Anomaly-Based Intrusion Detection From Network Flow Features Using Variational Autoencoder

Zavrak, Sultan; İskefiyeli, Murat

doi:10.1109/access.2020.3001350

Cited by 209 publications

(86 citation statements)

References 56 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In ROC the sensitivity (true positive) starts from 0,0 to 1.0 (if sensitivity = 1.0 thin true positive = 99.8% and false-positive = 0.2%). Figure 8 describes ROC [39]- [40]- [42]- [43]- [44].…”

Section: Evaluation Metricsmentioning

confidence: 99%

SBI Model for the Detection of Advanced Persistent Threat Based on Strange Behavior of Using Credential Dumping Technique

Mohamed

Belaton

2021

IEEE Access

View full text Add to dashboard Cite

This study investigated the shift from the manual approach of processing data to the digitized method making organizational data prone to attack by cybercriminals. The latest threat Advanced Persistent Threats (APT) was originated by the United States Air Force in 2006 by Colonel Greg Rattray. APT is constantly ravaging industries and governments, which causes severe damages including data loss, espionage, sabotage, leak, or forceful pay of ransom money to the attackers. This study introduces a new model built on Adversarial Tactics Techniques and Common Knowledge (ATT&CK) matrix for detecting APT attack. This is to identify the APT on the first potential victim when the attackers use credential dumping technique. Strange Behavior Inspection Model incorporating several models investigates and monitors APT behavioral features in the CPU, RAM, windows registry, and file systems proposed to detect APT Attack at the first potential victim machine. The Strange Behavior Inspection (SBI) Model proposed in this paper is designed to detect the attack before being developed to more advanced phases. The results of this study are presented at four levels:1-random access memory, 2-central processing unit, 3-windows registry, and 4-file systems. This study proposes a unique model as evidence to detect APT attacks before any other techniques are used. The proposed model reduces the detection time from nine-months to 2.7 minutes.

show abstract

Section: Evaluation Metricsmentioning

confidence: 99%

SBI Model for the Detection of Advanced Persistent Threat Based on Strange Behavior of Using Credential Dumping Technique

Mohamed

Belaton

2021

IEEE Access

View full text Add to dashboard Cite

show abstract

“…The accuracy achieved is 97.66% with false alarm rate of 0.62%. Authors employed unsupervised deep learning methods AE and Variational AE (VAE) along with One Class SVM (OCSVM) for detection of both known and unknown attacks [37]. The proposed AE and VAE have 2 encoding and 2 decoding layers with bottleneck layer having 64 neurons.…”

Section: Related Workmentioning

confidence: 99%

Hyperband Tuned Deep Neural Network With Well Posed Stacked Sparse AutoEncoder for Detection of DDoS Attacks in Cloud

2020

View full text Add to dashboard Cite

Cloud computing has very attractive features like elastic, on demand and fully managed computer system resources and services. However, due to its distributed and dynamic nature as well as vulnerabilities in virtualization implementation, the cloud environment is prone to various cyber-attacks and security issues related to cloud model. Some of them are inability to access data coming to and from cloud service, theft and misuse of data hosted, no control over sensitive data access, advance threats like malware injection attack, wrapping attacks, virtual machine escape, distributed denial of service attack (DDoS) etc. DDoS is one of the notorious attack. Despite a number of available potential solutions for the detection of DDoS attacks, the increasing frequency and potency of recent attacks and the constantly evolving attack vectors, necessitate the development of improved detection approaches. This paper proposes a novel architecture that combines a well posed stacked sparse AutoEncoder (AE) for feature learning with a Deep Neural Network (DNN) for classification of network traffic into benign traffic and DDoS attack traffic. AE and DNN are optimized for detection of DDoS attacks by tuning the parameters using appropriately designed techniques. The improvements suggested in this paper lead to low reconstruction error, prevent exploding and vanishing gradients, and lead to smaller network which avoids overfitting. A comparative analysis of the proposed approach with ten state-of-the-art approaches using performance metrics-detection accuracy, precision, recall and F1-Score, has been conducted. Experiments have been performed on CICIDS2017 and NSL-KDD standard datasets for validation. Proposed approach outperforms existing approaches over the NSL-KDD dataset and yields competitive results over the CICIDS2017 dataset.

show abstract

“…2. Model stability analysis The receiver operating characteristic (ROC) curve is applied in this paper to measure the detection performance of the model [31], [32]. The ROC curve is created by plotting the true positive rate (TPR) against the false positive rate (FPR), providing tools to select possibly optimal models and to discard suboptimal ones.…”

Section: Anomaly Monitoring Indexmentioning

confidence: 99%

A Multimode Anomaly Detection Method Based on OC-ELM for Aircraft Engine System

Chen

Wen

et al. 2021

IEEE Access

View full text Add to dashboard Cite

The practical industrial processes possess the characteristics of multimode, unbalanced data distribution, and complex types of abnormalities, which are challenging to the anomaly detection task of complex industrial systems. In this paper, a novel anomaly detection framework based on one-class extreme learning machine (OC-ELM) for the multimode system is presented. To tackle the multiple operation modes, a clustering algorithm is first applied to distinguish the operation modes of the system. The corresponding detection models are built under different operation modes resulting in the multiple models operated in parallel. In addition, the proposed method constructs the reasonable boundary of the complex data distribution, reflecting the equipment running in the healthy or the normal state. The anomaly detection index is obtained according to the deviation degree between the testing sample and the normal model. As a result, a global monitoring index reflecting the degradation state is obtained by combining the anomaly monitoring indices of the equipment under multiple operation modes. The proposed method is verified on a public dataset of aircraft engines, and the advantages are demonstrated by comparing with the implemented detection model without handling the information of operation modes, and the multiple principal component analysis method.

show abstract

Anomaly-Based Intrusion Detection From Network Flow Features Using Variational Autoencoder

Cited by 209 publications

References 56 publications

SBI Model for the Detection of Advanced Persistent Threat Based on Strange Behavior of Using Credential Dumping Technique

SBI Model for the Detection of Advanced Persistent Threat Based on Strange Behavior of Using Credential Dumping Technique

Hyperband Tuned Deep Neural Network With Well Posed Stacked Sparse AutoEncoder for Detection of DDoS Attacks in Cloud

A Multimode Anomaly Detection Method Based on OC-ELM for Aircraft Engine System

Contact Info

Product

Resources

About