Anomalous Network Packet Detection Using Data Stream Mining

Miller, Zachary; Deitrick, William; Hu, Wei

doi:10.4236/jis.2011.24016

Cited by 12 publications

(7 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For all days except for Thursday, the StreamPreDeCon clustering algorithm achieved the highest detection rates with the least false positive rates for the Shell-code attacks averaging 94 percent with the Because the CLET attacks are meant to fool the anomaly-based IDS through polymorphic techniques, these attacks cause the lowest acceptable detection rates. Despite the slightly poor detection of CLET attacks, the StreamPreDeCon IDS on average had mostly higher sensitivity values with substantially lower false positive rates than the results of [10].…”

Section:   mentioning

confidence: 80%

“…Tested on a dataset comprised of normal packets from the first week of the DARPA '99 intrusion detection evaluation dataset and various types of malicious traffic from [1], the IDS based on StreamPreDeCon out-performed previous stream-based IDS [10] using the same dataset in all days except for one day. For these days, the anomalous packet detection of the StreamPreDeCon IDS improved the sensitivity rate of the DenStream based IDS from 30% -90% to 60% -94% and reduced the false positive rates from a high of 20% to between 1% and 10%.…”

Section: Discussionmentioning

confidence: 99%

“…In 2011 we created two anomaly-based IDSs based on stream mining algorithms, and tested the IDSs on network packets represented by 2-gram features [10]. The first IDS used a modification of the density-based stream clustering algorithm DenStream [11].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Data Stream Subspace Clustering for Anomalous Network Packet Detection

Miller¹,

Hu²

2012

JIS

Self Cite

View full text Add to dashboard Cite

As the Internet offers increased connectivity between human beings, it has fallen prey to malicious users who exploit its resources to gain illegal access to critical information. In an effort to protect computer networks from external attacks, two common types of Intrusion Detection Systems (IDSs) are often deployed. The first type is signature-based IDSs which can detect intrusions efficiently by scanning network packets and comparing them with human-generated signatures describing previously-observed attacks. The second type is anomaly-based IDSs able to detect new attacks through modeling normal network traffic without the need for a human expert. Despite this advantage, anomaly-based IDSs are limited by a high false-alarm rate and difficulty detecting network attacks attempting to blend in with normal traffic. In this study, we propose a StreamPreDeCon anomaly-based IDS. StreamPreDeCon is an extension of the preference subspace clustering algorithm PreDeCon designed to resolve some of the challenges associated with anomalous packet detection. Using network packets extracted from the first week of the DARPA '99 intrusion detection evaluation dataset combined with Generic Http, Shellcode and CLET attacks, our IDS achieved 94.4% sensitivity and 0.726% false positives in a best case scenario. To measure the overall effectiveness of the IDS, the average sensitivity and false positive rates were calculated for both the maximum sensitivity and the minimum false positive rate. With the maximum sensitivity, the IDS had 80% sensitivity and 9% false positives on average. The IDS also averaged 63% sensitivity with a 0.4% false positive rate when the minimal number of false positives is needed. These rates are an improvement on results found in a previous study as the sensitivity rate in general increased while the false positive rate decreased

show abstract

Section:   mentioning

confidence: 80%

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Data Stream Subspace Clustering for Anomalous Network Packet Detection

Miller¹,

Hu²

2012

JIS

Self Cite

View full text Add to dashboard Cite

show abstract

“…The first process was traffic features selection, which selects proper features for system input. In the second process, we construct a homogeneous group by adopting the micro-clustering approach in Denstream [12]. The stream traffic was grouped according to the minimal distance to existing group profile and processed further when the group size is adequate for group-based classification input.…”

Section: B Research Designmentioning

confidence: 99%

“…Aggregate traffic features are commonly proposed to detect traffic anomaly, such as [6,7,8,9]. By the used of machine learning such as clustering method, the system can determine clusters of traffic such in [10,11,12], but the output has no concern about the types of an anomaly of the formed groups. The classification has better used in security system such in [13,14,15], a system can single out the specific anomalous packet or connection and determine the known types of anomaly.…”

Section: Introductionmentioning

confidence: 99%

Minimal Triangle Area Mahalanobis Distance for Stream Homogeneous Group-based DDoS Classification

Purwanto¹,

Kuspriyanto²,

Hendrawan³

et al. 2018

IJEEI

View full text Add to dashboard Cite

An Intrusion Detection System (IDS) which implement a group-based classification algorithm, theoretically has the benefit of higher accuracy. Unfortunately, higher accuracy only achieved if the observed group is homogeneous from a certain distribution. Recently, a distributed denial of service (DDoS) attack consists of multiple botnets which produce multi types of traffic in one attack session. It makes the IDS suffers from decreasing accuracy as the increasing heterogeneity within the observed group. To address the problem, we propose homogeneous grouping algorithm based on triangle area Mahalanobis distance to support IDS which implement group-based data analysis. First, the Mahalanobis distance measurement was used to construct homogeneous groups. Then, the covariance matrix of each homogeneous group was classified using a decision tree classifier. Classification performance was evaluated using known KDDCup 99 dataset. The results pointed out that the used of homogeneous grouping algorithm improve the classification performance for natural and mixed random DDoS traffic.

show abstract

Anomalous Network Packet Detection: A Review of Attacks, Datasets and Techniques

Kohli,

Chhabra

2024

Proceedings of the NIELIT's International Conference on Communication, Electronics and Digital Technology

View full text Add to dashboard Cite

Anomalous Network Packet Detection Using Data Stream Mining

Cited by 12 publications

References 4 publications

Data Stream Subspace Clustering for Anomalous Network Packet Detection

Data Stream Subspace Clustering for Anomalous Network Packet Detection

Minimal Triangle Area Mahalanobis Distance for Stream Homogeneous Group-based DDoS Classification

Anomalous Network Packet Detection: A Review of Attacks, Datasets and Techniques

Contact Info

Product

Resources

About