Abstract
With the rapid growth of information and communication technologies, the number of security threats in computer networks is increasing substantially; thus, more proactive security warning measures are required. In this work, we propose a new anomaly detection method that operates by decomposing TCP traffic into control and data planes, which exhibit similar behaviors in the absence of attacks. The proposed method exploits the statistics of the cross-correlation function of the two planes' traffic and the constant false alarm rate (CFAR) scheme to detect anomalies in the underlying network traffic. Both fixed and adaptive thresholding schemes are implemented. The adaptive thresholding scheme is set up by adjusting the threshold value in accordance with the local statistics of the cross-correlation function of the two planes' traffic. We evaluate the performance of the proposed method by analyzing real traffic captured from a deployed network and traffic obtained from other publicly available datasets; we focus on TCP traffic with three different aggregated count features: packet count, IP address count, and port count sequences. Although both the fixed and adaptive thresholding schemes perform well and efficiently detect the presence of a distributed denial-of-service attack, the adaptive thresholding scheme is more reliable because it detects anomalies as they start.
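The following is an added illustration of the detection pipeline the abstract describes, not code from the paper or its authors: per-second control-plane and data-plane packet counts are cross-correlated over a trailing window, and the correlation sequence is tested against a fixed threshold and against an adaptive, CFAR-style threshold derived from the local statistics of preceding reference cells. The traffic is constructed inline (a benign period followed by a flood of control-plane packets that no data-plane traffic answers), and the window length, reference/guard cell counts, k-sigma margin and the particular cell-averaging rule are assumptions for this example rather than the paper's settings.

```python
import math
import statistics

W = 8                      # sliding window (seconds) for the cross-correlation
N, G = 16, 2               # CFAR reference cells and guard cells (trailing, so it runs online)
K, SIGMA_MIN = 3.0, 0.02   # k-sigma margin; the floor keeps steady traffic from alarming on jitter
T_FIXED = 0.8              # fixed threshold on the correlation coefficient
ATTACK = range(40, 50)     # constructed flood interval (seconds)

def constructed_traffic(seconds=70):
    """Constructed per-second counts: control plane (SYN/ACK/FIN/RST-only packets) and
    data plane (payload packets). Benign data tracks control; the flood adds unanswered control."""
    base, wobble = [18, 25, 30, 20, 27], [2, -1, -2]
    control = [base[t % 5] for t in range(seconds)]
    data = [3 * base[t % 5] + wobble[t % 3] for t in range(seconds)]
    for t in ATTACK:
        control[t] = 500 + 100 * (t - ATTACK.start)   # ramping SYN flood, no data-plane response
    return control, data

def pearson(x, y):
    """Lag-0 normalised cross-correlation; 0.0 when a window has no variance."""
    mx, my = statistics.fmean(x), statistics.fmean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx, syy = sum((a - mx) ** 2 for a in x), sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def plane_correlation(control, data):
    """Correlation of the two planes over a trailing window; None until the window fills."""
    return [None if t < W - 1 else pearson(control[t - W + 1:t + 1], data[t - W + 1:t + 1])
            for t in range(len(control))]

def cfar_threshold(rho, t):
    """Adaptive threshold from the N reference cells that precede G guard cells (assumed rule)."""
    ref = rho[t - G - N:t - G] if t - G - N >= 0 else []
    if len(ref) < N or None in ref:
        return None
    return statistics.fmean(ref) - K * max(statistics.pstdev(ref), SIGMA_MIN)

def detect(control, data):
    """Seconds where the planes stop co-varying, under the fixed and the adaptive scheme."""
    rho = plane_correlation(control, data)
    fixed = [t for t, r in enumerate(rho) if r is not None and r < T_FIXED]
    adaptive = [t for t, r in enumerate(rho)
                if r is not None and (thr := cfar_threshold(rho, t)) is not None and r < thr]
    return fixed, adaptive

if __name__ == "__main__":
    fixed, adaptive = detect(*constructed_traffic())
    print("fixed-threshold alarms:", fixed, "adaptive (CFAR) alarms:", adaptive)
```

On the constructed traffic both schemes raise their first alarm at second 40, the first flood second, because the control-plane surge has no data-plane counterpart and the windowed correlation collapses.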
Acknowledgements
We extend our appreciation to the Research Center at the College of Engineering, King Saud University for funding this work.
Cite this article
AsSadhan, B., AlShaalan, R., Diab, D.M. et al. A robust anomaly detection method using a constant false alarm rate approach. Multimed Tools Appl 79, 12727–12750 (2020). https://doi.org/10.1007/s11042-020-08653-8