Anomaly detection based on a dynamic Markov model

Ren, Hongliang; Ye, Zhixing; Li, Zhiwu

doi:10.1016/j.ins.2017.05.021

Cited by 73 publications

(32 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The Markov dictionaries were created by training the normal data including both the periodic packets peculiar to ICSs and the packets irregularly transmitted between OSs. In particular, we modelled the second order Markov-chain because it has been claimed that high order Markov-chain would cause a decrease in the accuracy [11].…”

Section: Modellingmentioning

confidence: 99%

Improvement of Anomaly Detection Performance Using Packet Flow Regularity in Industrial Control Networks

Tamura

Matsuura

2019

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

Since cyber attacks such as cyberterrorism against Industrial Control Systems (ICSs) and cyber espionage against companies managing them have increased, the techniques to detect anomalies in early stages are required. To achieve the purpose, several studies have developed anomaly detection methods for ICSs. In particular, some techniques using packet flow regularity in industrial control networks have achieved high-accuracy detection of attacks disrupting the regularity, i.e. normal behaviour, of ICSs. However, these methods cannot identify scanning attacks employed in cyber espionage because the probing packets assimilate into a number of normal ones. For example, the malware called Havex is customised to clandestinely acquire information from targeting ICSs using general request packets. The techniques to detect such scanning attacks using widespread packets await further investigation. Therefore, the goal of this study was to examine high performance methods to identify anomalies even if elaborate packets to avoid alert systems were employed for attacks against industrial control networks. In this paper, a novel detection model for anomalous packets concealing behind normal traffic in industrial control networks was proposed. For the proposal of the sophisticated detection method, we took particular note of packet flow regularity and employed the Markov-chain model to detect anomalies. Moreover, we regarded not only original packets but similar ones to them as normal packets to reduce false alerts because it was indicated that an anomaly detection model using the Markov-chain suffers from the ample false positives affected by a number of normal, irregular packets, namely noise. To calculate the similarity between packets based on the packet flow regularity, a vector representation tool called word2vec was employed. Whilst word2vec is utilised for the culculation of word similarity in natural language processing tasks, we applied the technique to packets in ICSs to calculate packet similarity. As a result, the Markov-chain with word2vec model identified scanning packets assimulating into normal packets in higher performance than the conventional Markov-chain model. In conclusion, employing both packet flow regularity and packet similarity in industrial control networks contributes to improving the performance of anomaly detection in ICSs.

show abstract

Section: Modellingmentioning

confidence: 99%

Improvement of Anomaly Detection Performance Using Packet Flow Regularity in Industrial Control Networks

Tamura

Matsuura

2019

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

show abstract

“…One of the essential keys to develop anomaly detection models to detect the KPIs anomalies efficiently is time-series feature mining technique, which may affect the superior limit of the models. In previous studies, sliding window-based strategy was widely used for time series analysis, see for example [13][14][15][16] and the references therein. However, the prediction performance of this method relies on the description of similarity metrics between two sub-sequences.…”

Section: Continuous Fluctuation Seriesmentioning

confidence: 99%

Anomaly Detection Based on Mining Six Local Data Features and BP Neural Network

Zhang

Zhu

et al. 2019

Symmetry

View full text Add to dashboard Cite

Key performance indicators (KPIs) are time series with the format of (timestamp, value). The accuracy of KPIs anomaly detection is far beyond our initial expectations sometimes. The reasons include the unbalanced distribution between the normal data and the anomalies as well as the existence of many different types of the KPIs data curves. In this paper, we propose a new anomaly detection model based on mining six local data features as the input of back-propagation (BP) neural network. By means of vectorization description on a normalized dataset innovatively, the local geometric characteristics of one time series curve could be well described in a precise mathematical way. Differing from some traditional statistics data characteristics describing the entire variation situation of one sequence, the six mined local data features give a subtle insight of local dynamics by describing the local monotonicity, the local convexity/concavity, the local inflection property and peaks distribution of one KPI time series. In order to demonstrate the validity of the proposed model, we applied our method on 14 classical KPIs time series datasets. Numerical results show that the new given scheme achieves an average F1-score over 90%. Comparison results show that the proposed model detects the anomaly more precisely.

show abstract

“…The enhanced versions of HMMs published in other papers [16][17][18][19][20][21][22][23] usually use some sort of prior knowledge to initialize the transition and emission matrices, which enables the adopted parameters' distribution comply with the real data distribution to be evaluated. As a result, we could not distinguish if the improvement in performance was due to the skewed initial model or the enhancement mechanisms created by us.…”

Section: Balanced Initial Modelmentioning

confidence: 99%

“…The efficiency problem might be resolved by quantum computers in the future [15], but deep-learning should not be considered the best choice for NIDS in terms of efficiency based on the current circumstances. (4) There are many enhanced models [16][17][18][19][20][21][22][23] classified as hybrid-type, which perform better by either combining the existing approaches in other domains (e.g., fuzzy logic) or creating novel mechanisms (e.g., feedback variables) specifically for NIDS (i.e., our AA-HMM), based on a specific shallow algorithm (e.g., decision tree) [14]. The temporary disadvantage of hybrid classifiers is that they need to be tested on various data sets to verify their stability.…”

Section: Introductionmentioning

confidence: 99%

AA-HMM: An Anti-Adversarial Hidden Markov Model for Network-Based Intrusion Detection

2018

View full text Add to dashboard Cite

In the field of network intrusion, malware usually evades anomaly detection by disguising malicious behavior as legitimate access. Therefore, detecting these attacks from network traffic has become a challenge in this an adversarial setting. In this paper, an enhanced Hidden Markov Model, called the Anti-Adversarial Hidden Markov Model (AA-HMM), is proposed to effectively detect evasion pattern, using the Dynamic Window and Threshold techniques to achieve adaptive, anti-adversarial, and online-learning abilities. In addition, a concept called Pattern Entropy is defined and acts as the foundation of AA-HMM. We evaluate the effectiveness of our approach employing two well-known benchmark data sets, NSL-KDD and CTU-13, in terms of the common performance metrics and the algorithm’s adaptation and anti-adversary abilities.

show abstract

Anomaly detection based on a dynamic Markov model

Cited by 73 publications

References 41 publications

Improvement of Anomaly Detection Performance Using Packet Flow Regularity in Industrial Control Networks

Improvement of Anomaly Detection Performance Using Packet Flow Regularity in Industrial Control Networks

Anomaly Detection Based on Mining Six Local Data Features and BP Neural Network

AA-HMM: An Anti-Adversarial Hidden Markov Model for Network-Based Intrusion Detection

Contact Info

Product

Resources

About