
Network Traffic Anomaly Detection Techniques and Systems

  • Chapter in: Network Traffic Anomaly Detection and Prevention

Abstract

To develop a network traffic anomaly detection technique or system, it is necessary to understand the basic properties of network-wide traffic. This chapter therefore begins by discussing those properties, with an example. It is then organized into six major sections, each describing one family of network anomaly detection techniques and systems: statistical; classification-based; clustering- and outlier-based; soft-computing-based; knowledge-based; and those based on combination learners. Finally, it presents the strengths and weaknesses of each category with a detailed comparison.
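The statistical family listed above is the easiest to make concrete. The following is an added example, not code from the chapter or its authors: it buckets flow records into fixed time windows, derives a few network-wide features per window (flow count, byte volume, distinct destination ports, and the largest number of distinct ports touched by one source), learns a baseline from the first windows, and flags later windows whose features deviate by a robust z-score (median/MAD) above a threshold. The flow records, window width, feature set, threshold and the `attribute` helper are all constructed assumptions for illustration.

```python
"""Window-based statistical anomaly detection over flow records.

Added illustration only; not code from the chapter. Flow records, feature
set, window width and alert threshold are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start time in seconds (constructed)
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    nbytes: int   # bytes carried by the flow


def window_features(flows: List[Flow], width: int) -> Dict[int, Dict[str, float]]:
    """Bucket flows into fixed-width windows and compute network-wide features:
    flow count, byte volume, distinct destination ports, and the largest
    number of distinct ports touched by a single source (a scan indicator)."""
    buckets: Dict[int, List[Flow]] = defaultdict(list)
    for f in flows:
        buckets[f.ts // width].append(f)
    feats: Dict[int, Dict[str, float]] = {}
    for w, fl in sorted(buckets.items()):
        ports_per_src: Dict[str, set] = defaultdict(set)
        for f in fl:
            ports_per_src[f.src].add(f.dport)
        feats[w] = {
            "flows": float(len(fl)),
            "bytes": float(sum(f.nbytes for f in fl)),
            "dports": float(len({f.dport for f in fl})),
            "max_ports_per_src": float(max(len(s) for s in ports_per_src.values())),
        }
    return feats


def robust_z(value: float, baseline: List[float]) -> float:
    """Robust z-score (value - median) / (1.4826 * MAD). Median and MAD resist
    a few anomalous training windows far better than mean and std-dev.
    A constant baseline (MAD == 0) falls back to a scale of 1.0, i.e. the
    deviation is then measured in raw feature units."""
    med = median(baseline)
    mad = median(abs(b - med) for b in baseline)
    scale = 1.4826 * mad if mad > 0 else 1.0
    return (value - med) / scale


def detect(flows: List[Flow], width: int = 60, train_windows: int = 10,
           threshold: float = 3.5) -> List[Tuple[int, str, float]]:
    """Learn a baseline from the first `train_windows` windows and return
    (window, feature, z) for each later window/feature whose |z| > threshold."""
    feats = window_features(flows, width)
    windows = sorted(feats)
    train, test = windows[:train_windows], windows[train_windows:]
    alerts: List[Tuple[int, str, float]] = []
    for w in test:
        for name, value in feats[w].items():
            z = robust_z(value, [feats[t][name] for t in train])
            if abs(z) > threshold:
                alerts.append((w, name, round(z, 2)))
    return alerts


def attribute(flows: List[Flow], window: int, width: int = 60) -> str:
    """Source touching the most distinct ports in `window`: the first step
    from a network-wide alert back to a responsible host (assumed heuristic)."""
    ports: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.ts // width == window:
            ports[f.src].add(f.dport)
    return max(ports, key=lambda s: len(ports[s]))


def build_sample_flows() -> List[Flow]:
    """Constructed, deterministic traffic: 13 one-minute windows of benign
    flows from six hosts to three services, plus a 200-port scan from one
    host in window 11."""
    services = [80, 443, 53]
    flows: List[Flow] = []
    for w in range(13):
        for i in range(40 + w % 5):
            flows.append(Flow(ts=w * 60 + i % 60, src=f"10.0.0.{i % 6 + 1}",
                              dst=f"10.0.1.{i % 3 + 1}", dport=services[(i // 6) % 3],
                              nbytes=1000 + 100 * (i % 4)))
    for p in range(1, 201):  # the scan: one source, 200 ports, tiny flows
        flows.append(Flow(ts=11 * 60 + p % 60, src="10.0.0.99",
                          dst="10.0.1.1", dport=p, nbytes=60))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for w, name, z in detect(sample):
        print(f"window {w}: {name} z={z} (top source: {attribute(sample, w)})")
```

On the constructed traffic only window 11 fires, on all four features, and `attribute` names the scanning host. Two caveats a practitioner would add: the baseline must come from windows believed clean (an attacker who is active during training shifts the median), and thresholds on aggregate features trade sensitivity for false positives, so a slow scan spread over many windows will stay below `threshold` and needs per-source state rather than per-window statistics.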


References

  1. Abbes, T., Bouhoula, A., Rusinowitch, M.: Efficient decision tree for protocol analysis in intrusion detection. Int. J. Secur. Netw. 5(4), 220–235 (2010)

    Article  Google Scholar 

  2. Adetunmbi, A.O., Falaki, S.O., Adewale, O.S., Alese, B.K.: Network intrusion detection based on rough set and k-nearest neighbour. Int. J. Comput. ICT Res. 2(1), 60–66 (2008)

    Google Scholar 

  3. Agrawal, R., Srikant, R.: Fast algorithms for mining association rules in large databases. In: Proceedings of the 20th International Conference on Very Large Data Bases, pp. 487–499. Morgan Kaufmann, San Francisco (1994)

    Google Scholar 

  4. Amini, M., Jalili, R., Shahriari, H.R.: RT-UNNID: a practical solution to real-time network-based intrusion detection using unsupervised neural networks. Comput. Secur. 25(6), 459–468 (2006)

    Article  Google Scholar 

  5. Amiri, F., Yousefi, M.M.R., Lucas, C., Shakery, A., Yazdani, N.: Mutual information-based feature selection for intrusion detection systems. J. Netw. Comput. Appl. 34(4), 1184–1199 (2011)

    Article  Google Scholar 

  6. Anderson, D., Lunt, T.F., Javitz, H., Tamaru, A., Valdes, A.: Detecting Unusual Program Behaviour Using the Statistical Component of the Next-generation Intrusion Detection Expert System (NIDES). Tech. Rep. SRIO-CSL-95-06, Computer Science Laboratory, SRI International (1995)

    Google Scholar 

  7. Anscombe, F.J., Guttman, I.: Rejection of outliers. Technometrics 2(2), 123–147 (1960)

    Article  MathSciNet  MATH  Google Scholar 

  8. Ariu, D., Tronci, R., Giacinto, G.: HMMPayl: an intrusion detection system based on hidden Markov models. Comput. Secur. 30(4), 221–241 (2011)

    Article  Google Scholar 

  9. Arumugam, M., Thangaraj, P., Sivakumar, P., Pradeepkumar, P.: Implementation of two class classifiers for hybrid intrusion detection. In: Proceedings of the International Conference on Communication and Computational Intelligence, pp. 486–490 (2010)

    Google Scholar 

  10. Aydin, M.A., Zaim, A.H., Ceylan, K.G.: A hybrid intrusion detection system design for computer network security. Comput. Electr. Eng. 35(3), 517–526 (2009)

    Article  MATH  Google Scholar 

  11. Balajinath, B., Raghavan, S.V.: Intrusion detection through learning behavior model. Comput. Commun. 24(12), 1202–1212 (2001)

    Article  Google Scholar 

  12. Bezdek, J.C., Ehrlich, R., Full, W.: FCM: the Fuzzy C-means clustering algorithm. Comput. Geosci. 10(2-3), 191–203 (1984). doi:10.1016/0098-3004(84)90020-7

    Article  Google Scholar 

  13. Bhuyan, M.H., Bhattacharyya, D., Kalita, J.: A multi-step outlier-based anomaly detection approach to network-wide traffic. Inf. Sci. 348, 243–271 (2016)

    Article  Google Scholar 

  14. Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: NADO: network anomaly detection using outlier approach. In: Proceedings of the International Conference on Communication, Computing and Security, pp. 531–536. ACM, Odisha (2011)

    Google Scholar 

  15. Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: RODD: an effective reference-based outlier detection technique for large datasets. In: Advanced Computing, vol. 133, pp. 76–84. Springer, Berlin (2011)

    Google Scholar 

  16. Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: Surveying port scans and their detection methodologies. Comp. J. 54(10), 1565–1581 (2011)

    Article  Google Scholar 

  17. Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: An effective unsupervised network anomaly detection method. In: Proceedings of the International Conference on Advances in Computing, Communications and Informatics, pp. 533–539. ACM, New York (2012)

    Google Scholar 

  18. Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: AOCD: an adaptive outlier based coordinated scan detection approach. Int. J. Netw. Secur. 14(6), 339–351 (2012)

    Google Scholar 

  19. Bolzoni, D., Etalle, S., Hartel, P.H., Zambon, E.: POSEIDON: a 2-tier anomaly-based network intrusion detection system. In: Proceedings of the 4th IEEE International Workshop on Information Assurance, pp. 144–156 (2006)

    Google Scholar 

  20. Borji, A.: Combining heterogeneous classifiers for network intrusion detection. In: Proceedings of the 12th Asian Computing Science Conference on Advances in Computer Science: Computer and Network Security, pp. 254–260. Springer (2007)

    Google Scholar 

  21. Braynov, S., Jadliwala, M.: Detecting malicious groups of agents. In: Proceedings of the 1st IEEE Symposium on Multi-Agent Security and Survivability, pp. 90–99. IEEE CS (2004)

    Google Scholar 

  22. Breiman, L., Friedman, J., Olshen, R., Stone, C.: Classification and regression trees. Wadsworth and Brooks, Monterey (1984)

    MATH  Google Scholar 

  23. Cai, Z., Guan, X., Shao, P., Peng, Q., Sun, G.: A rough set theory based method for anomaly intrusion detection in computer network systems. Expert Syst. 20(5), 251–259 (2003)

    Article  Google Scholar 

  24. Cannady, J.: Applying CMAC-based on-line learning to intrusion detection. In: Proceedings of the IEEE-INNS-ENNS International Joint Conference on Neural Networks, vol. 5, pp. 405–410 (2000)

    Google Scholar 

  25. Carpenter, G., Grossberg, S.: Adaptive resonance theory. In: The Handbook of Brain Theory and Neural Networks, pp. 87–90. MIT Press, Cambridge (2003)

    Google Scholar 

  26. Casas, P., Mazel, J., Owezarski, P.: Unsupervised network intrusion detection systems: detecting the unknown without knowledge. Comput. Commun. 35(7), 772–783 (2012)

    Article  Google Scholar 

  27. Chan, P.K., Mahoney, M.V., Arshad, M.H.: A Machine Learning Approach to Anomaly Detection. Tech. Rep. CS-2003-06, Department of Computer Science, Florida Institute of Technology (2003)

    Google Scholar 

  28. Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: a survey. ACM Comput. Surv. 41(3), 15:1–15:58 (2009)

    Google Scholar 

  29. Chatzigiannakis, V., Androulidakis, G., Pelechrinis, K., Papavassiliou, S., Maglaris, V.: Data fusion algorithms for network anomaly detection: classification and evaluation. In: Proceedings of the 3rd International Conference on Networking and Services, pp. 50–57. IEEE CS (2007)

    Google Scholar 

  30. Chebrolu, S., Abraham, A., Thomas, J.P.: Feature deduction and ensemble design of intrusion detection systems. Comput. Secur. 24(4), 295–307 (2005)

    Article  Google Scholar 

  31. Chen, R.C., Cheng, K.F., Chen, Y.H., Hsieh, C.F.: Using rough set and support vector machine for network intrusion detection system. In: Proceedings of the 1st Asian Conference on Intelligent Information and Database Systems, pp. 465–470. IEEE Computer Society, Washington, DC (2009)

    Google Scholar 

  32. Chen, Z., Chen, C.: A closed-form expression for static worm-scanning strategies. In: Proceedings of the IEEE International Conference on Communications, pp. 1573–1577. IEEE CS, Beijing (2008)

    Google Scholar 

  33. Chhabra, P., Scott, C., Kolaczyk, E.D., Crovella, M.: Distributed spatial anomaly detection. In: Proceedings of the 27th IEEE International Conference on Computer Communications, pp. 1705–1713 (2008)

    Google Scholar 

  34. Chimphlee, W., Abdullah, A.H., Noor, M.S.M., Srinoy, S., Chimphlee, S.: Anomaly-based intrusion detection using fuzzy rough clustering. In: Proceedings of the International Conference on Hybrid Information Technology, vol. 1, pp. 329–334. IEEE Computer Society, Washington, DC (2006)

    Google Scholar 

  35. Choo, K.K.R.: the cyber threat landscape: challenges and future research directions. Comput. Secur. 30(8), 719–731 (2011)

    Google Scholar 

  36. Daniel, B., Julia, C., Sushil, J., Ningning, W.: ADAM: a testbed for exploring the use of data mining in intrusion detection. ACM SIGMOD Rec. 30(4), 15–24 (2001)

    Article  Google Scholar 

  37. Das, K., Schneider, J., Neill, D.B.: Anomaly pattern detection in categorical datasets. In: Proceedings of the 14th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 169–176. ACM (2008). doi:10.1145/1401890.1401915

  38. Davies, D.L., Bouldin, D.W.: A cluster separation measure. IEEE Trans. Pattern Anal. Mach. Intell. 1(2), 224–227 (1979)

    Article  Google Scholar 

  39. De Vivo, M., Carrasco, E., Isern, G., de Vivo, G.O.: A review of port scanning techniques. SIGCOMM Comput. Commun. Rev. 29(2), 41–48 (1999)

    Article  Google Scholar 

  40. Denning, D.E., Neumann, P.G.: Requirements and Model for IDES – A Real-time Intrusion Detection System. Tech. Rep. 83F83-01-00, Computer Science Laboratory, SRI International (1985)

    Google Scholar 

  41. Desforges, M.J., Jacob, P.J., Cooper, J.E.: Applications of probability density estimation to the detection of abnormal conditions in engineering. In: Proceedings of Institute of Mechanical Engineers, vol. 212, pp. 687–703 (1998)

    Google Scholar 

  42. Dickerson, J.E.: Fuzzy network profiling for intrusion detection. In: Proceedings of the 19th International Conference of the North American Fuzzy Information Processing Society, pp. 301–306. Atlanta (2000)

    Google Scholar 

  43. Dorigo, M., Maniezzo, V., Colorni, A.: Ant system: optimization by a colony of cooperating agents. IEEE Trans. Syst. Man Cybern. B Cybern. 26(1), 29–41 (1996)

    Article  Google Scholar 

  44. Duffield, N.G., Haffner, P., Krishnamurthy, B., Ringberg, H.: Rule-based anomaly detection on IP flows. In: Proceedings of the 28th IEEE International Conference on Computer Communications, Joint Conference of the IEEE Computer and Communications Societies, pp. 424–432. IEEE press, Rio de Janeiro (2009)

    Google Scholar 

  45. Dunn, J.C.: Well separated clusters and optimal fuzzy partitions. J. Cybern. 4(1), 95–104 (1974)

    Article  MathSciNet  MATH  Google Scholar 

  46. Edwards, G., Kang, B., Preston, P., Compton, P.: Prudent expert systems with credentials: managing the expertise of decision support systems. Int. J. Biomed. Comput. 40(2), 125–132 (1995)

    Article  Google Scholar 

  47. Ensafi, R., Park, J.C., Kapur, D., Crandall, J.R.: Idle port scanning and non-interference analysis of network protocol stacks using model checking. In: Proceedings of the 19th USENIX Security Symposium (2010)

    Google Scholar 

  48. Ertoz, L., Eilertson, E., Lazarevic, A., Tan, P., Kumar, V., Srivastava, J.: Chapter 3: MINDS – Minnesota intrusion detection system. In: Next Generation Data Mining, pp. 1–21. CRC press (2004)

    Google Scholar 

  49. Eskin, E.: Anomaly detection over noisy data using learned probability distributions. In: Proceedings of the 7th International Conference on Machine Learning, pp. 255–262. Morgan Kaufmann Publishers Inc. (2000)

    Google Scholar 

  50. Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. In: Applications of Data Mining in Computer Security. Kluwer Academic, Boston (2002)

    Book  Google Scholar 

  51. Estevez-Tapiador, J.M., Garcya-Teodoro, P., Dyaz-Verdejo, J.E.: Stochastic protocol modeling for anomaly-based network intrusion detection. In: Proceedings of the 1st International Workshop on Information Assurance, pp. 3–12. IEEE CS (2003)

    Google Scholar 

  52. Falletta, V., Ricciato, F.: Detecting scanners: empirical assessment on 3G network. Int. J. Netw. Secur. 9(2), 143–155 (2009)

    Google Scholar 

  53. Folino, G., Pizzuti, C., Spezzano, G.: An ensemble-based evolutionary framework for coping with distributed intrusion detection. Genet. Program. Evolvable Mach. 11(2), 131–146 (2010)

    Article  Google Scholar 

  54. Friedman, N., Geiger, D., Goldszmidt, M.: Bayesian network classifiers. Mach. Learn. 29(2–3), 131–163 (1997)

    Article  MATH  Google Scholar 

  55. Gaddam, S.R., Phoha, V.V., Balagani, K.S.: K-Means+ID3: a novel method for supervised anomaly detection by cascading k-means clustering and id3 decision tree learning methods. IEEE Trans. Knowl. Data Eng. 19(3), 345–354 (2007)

    Article  Google Scholar 

  56. Gadge, J., Patil, A.A.: Port scan detection. In: Proceedings of 16th IEEE International Conference on Networks, pp. 1–6. IEEE Computer Society, Habitat World, IHC, New Delhi (2008)

    Google Scholar 

  57. Gao, H.H., Yang, H.H., Wang, X.Y.: Ant colony optimization based network intrusion feature selection and detection. In: Proceedings of the International Conference on Machine Learning and Cybernetics, vol. 6, pp. 3871–3875 (2005). doi:10.1109/ICMLC.2005.1527615

    Google Scholar 

  58. Garcia-Teodoro, P., Diaz-Verdejo, J., Macia-Fernandez, G., Vazquez, E.: Anomaly-based network intrusion detection: techniques, systems and challenges. Comput. Secur. 28(1-2), 18–28 (2009)

    Article  Google Scholar 

  59. Gates, C., McNutt, J.J., Kadane, J.B., Kellner, M.: Scan detection on very large networks using logistic regression modeling. In: Proceedings of the 11th IEEE Symposium on Computers and Communications, pp. 402–408. IEEE Computer Society, Pula-Cagliari, Sardinia (2006)

    Google Scholar 

  60. Geramiraz, F., Memaripour, A.S., Abbaspour, M.: Adaptive anomaly-based intrusion detection system using fuzzy controller. Int. J. Netw. Secur. 14(6), 352–361 (2012)

    Google Scholar 

  61. Giacinto, G., Perdisci, R., Rio, M.D., Roli, F.: Intrusion detection in computer networks by a modular ensemble of one-class classifiers. Inf. Fusion 9(1), 69–82 (2008)

    Article  Google Scholar 

  62. Giacinto, G., Roli, F., Didaci, L.: Fusion of multiple classifiers for intrusion detection in computer networks. Pattern Recogn. Lett. 24(12), 1795–1803 (2003)

    Article  MATH  Google Scholar 

  63. Gogoi, P., Bhattacharyya, D.K., Borah, B., Kalita, J.K.: A survey of outlier detection methods in network anomaly identification. Comput. J. 54(4), 570–588 (2011)

    Article  Google Scholar 

  64. Gong, W., Fu, W., Cai, L.: A neural network based intrusion detection data fusion model. In: Proceedings of the 3rd International Joint Conference on Computational Science and Optimization, vol. 2, pp. 410–414. IEEE CS (2010)

    Google Scholar 

  65. Gyorgy, S.U., Gyorgy, J.S., Hui, X.: Scan detection: a data mining approach. In: Proceedings of the Sixth SIAM International Conference on Data Mining, pp. 118–129. SIAM, Sutton Place Hotel, Newport Beach (2005)

    Google Scholar 

  66. Haykin, S.: Neural Networks. Prentice Hall, New Jersey (1999)

    MATH  Google Scholar 

  67. Heberlein, T., Dias, G., Levitt, K., Mukherjee, B., Wood, J., Wolber, D.: A network security monitor. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 296–304. IEEE Computer Society, Oakland (1990)

    Google Scholar 

  68. Herrero, A., Navarro, M., Corchado, E., Julian, V.: RT-MOVICAB-IDS: addressing real-time intrusion detection. Futur. Gener. Comput. Syst. 29(1), 250–261 (2011)

    Article  Google Scholar 

  69. Hubert, L., Schultz, J.: Quadratic assignment as a general data analysis strategy. Br. J. Math. Stat. Psychol. 29(2), 190–241 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  70. Hung, S.S., Liu, D.S.M.: A user-oriented ontology-based approach for network intrusion detection. Comput. Stand. Interfaces 30(1-2), 78–88 (2008)

    Article  Google Scholar 

  71. hybrid@hotmail.com: Distributed information gathering. Phrack Mag. Article 9 9(55) (1999)

    Google Scholar 

  72. Ilgun, K., Kemmerer, R.A., Porras, P.A.: State transition analysis: a rule-based intrusion detection approach. IEEE Trans. Softw. Eng. 21(3), 181–199 (1995)

    Article  Google Scholar 

  73. Jiang, S., Song, X., Wang, H., Han, J.J., Li, Q.H.: A clustering-based method for unsupervised intrusion detections. Pattern Recogn. Lett. 27(7), 802–810 (2006)

    Article  Google Scholar 

  74. Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 211–225. IEEE Computer Society, Oakland (2004)

    Google Scholar 

  75. Kang, I., Jeong, M.K., Kong, D.: A differentiated one-class classification method with applications to intrusion detection. Expert Syst. Appl. 39(4), 3899–3905 (2012)

    Article  Google Scholar 

  76. Khan, L., Awad, M., Thuraisingham, B.: A new intrusion detection system using support vector machines and hierarchical clustering. VLDB J. 16(4), 507–521 (2007)

    Article  Google Scholar 

  77. Khan, M.S.A.: Rule based network intrusion detection using genetic algorithm. Int. J. Comput. Appl. 18(8), 26–29 (2011)

    Google Scholar 

  78. Khreich, W., Granger, E., Miri, A., Sabourin, R.: Adaptive ROC-based ensembles of HMMs applied to anomaly detection. Pattern Recogn. 45(1), 208–230 (2012)

    Article  MATH  Google Scholar 

  79. Kim, H., Kim, S., Kouritzin, M.A., Sun, W.: Detecting network portscans through anomaly detection. In: Proceedings of SPIE on Detecting Network Portscans Through Anomaly Detection, vol. 5429, pp. 254–263. SPIE, Orlando (2004)

    Google Scholar 

  80. Kohonen, T.: The self-organizing map. Proc. IEEE 78(9), 1464–1480 (1990)

    Article  Google Scholar 

  81. Kruegel, C., Mutz, D., Robertson, W., Valeur, F.: Bayesian event classification for intrusion detection. In: Proceedings of the 19th Annual Computer Security Applications Conference (2003)

    Google Scholar 

  82. Kuang, L.V.: DNIDS: a dependable network intrusion detection system using the CSI-KNN algorithm. Master’s thesis, Queen’s University Kingston, Ontario (2007)

    Google Scholar 

  83. Labib, K., Vemuri, R.: NSOM: A Tool to Detect Denial of Service Attacks Using Self-Organizing Maps. Tech. Rep., Department of Applied Science University of California, Davis (2002)

    Google Scholar 

  84. Leckie, C., Kotagiri, R.: A probabilistic approach to detecting network scans. In: Proceedings of the IEEE Network Operations and Management Symposium, pp. 359–372. IEEE Computer Society, Florence (2002)

    Google Scholar 

  85. Lee, W., Stolfo, S.J., Mok, K.W.: Adaptive intrusion detection: a data mining approach. Artif. Intell. Rev. 14(6), 533–567 (2000)

    Article  MATH  Google Scholar 

  86. Lee, W., Xiang, D.: Information-theoretic measures for anomaly detection. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 130–143. IEEE Computer Society, Washington, DC (2001)

    Google Scholar 

  87. Leung, K., Leckie, C.: Unsupervised anomaly detection in network intrusion detection using clusters. In: Proceedings of the 28th Australasian conference on Computer Science, vol. 38, pp. 333–342. Australian Computer Society, Inc., Darlinghurst (2005)

    Google Scholar 

  88. Li, Y., Luo, X., Qian, Y., Zhao, X.: Network-wide traffic anomaly detection and localization based on robust multivariate probabilistic calibration model. Math. Probl. Eng. 2015 (2015)

    Google Scholar 

  89. Liu, G., Yi, Z., Yang, S.: A hierarchical intrusion detection model based on the PCA neural networks. Neurocomputing 70(7-9), 1561–1568 (2007)

    Article  Google Scholar 

  90. Locasto, M.E., Wang, K., Keromytis, A.D., Stolfo, S.J.: FLIPS: hybrid adaptive intrusion prevention. In: Recent Advances in Intrusion Detection, pp. 82–101 (2005)

    Google Scholar 

  91. Lu, W., Ghorbani, A.A.: Network anomaly detection based on wavelet analysis. EURASIP J. Adv. Signal Process. 2009(837601) (2009)

    Google Scholar 

  92. Lu, W., Tong, H.: Detecting network anomalies using CUSUM and EM clustering. In: Proceedings of the 4th International Symposium on Advances in Computation and Intelligence, pp. 297–308. Springer (2009). doi:http://dx.doi.org/10.1007/978-3-642-04843-2_32

  93. Mabu, S., Chen, C., Lu, N., Shimada, K., Hirasawa, K.: An intrusion-detection model based on fuzzy class-association-rule mining using genetic network programming. IEEE Trans. Syst. Man Cybern. C Appl. Rev. 41(1), 130–139 (2011)

    Article  Google Scholar 

  94. Mafra, P.M., Moll, V., Fraga, J.D.S., Santin, A.O.: Octopus-IIDS: an anomaly-based intelligent intrusion detection system. In: Proceedings of the IEEE Symposium on Computers and Communications, pp. 405–410. IEEE CS (2010)

    Google Scholar 

  95. Mahoney, M.V., Chan, P.K.: PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic. Tech. Rep. cs-2001-04, Dept. of Computer Science, Florida Tech (2001)

    Google Scholar 

  96. Mahoney, M.V., Chan, P.K.: Learning rules for anomaly detection of hostile network traffic. In: Proceedings of the 3rd IEEE International Conference on Data Mining. IEEE CS, Washington (2003)

    Google Scholar 

  97. Manikopoulos, C., Papavassiliou, S.: Network intrusion and fault detection: a statistical anomaly approach. IEEE Commun. Mag. 40(10), 76–82 (2002)

    Article  Google Scholar 

  98. Markou, M., Singh, S.: Novelty detection: a review—part 1: statistical approaches. Signal Process. 83(12), 2481–2497 (2003). doi:10.1016/j.sigpro.2003.07.018

    Article  MATH  Google Scholar 

  99. Mateti, P.: Lecture Notes on Internet Security. Wright State University, Dayton, US (2010)

    Google Scholar 

  100. Mishra, B.K., Ansari, G.M.: Differential epidemic model of virus and worms in computer network. Int. J. Netw. Secur. 14(3), 149–155 (2012)

    Google Scholar 

  101. Mohajerani, M., Moeini, A., Kianie, M.: NFIDS: a neuro-fuzzy intrusion detection system. In: Proceedings of the 10th IEEE International Conference on Electronics, Circuits and Systems, vol. 1, pp. 348–351 (2003)

    Google Scholar 

  102. Muda, Z., Yassin, W., Sulaiman, M.N., Udzir, N.I.: A K-means and Naive-bayes learning approach for better intrusion detection. Inf. Technol. J. 10(3), 648–655 (2011)

    Article  Google Scholar 

  103. Naldurg, P., Sen, K., Thati, P.: A temporal logic based framework for intrusion detection. In: Proceedings of the 24th IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems, pp. 359–376 (2004)

    Google Scholar 

  104. Neumann, B.: Knowledge management and assistance systems. http://kogs-www.informatik.uni-hamburg.de/~neumann/ (2007)

  105. Nguyen, H.H., Harbi, N., Darmont, J.: An efficient local region and clustering-based ensemble system for intrusion detection. In: Proceedings of the 15th Symposium on International Database Engineering & Applications, pp. 185–191. ACM (2011)

    Google Scholar 

  106. Noel, S., Wijesekera, D., Youman, C.: Modern intrusion detection, data mining, and degrees of attack guilt. In: Proceedings of the International Conference on Applications of Data Mining in Computer Security. Springer (2002)

    Book  Google Scholar 

  107. Noto, K., Brodley, C., Slonim, D.: Anomaly detection using an ensemble of feature models. In: Proceedings of the IEEE International Conference on Data Mining, pp. 953–958. IEEE CS (2010)

    Google Scholar 

  108. Otey, M.E., Ghoting, A., Parthasarathy, S.: Fast distributed outlier detection in mixed-attribute data sets. Data Min. Knowl. Disc. 12(2-3), 203–228 (2006)

    Article  MathSciNet  Google Scholar 

  109. Panda, M., Abraham, A., Patra, M.R.: Hybrid intelligent systems for detecting network intrusions. Secur. Commun. Netw. 8(16), 2741–2749 (2015). http://dx.doi.org/10.1002/sec.592

    Article  Google Scholar 

  110. Parikh, D., Chen, T.: Data fusion and cost minimization for intrusion detection. IEEE Trans. Inf. Forensics Secur. 3(3), 381–389 (2008)

    Article  Google Scholar 

  111. Parlos, A., Chong, K., Atiya, A.: Application of the recurrent multilayer perceptron in modeling complex process dynamics. IEEE Trans. Neural Netw. 5(2), 255–266 (1994)

    Article  Google Scholar 

  112. Patcha, A., Park, J.M.: An overview of anomaly detection techniques: existing solutions and latest technological trends. Comput. Netw. 51(12), 3448–3470 (2007)

    Article  Google Scholar 

  113. Pawlak, Z.: Rough sets. Int. J. Parallel Prog. 11(5), 341–356 (1982)

    MATH  Google Scholar 

  114. Paxson, V.: Bro: a system for detecting network intruders in real-time. In: Proceedings of the the 7th USENIX Security Symposium, pp. 2435–2463. Usenix Association, San Antonio (1998)

    Google Scholar 

  115. Peddabachigari, S., Abraham, A., Grosan, C., Thomas, J.: Modeling intrusion detection system using hybrid intelligent systems. J. Netw. Comput. Appl. 30(1), 114–132 (2007)

    Article  Google Scholar 

  116. Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., Lee, W.: McPAD: a multiple classifier system for accurate payload-based anomaly detection. Comput. Netw. 53(6), 864–881 (2009)

    Article  MATH  Google Scholar 

  117. Perdisci, R., Gu, G., Lee, W.: Using an ensemble of one-class SVM classifiers to harden payload-based anomaly detection systems. In: Proceedings of the 6th International Conference on Data Mining, pp. 488–498. IEEE CS (2006)

    Google Scholar 

  118. Polikar, R.: Ensemble based systems in decision making. IEEE Circuits Syst. Mag. 6(3), 21–45 (2006)

    Article  Google Scholar 

  119. Portnoy, L., Eskin, E., Stolfo, S.: Intrusion detection with unlabeled data using clustering. In: Proceedings of the ACM CSS Workshop on on Data Mining Applied to Security, pp. 5–8. Philadelphia (2001)

    Google Scholar 

  120. Prayote, A.: Knowledge based anomaly detection. Ph.D. thesis, School of Computer Science and Egineering, The University of New South Wales, Australia (2007)

    Google Scholar 

  121. Prayote, A., Compton, P.: Detecting Anomalies and Intruders. Adv. Artif. Intell. AI 2006 1084–1088 (2006)

    Google Scholar 

  122. Qadeer, M.A., Iqbal, A., Zahid, M., Siddiqui, M.R.: Network traffic analysis and intrusion detection using packet sniffer. In: Proceedings of the 2nd International Conference on Communication Software and Networks, pp. 313–317. IEEE Computer Society, Washington, DC (2010)

    Google Scholar 

  123. Quinlan, J.R.: Induction of decision trees. Mach. Learn. 1(1), 81–106 (1986)

    Google Scholar 

  124. Rehak, M., Pechoucek, M., Celeda, P., Novotny, J., Minarik, P.: CAMNEP: agent-based network intrusion detection system. In: Proceedings of the 7th International Joint Conference on Autonomous Agents and Multiagent Systems: Industrial Track, pp. 133–136. IFAAMS, Richland (2008)

    Google Scholar 

  125. Roesch, M.: Snort – lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration, pp. 229–238. Usenix Association, Seattle (1999)

    Google Scholar 

  126. Rokach, L.: Ensemble-based classifiers. Artif. Intell. Rev. 33(1–2), 1–39 (2010)

    Article  Google Scholar 

  127. Romig, S.: The OSU flow-tools package and CISCO NetFlow logs. In: Proceedings of the 14th USENIX conference on System Administration, pp. 291–304. USENIX Association, Berklay (2000)

    Google Scholar 

  128. Rousseeuw, P.J.: Silhouettes: a graphical aid to the interpretation and validation of cluster analysis. J. Comput. Appl. Math. 20(1), 53–65 (1987)

    Article  MATH  Google Scholar 

  129. SchAolkopf, B., Platt, J.C., Shawe-Taylor, J.C., Smola, A.J., Williamson, R.C.: Estimating the support of a high-dimensional distribution. Neural Comput. 13(7), 1443–1471 (2001)

    Article  MATH  Google Scholar 

  130. Schapire, R.E.: A brief introduction to boosting. In: Proceedings of the 16th International Joint Conference on Artificial Intelligence, pp. 1401–1406. Morgan Kaufmann (1999)

    Google Scholar 

  131. Scheirer, W., Chuah, M.C.: Syntax vs. semantics: competing approaches to dynamic network intrusion detection. Int. J. Secur. Netw. 3(1), 24–35 (2008)

    Google Scholar 

  132. Schneier, B.: Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd edn. Wiley, New York (1995)

    MATH  Google Scholar 

  133. Sekar, R., Gupta, A., Frullo, J., Shanbhag, T., Tiwari, A., Yang, H., et al.: Specification-based anomaly detection: a new approach for detecting network intrusions. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 265–274 (2002)

    Google Scholar 

  134. Selim, S., Hashem, M., Nazmy, T.M.: Hybrid multi-level intrusion detection system. Int. J. Comput. Sci. Inf. Secur. 9(5), 23–29 (2011)

    Google Scholar 

  135. Sequeira, K., Zaki, M.: ADMIT: anomaly-based data mining for intrusions. In: Proceedings of the Eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 386–395. ACM, New York (2002)

    Google Scholar 

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K. (2017). Network Traffic Anomaly Detection Techniques and Systems. In: Network Traffic Anomaly Detection and Prevention. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-65188-0_4

  • DOI: https://doi.org/10.1007/978-3-319-65188-0_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-65186-6

  • Online ISBN: 978-3-319-65188-0
