Detecting anomalous packets in network transfers: investigations using PCA, autoencoder and isolation forest in TCP

Kiran, Mariam; Papadimitriou, George; Mandal, Anirban; Deelman, Ewa

doi:10.1007/s10994-020-05870-y

Cited by 10 publications

(5 citation statements)

References 34 publications

(34 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…2009), network anomaly (Kiran et al . 2020), and others. PCA algorithm has been modified to deal with robustness issue as well (refer to Tarr, Müller & Weber 2016 and related references).…”

Section: Introductionmentioning

confidence: 93%

“…These PCs are then arranged in order of decreasing importance based on their variability and only those which contribute significantly to the representation of the dataset are retained. The PCA technique has found applications in areas such as script recognition (Naser et al 2010), missing data (Cardot & Degras 2018), face recognition (Dryden et al 2009), network anomaly (Kiran et al 2020), and others. PCA algorithm has been modified to deal with robustness issue as well (refer to Tarr, Muller & Weber 2016 and related references).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Minimum cost‐compression risk in principal component analysis

Chattopadhyay

Banerjee

2022

Aus NZ J of Statistics

View full text Add to dashboard Cite

Summary Principal Component Analysis (PCA) is a popular multivariate analytic tool which can be used for dimension reduction without losing much information. Data vectors containing a large number of features arriving sequentially may be correlated with each other. An effective algorithm for such situations is online PCA. Existing Online PCA research works revolve around proposing efficient scalable updating algorithms focusing on compression loss only. They do not take into account the size of the dataset at which further arrival of data vectors can be terminated and dimension reduction can be applied. It is well known that the dataset size contributes to reducing the compression loss – the smaller the dataset size, the larger the compression loss while larger the dataset size, the lesser the compression loss. However, the reduction in compression loss by increasing dataset size will increase the total data collection cost. In this paper, we move beyond the scalability and updation problems related to Online PCA and focus on optimising a cost‐compression loss which considers the compression loss and data collection cost. We minimise the corresponding risk using a two‐stage PCA algorithm. The resulting two‐stage algorithm is a fast and an efficient alternative to Online PCA and is shown to exhibit attractive convergence properties with no assumption on specific data distributions. Experimental studies demonstrate similar results and further illustrations are provided using real data. As an extension, a multi‐stage PCA algorithm is discussed as well. Given the time complexity, the two‐stage PCA algorithm is emphasised over the multi‐stage PCA algorithm for online data.

show abstract

Section: Introductionmentioning

confidence: 93%

Section: Introductionmentioning

confidence: 99%

Minimum cost‐compression risk in principal component analysis

Chattopadhyay

Banerjee

2022

Aus NZ J of Statistics

View full text Add to dashboard Cite

show abstract

“…Several wide-range anomaly detection techniques that are often used in network IDSs are listed as follows: Statistical Profiling with Histograms [3], [4], Parametric and Non-parametric Statistical Modeling [5], [6], (Deep or Shallow) Artificial Neural Networks and Autoencoders [7]- [10], (One-Class) Support Vector Machines [11], [12], Reconstruction methods [13]- [15], Clustering methods [16], [17]. However, generally most of these learning systems detect abnormal data flows or packets based on their features and characteristics.…”

Section: A Related Workmentioning

confidence: 99%

Unsupervised Abnormal Traffic Detection through Topological Flow Analysis

Irofti¹,

Pătraşcu²,

Hîji³

2022

Preprint

View full text Add to dashboard Cite

Cyberthreats are a permanent concern in our modern technological world. In the recent years, sophisticated traffic analysis techniques and anomaly detection (AD) algorithms have been employed to face the more and more subversive adversarial attacks. A malicious intrusion, defined as an invasive action intending to illegally exploit private resources, manifests through unusual data traffic and/or abnormal connectivity pattern. Despite the plethora of statistical or signaturebased detectors currently provided in the literature, the topological connectivity component of a malicious flow is less exploited. Furthermore, a great proportion of the existing statistical intrusion detectors are based on supervised learning, that relies on labeled data. By viewing network flows as weighted directed interactions between a pair of nodes, in this paper we present a simple method that facilitate the use of connectivity graph features in unsupervised anomaly detection algorithms. We test our methodology on real network traffic datasets and observe several improvements over standard AD.

show abstract

“…We choose to use CART for its explainability and efficiency, as discussed in [20,59,34]. RF was used in the previous study for this same problem for its advantages of performance [60]. However, we will show later in this paper that RF without optimization is not enough.…”

Section: B Data Minersmentioning

confidence: 99%

Mining Workflows for Anomalous Data Transfers

Papadimitriou

Kiran

et al. 2021

2021 IEEE/ACM 18th International Conference on Mining Software Repositories (MSR)

Self Cite

View full text Add to dashboard Cite

Modern scientific workflows are data-driven and are often executed on distributed, heterogeneous, high-performance computing infrastructures. Anomalies and failures in the workflow execution cause loss of scientific productivity and inefficient use of the infrastructure. Hence, detecting, diagnosing, and mitigating these anomalies are immensely important for reliable and performant scientific workflows. Since these workflows rely heavily on high-performance network transfers that require strict QoS constraints, accurately detecting anomalous network performance is crucial to ensure reliable and efficient workflow execution. To address this challenge, we have developed X-FLASH, a network anomaly detection tool for faulty TCP workflow transfers. X-FLASH incorporates novel hyperparameter tuning and data mining approaches for improving the performance of the machine learning algorithms to accurately classify the anomalous TCP packets. X-FLASH leverages XGBoost as an ensemble model and couples XGBoost with a sequential optimizer, FLASH, borrowed from search-based Software Engineering to learn the optimal model parameters. X-FLASH found configurations that outperformed the existing approach up to 28%, 29%, and 40% relatively for F-measure, G-score, and recall in less than 30 evaluations. From (1) large improvement and (2) simple tuning, we recommend future research to have additional tuning study as a new standard, at least in the area of scientific workflow anomaly detection.

show abstract

Detecting anomalous packets in network transfers: investigations using PCA, autoencoder and isolation forest in TCP

Cited by 10 publications

References 34 publications

Minimum cost‐compression risk in principal component analysis

Minimum cost‐compression risk in principal component analysis

Unsupervised Abnormal Traffic Detection through Topological Flow Analysis

Mining Workflows for Anomalous Data Transfers

Contact Info

Product

Resources

About