A Labeled Data Set for Flow-Based Intrusion Detection

Sperotto, Anna; Sadre, Ramin; Vliet, Frank van; Pras, Aiko

doi:10.1007/978-3-642-04968-2_4

Cited by 114 publications

(85 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Unfortunately, as this dataset has appeared recentlym, we had no chance to use it in our studies. Interesting flow-based traffic dataset has been recently made publicly available by Sperotto et al [115]. This set is based on data collected from a real honeypot (monitored trap) featuring HTTP, SSH and FTP services.…”

Section: Origin Of the Ideamentioning

confidence: 99%

An Entropy-Based Network Anomaly Detection Method

Bereziński

Jasiul

Szpyrka

2015

Entropy

157

View full text Add to dashboard Cite

Data mining is an interdisciplinary subfield of computer science involving methods at the intersection of artificial intelligence, machine learning and statistics. One of the data mining tasks is anomaly detection which is the analysis of large quantities of data to identify items, events or observations which do not conform to an expected pattern. Anomaly detection is applicable in a variety of domains, e.g., fraud detection, fault detection, system health monitoring but this article focuses on application of anomaly detection in the field of network intrusion detection.The main goal of the article is to prove that an entropy-based approach is suitable to detect modern botnet-like malware based on anomalous patterns in network. This aim is achieved by realization of the following points: (i) preparation of a concept of original entropy-based network anomaly detection method, (ii) implementation of the method, (iii) preparation of original dataset, (iv) evaluation of the method.

show abstract

Section: Origin Of the Ideamentioning

confidence: 99%

An Entropy-Based Network Anomaly Detection Method

Bereziński

Jasiul

Szpyrka

2015

Entropy

157

View full text Add to dashboard Cite

show abstract

“…Although the attack is very common, it is still potentially dangerous. Our studies [4] showed that newly set up vulnerable hosts can be compromised within few days and be used as platform for the same attacks. We also showed that SSH attacks are visible at flow level as peaks in the SSH flow time series [20].…”

Section: Related Workmentioning

confidence: 82%

“…In most cases, a ground truth is missing. Attack-labeled flow data sets are rare and their creation is a lengthy and time consuming process [4]. To overcome this problem, approaches based on the superposition of real non-malicious traffic with synthetic attack traffic have been introduced [5,6].…”

Section: Introductionmentioning

confidence: 99%

Hidden Markov Model Modeling of SSH Brute-Force Attacks

Sperotto

Sadre

Boer

et al. 2009

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Nowadays, network load is constantly increasing and high-speed infrastructures (1-10Gbps) are becoming increasingly common. In this context, flow-based intrusion detection has recently become a promising security mechanism. However, since flows do not provide any information on the content of a communication, it also became more difficult to establish a ground truth for flowbased techniques benchmarking. A possible approach to overcome this problem is the usage of synthetic traffic traces where the generation of malicious traffic is driven by models. In this paper, we propose a flow time series model of SSH brute-force attacks based on Hidden Markov Models. Our results show that the model successfully emulates an attacker behavior, generating meaningful flow time series.

show abstract

“…The first one is the KDD Cup 99 dataset [4], and the other one is a data set taken from [5,6], which is the `University of Twente in September 2008' dataset.…”

Section: Resultsmentioning

confidence: 99%

K-Nearest-Neighbours with a novel similarity measure for intrusion detection

Kabán

2013

2013 13th UK Workshop on Computational Intelligence (UKCI)

View full text Add to dashboard Cite

Abstract-K-Nearest-Neighbours is one of the simplest yet effective classification methods. The core computation behind it is to calculate the distance from a query point to all of its neighbours and to choose the closest one. The Euclidean distance is the most frequent choice, although other distances are sometimes required. This paper explores a simple yet effective similarity definition within Nearest Neighbours for intrusion detection applications. This novel similarity rule is fast to compute and achieves a very satisfactory performance on the intrusion detection benchmark data sets tested.

show abstract

A Labeled Data Set for Flow-Based Intrusion Detection

Cited by 114 publications

References 13 publications

An Entropy-Based Network Anomaly Detection Method

An Entropy-Based Network Anomaly Detection Method

Hidden Markov Model Modeling of SSH Brute-Force Attacks

K-Nearest-Neighbours with a novel similarity measure for intrusion detection

Contact Info

Product

Resources

About