
A robust anomaly detection method using a constant false alarm rate approach

Multimedia Tools and Applications

Abstract

With the rapid growth of information and communication technologies, the number of security threats in computer networks is increasing substantially, so more proactive security warning measures are required. In this work, we propose a new anomaly detection method that decomposes TCP traffic into control and data planes, which exhibit similar behavior in the absence of attacks. The method exploits the statistics of the cross-correlation function of the traffic of the two planes together with a constant false alarm rate (CFAR) scheme to detect anomalies in the underlying network traffic. Both fixed and adaptive thresholding schemes are implemented. The adaptive threshold is set up by adjusting its value according to the local statistics of the cross-correlation function of the two planes' traffic. We evaluate the performance of the proposed method on real traffic captured from a deployed network and on traffic obtained from other publicly available datasets, focusing on TCP traffic with three different aggregated count features: packet count, IP address count, and port count sequences. Both the fixed and adaptive thresholding schemes perform well and detect the presence of a distributed denial-of-service attack efficiently, but the adaptive thresholding scheme is more reliable because it detects anomalies as they start.
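The pipeline the abstract describes, as an added example that is not the paper's code: constructed TCP packet records are split into control and data planes by an assumed rule (a packet with no payload is control plane), the zero-lag correlation coefficient of the two per-second packet-count series is computed over a sliding window, and the statistic 1 - r is thresholded both with a fixed threshold and with a causal cell-averaging CFAR threshold. The statistic, the CA-CFAR variant, the window, guard and reference sizes, and the false-alarm rate are assumptions; the paper's exact cross-correlation statistic and threshold rule are not given on this page, and only the packet-count feature is exercised. The traffic is synthetic and labelled as such in the code.

```python
"""Added example (not the paper's code): decompose TCP packets into control
and data planes, compute a windowed cross-correlation statistic of the two
per-second counts, and threshold it with fixed and adaptive (CA-CFAR) rules.
Assumptions, since the abstract does not fix these details: a packet with no
payload (SYN, SYN/ACK, pure ACK, FIN, RST) is control plane and one carrying
payload is data plane; the decision statistic is 1 - r with r the zero-lag
correlation coefficient over a sliding window; the adaptive scheme is
cell-averaging CFAR with a causal reference window. All traffic is synthetic."""
import math
import random


def decompose(packets, n_bins):
    """packets: iterable of (second, payload_len). Returns per-second
    (control_counts, data_counts), each of length n_bins."""
    control, data = [0] * n_bins, [0] * n_bins
    for sec, payload_len in packets:
        if 0 <= sec < n_bins:
            if payload_len == 0:
                control[sec] += 1
            else:
                data[sec] += 1
    return control, data


def pearson(x, y):
    """Zero-lag correlation coefficient of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def dissimilarity(control, data, win):
    """s[k] = 1 - r over the window ending at bin k; None before bin win-1.
    Near 0 while the planes track each other, near 1 when they decouple."""
    s = [None] * len(control)
    for k in range(win - 1, len(control)):
        s[k] = 1.0 - pearson(control[k - win + 1:k + 1], data[k - win + 1:k + 1])
    return s


def ca_cfar_scale(n_ref, pfa):
    """Textbook CA-CFAR multiplier for n_ref reference cells and false-alarm
    probability pfa (derived for exponential clutter; used here as a tuning rule)."""
    return n_ref * (pfa ** (-1.0 / n_ref) - 1.0)


def cfar_adaptive(s, n_ref=32, guard=2, pfa=1e-3):
    """Causal cell-averaging CFAR: threshold = scale * mean of the n_ref most
    recent non-alarmed cells, skipping `guard` cells next to the cell under
    test. Flagged cells are kept out of the reference so a persistent attack
    cannot raise its own threshold. Returns the alarmed bin indices."""
    alpha = ca_cfar_scale(n_ref, pfa)
    clean, alarms = [], []
    for k, v in enumerate(s):
        if v is None:
            continue
        if len(clean) >= n_ref + guard:
            ref = clean[len(clean) - n_ref - guard:len(clean) - guard]
            if v > alpha * sum(ref) / len(ref):
                alarms.append(k)
                continue
        clean.append(v)
    return alarms


def cfar_fixed(s, calib_end, pfa=1e-3):
    """Fixed threshold from an attack-free calibration prefix: the large-n_ref
    limit of the CA-CFAR factor, -ln(pfa), times the calibration mean."""
    calib = [v for v in s[:calib_end] if v is not None]
    thr = -math.log(pfa) * sum(calib) / len(calib)
    return [k for k, v in enumerate(s) if v is not None and v > thr], thr


def synthetic_counts(n_bins=600, attack=(400, 480), seed=7):
    """Constructed traffic: data-plane packets/s with slow drift and noise,
    control plane tracking it at ~0.6 packets per data packet; a SYN flood
    adds control-plane packets only during the attack interval."""
    rng = random.Random(seed)
    control, data = [], []
    for k in range(n_bins):
        d = 220 + int(20 * math.sin(k / 50)) + rng.randint(-30, 30)
        c = round(0.6 * d) + rng.randint(-5, 5)
        if attack[0] <= k < attack[1]:
            c += 2500 + rng.randint(-500, 500)
        data.append(d)
        control.append(c)
    return control, data


def run(win=60):
    control, data = synthetic_counts()
    s = dissimilarity(control, data, win)
    fixed, thr = cfar_fixed(s, calib_end=360)
    return {"adaptive": cfar_adaptive(s), "fixed": fixed, "fixed_threshold": thr}


if __name__ == "__main__":
    out = run()
    print("fixed threshold %.3f; first alarms: fixed %d, adaptive %d"
          % (out["fixed_threshold"], out["fixed"][0], out["adaptive"][0]))
```

Run as a script it prints the fixed threshold and the first alarm of each scheme; on the constructed trace both fire at bin 400, the first second of the flood, because a single second of uncorrelated control-plane packets already collapses the windowed correlation. Two points on the CFAR side are worth keeping: the reference window is causal (past cells only), so the detector works online, and alarmed cells are excluded from the reference, since otherwise an attack lasting longer than the reference window would raise the adaptive threshold and mask itself.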




Acknowledgements

We extend our appreciation to the Research Center at the College of Engineering, King Saud University for funding this work.

Corresponding author

Correspondence to Diab M. Diab.


Cite this article

AsSadhan, B., AlShaalan, R., Diab, D.M. et al. A robust anomaly detection method using a constant false alarm rate approach. Multimed Tools Appl 79, 12727–12750 (2020). https://doi.org/10.1007/s11042-020-08653-8
