H.-P. Kriegel, J. Sander, and X. Xu, "A density-based algorithm for discovering clusters in large spatial databases with noise," in Proc. 2nd Int. Conf. Knowl. Disc. Data Min., Portland, OR, USA, 1996, pp. 226-231.
12. P. F. Evangelista, M. J. Embrechts, and B. K. Szymanski, Taming the Curse of Dimensionality in Kernels and Novelty Detection. Heidelberg, Germany: Springer, 2006, pp. 425-438.
13. R. Fontugne, P. Borgnat, P. Abry, and K. Fukuda, "MAWILab: Combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking," in Proc. ACM CoNEXT, Philadelphia, PA, USA, 2010, p. 8.
14. D. Ippoliti and X. Zhou, "Online adaptive anomaly detection for augmented network flows," in Proc. IEEE 22nd Int. Symp. Model. Anal. Simulat. Comput. Telecommun. Syst., Paris, France, Sep. 2014, pp. 433-442.
15. M. Bahrololum and M. Khaleghi, "Anomaly intrusion detection system using Gaussian mixture model," in Proc. Int. Conf. Converg. Inf. Technol., vol. 1. Busan, South Korea, pp. 1162-1167, 2008.
16. A. Kind, M. Stoecklin, and X. Dimitropoulos, "Histogram-based traffic anomaly detection," IEEE Trans. Netw. Service Manag., vol. 6, no. 2, pp. 110-121, Jun. 2009.
17. N. Beckmann, H.-P. Kriegel, R. Schneider, and B. Seeger, "The R∗-tree: An efficient and robust access method for points and rectangles," SIGMOD Rec., vol. 19, no. 2, pp. 322-331, 1990.
18. LAAS-CNRS. Metrology for Security and Quality of Service. Accessed on Feb. 18, 2016. [Online]. Available: http://projects.laas.fr/METROSEC/
19. A. Lakhina, M. Crovella, and C. Diot, "Mining anomalies using traffic feature distributions," ACM SIGCOMM Comput. Commun. Rev., vol. 35, no. 4, pp. 217-228, 2005.
20. A. Lakhina, M. Crovella, and C. Diot, "Diagnosing network-wide traffic anomalies," in Proc. Conf. Appl. Technol. Archit. Protocols Comput. Commun., Portland, OR, USA, 2004, pp. 219-230.
21. K. Leung and C. Leckie, "Unsupervised anomaly detection in network intrusion detection using clusters," in Proc. 28th Aust. Comput. Sci. Conf. (ACSC), Newcastle, NSW, Australia, 2005, pp. 333-342.
22. J. Mazel, "Unsupervised network anomaly detection," Ph.D. dissertation, Lab. Anal. Archit. Syst., Inst. Nat. des Sci. Appliquées de Toulouse, Toulouse, France, Dec. 2011.
23. A. P. Muniyandi, R. Rajeswari, and R. Rajaram, "Network anomaly detection by cascading K-means clustering and C4.5 decision tree algorithm," Proc. Eng., vol. 30, pp. 174-182, Mar. 2012.
24. J. Ndong and K. Salamatian, "Signal processing-based anomaly detection techniques: A comparative analysis," in Proc. INTERNET, 2011, pp. 32-39.
25. A. Patcha and J.-M. Park, "An overview of anomaly detection techniques: Existing solutions and latest technological trends," Comput. Netw., vol. 51, no. 12, pp. 3448-3470, Aug. 2007.
26. L. Portnoy, E. Eskin, and S. Stolfo, "Intrusion detection with unlabeled data using clustering," in Proc. ACM CSS Workshop Data Min. Appl. Security (DMSA), Philadelphia, PA, USA, 2001, pp. 5-8.
27. V. Satopaa, J. R. Albrecht, D. E. Irwin, and B. Raghavan, "Finding a "Kneedle" in a haystack: Detecting knee points in system behavior," in Proc. Int. Conf. Distrib. Comput. Syst. Workshops, Minneapolis, MN, USA, 2011, pp. 166-171.
28. B. Schölkopf, J. Platt, and T. Hoffman, In-Network PCA and Anomaly Detection. Cambridge, MA, USA: MIT Press, 2007, pp. 617-624.
29. M.-L. Shyu, S.-C. Chen, K. Sarinnapakorn, and L. Chang, "A novel anomaly detection scheme based on principal component classifier," in Proc. IEEE Found. New Directions Data Min. Workshop, Melbourne, FL, USA, 2003, pp. 172-179.
30. C. Spearman, "The proof and measurement of association between two things," Amer. J. Psychol., vol. 15, no. 1, pp. 72-101, 1904.
31. T. M. Thang and J. Kim, "The anomaly detection by using DBSCAN clustering with multiple parameters," in Proc. Inf. Sci. Appl. (ICISA), Apr. 2011, pp. 1-5.
32. M. Thottan and C. Ji, "Anomaly detection in IP networks," IEEE Trans. Signal Process., vol. 51, no. 8, pp. 2191-2204, Aug. 2003.