A holistic review of Network Anomaly Detection Systems: A comprehensive survey

Moustafa, Nour; Hu, Jiankun; Slay, Jill

doi:10.1016/j.jnca.2018.12.006

Cited by 234 publications

(127 citation statements)

References 64 publications

Supporting

Mentioning

126

Contrasting

Order By: Relevance

“…As a part of future work, it will be interesting to employ different intrusion detection datasets, subsequently gauge the performance of various classifiers. Experts have always urged the research community to experiment with different datasets and introduce novel techniques for network intrusion detection [33,34]. Another avenue which can be explored in future can possibly include the deployment of predictive models as scalable web services thereby leveraging the capabilities of MAMLS.…”

Section: Conclusion and Prospectsmentioning

confidence: 99%

Performance analysis of binary and multiclass models using azure machine learning

Rajagopal

Hareesha

Kundapur

2020

IJECE

View full text Add to dashboard Cite

Network data is expanding and that too at an alarming rate. Besides, the sophisticated attack tools used by hackers lead to capricious cyber threat landscape. Traditional models proposed in the field of network intrusion detection using machine learning algorithms emphasize more on improving attack detection rate and reducing false alarms but time efficiency is often overlooked. Therefore, in order to address this limitation, a modern solution has been presented using Machine Learning-as-a-Service platform. The proposed work analyses the performance of eight two-class and three multiclass algorithms using UNSW NB-15, a modern intrusion detection dataset. 82,332 testing samples were considered to evaluate the performance of algorithms. The proposed two class decision forest model exhibited 99.2% accuracy and took 6 seconds to learn 1,75,341 network instances. Multiclass classification task was also undertaken wherein attack types like generic, exploits, shellcode and worms were classified with a recall percentage of 99%, 94.49%, 91.79% and 90.9% respectively by the multiclass decision forest model that also leapfrogged others in terms of training and execution time.

show abstract

Section: Conclusion and Prospectsmentioning

confidence: 99%

Performance analysis of binary and multiclass models using azure machine learning

Rajagopal

Hareesha

Kundapur

2020

IJECE

View full text Add to dashboard Cite

show abstract

“…In the distributed deployment architecture, the NIDS is placed on each network node where nodes monitor each other's network transactions. The hybrid deployment employs both centralized and distributed architectures to leverage the benefits and reduce the shortcomings of the deployment strategies [4].…”

Section: Intrusion Detection System (Ids)mentioning

confidence: 99%

“…A botnet comprises a large number of hijacked nodes or systems in a network that are controlled by malicious users remotely. These nodes or systems are used to execute several types of attacks [4]. A botnet attack is usually characterized by three features, which are similarity of attack sources, divergence between normal and attack network traffic flow, and automation of attack execution [5].…”

Section: Introductionmentioning

confidence: 99%

An Anomaly Mitigation Framework for IoT Using Fog Computing

2020

View full text Add to dashboard Cite

The advancement in IoT has prompted its application in areas such as smart homes, smart cities, etc., and this has aided its exponential growth. However, alongside this development, IoT networks are experiencing a rise in security challenges such as botnet attacks, which often appear as network anomalies. Similarly, providing security solutions has been challenging due to the low resources that characterize the devices in IoT networks. To overcome these challenges, the fog computing paradigm has provided an enabling environment that offers additional resources for deploying security solutions such as anomaly mitigation schemes. In this paper, we propose a hybrid anomaly mitigation framework for IoT using fog computing to ensure faster and accurate anomaly detection. The framework employs signature- and anomaly-based detection methodologies for its two modules, respectively. The signature-based module utilizes a database of attack sources (blacklisted IP addresses) to ensure faster detection when attacks are executed from the blacklisted IP address, while the anomaly-based module uses an extreme gradient boosting algorithm for accurate classification of network traffic flow into normal or abnormal. We evaluated the performance of both modules using an IoT-based dataset in terms response time for the signature-based module and accuracy in binary and multiclass classification for the anomaly-based module. The results show that the signature-based module achieves a fast attack detection of at least six times faster than the anomaly-based module in each number of instances evaluated. The anomaly-based module using the XGBoost classifier detects attacks with an accuracy of 99% and at least 97% for average recall, average precision, and average F1 score for binary and multiclass classification. Additionally, it recorded 0.05 in terms of false-positive rates.

show abstract

“…The flows in experiments were generated from the packet capture -.PCAP file‖, using the -Argus tool‖ [23]. One of the reasons of using the Argus is the option to generate bidirectional flows.…”

Section: A Netflowsmentioning

confidence: 99%

A Novel Network user Behaviors and Profile Testing based on Anomaly Detection Techniques

Tahir

Xiao

et al. 2019

IJACSA

View full text Add to dashboard Cite

The proliferation of smart devices and computer networks has led to a huge rise in internet traffic and network attacks that necessitate efficient network traffic monitoring. There have been many attempts to address these issues; however, agile detecting solutions are needed. This research work deals with the problem of malware infections or detection is one of the most challenging tasks in modern computer security. In recent years, anomaly detection has been the first detection approach followed by results from other classifiers. Anomaly detection methods are typically designed to new model normal user behaviors and then seek for deviations from this model. However, anomaly detection techniques may suffer from a variety of problems, including missing validations for verification and a large number of false positives. This work proposes and describes a new profile-based method for identifying anomalous changes in network user behaviors. Profiles describe user behaviors from different perspectives using different flags. Each profile is composed of information about what the user has done over a period of time. The symptoms extracted in the profile cover a wide range of user actions and try to analyze different actions. Compared to other symptom anomaly detectors, the profiles offer a higher level of user experience. It is assumed that it is possible to look for anomalies using high-level symptoms while producing less false positives while effectively finding real attacks. Also, the problem of obtaining truly tagged data for training anomaly detection algorithms has been addressed in this work. It has been designed and created datasets that contain real normal user actions while the user is infected with real malware. These datasets were used to train and evaluate anomaly detection algorithms. Among the investigated algorithms for example, local outlier factor (LOF) and one class support vector machine (SVM). The results show that the proposed anomaly-based and profile-based algorithm causes very few false positives and relatively high true positive detection. The two main contributions of this work are a new approaches based on network anomaly detection and datasets containing a combination of genuine malware and actual user traffic. Finally, the future directions will focus on applying the proposed approaches for protecting the internet of things (IOT) devices.

show abstract

A holistic review of Network Anomaly Detection Systems: A comprehensive survey

Cited by 234 publications

References 64 publications

Performance analysis of binary and multiclass models using azure machine learning

Performance analysis of binary and multiclass models using azure machine learning

An Anomaly Mitigation Framework for IoT Using Fog Computing

A Novel Network user Behaviors and Profile Testing based on Anomaly Detection Techniques

Contact Info

Product

Resources

About