Evading Anomaly Detection through Variance Injection Attacks on PCA

Rubinstein, Benjamin I. P.; Nelson, Brent D.; Huang, Ling; Joseph, Anthony D.; Lau, Shing-hon; Taft, Nina; Tygar, J. D.

doi:10.1007/978-3-540-87403-4_23

Cited by 8 publications

(4 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this study, we used oil pump frequency data to exclude false anomalies in the pressure data. Since variance can reflect the degree of data deviation from the mean value, the variance of the oil pump frequency value in the time period when abnormal events occur is used as the basis for determining false anomalies [50,51]. When the variance is 0, the abnormality has nothing to do with the adjustment of the oil pump frequency; when the variance is not 0, the anomaly is a false anomaly caused by the adjustment of the oil pump frequency.…”

Section: Joint Analysis Anomaly Identification Methodmentioning

confidence: 99%

Research on an Oil Pipeline Anomaly Identification Method for Distinguishing True and False Anomalies

Chen

Wang

et al. 2022

Mobile Information Systems

View full text Add to dashboard Cite

Anomaly identification is important to ensure the safe and stable operation of oil pipelines and prevent leaks. Leak identification is performed to divide abnormal samples from normal oil transfer samples in monitoring data, and it is a dichotomous problem. However, the traditional machine learning binary classification method is no longer suitable for identifying leak anomalies in complex production environments. The main problem is that leaks in production environments are very rare, and traditional methods cannot directly identify the leaking pattern with their generalizability. The recognized normal pattern lacks the ability to adapt to dynamic environmental changes and an artificial adjustment of the pump frequency, instrument calibration, and other monitoring data mutations. These are known as false anomalies, and they are difficult to distinguish from true anomalies. This results in a lower recall rate for leak anomaly identification and a higher rate of false positives. To solve this problem, this study proposes a leak anomaly recognition method based on the distinction between true and false anomalies. A one-class SVM is used to learn the normal working mode of oil pipelines, and the model is used to screen out suspected pipeline anomalies, namely, true and false anomalies. It increases the morphological difference between true and false anomaly curves by superimposing multisource data and uses similarity clustering to discover anomaly patterns that indicate leak events. The results show that the leakage anomaly recall rate is 100%, and the false anomaly exclusion rate is 83.49%. This method achieves real-time and efficient monitoring of pipeline leaking events in complex production environments, and it is practical for the application of machine learning methods in production environments.

show abstract

Section: Joint Analysis Anomaly Identification Methodmentioning

confidence: 99%

Research on an Oil Pipeline Anomaly Identification Method for Distinguishing True and False Anomalies

Chen

Wang

et al. 2022

Mobile Information Systems

View full text Add to dashboard Cite

show abstract

“…We decided to use a trust-based approach for evaluating the aggregation agents, because it not only eliminates the noise in the background traffic and randomness of the challenge selection process, but accounts for the fact that attackers might try to manipulate the system by inserting misleading traffic flows. An attacker could insert fabricated flows [13] hoping they would cause the system to select an aggregation agent that is less sensitive to the threat the attacker actually intends to realize. When using trust, one tries to avoid this manipulation by dynamically adapting to more recent actions of an attacker.…”

Section: Dynamic Aggregation Agent Selectionmentioning

confidence: 99%

“…detection performance) values close to the optimum, and has to operate in a manner which would evade any of these profiles. This unpredictability, together with the additional robustness achieved by the use of multiple algorithms, makes the IDS evasion a much more difficult task than simply avoiding a single intrusion detection method [13].…”

Section: Ids Monitoring Architecturementioning

confidence: 99%

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems

Řehák

Staab

Fusenig

et al. 2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Our work proposes a generic architecture for runtime monitoring and optimization of IDS based on the challenge insertion. The challenges, known instances of malicious or legitimate behavior, are inserted into the network traffic represented by NetFlow records, processed with the current traffic and the system's response to the challenges is used to determine its effectiveness and to fine-tune its parameters. The insertion of challenges is based on the threat models expressed as attack trees with attached risk/loss values. The use of threat model allows the system to measure the expected undetected loss and to improve its performance with respect to the relevant threats, as we have verified in the experiments performed on live network traffic.

show abstract

“…Consequently, anomaly detection has received a lot of attention in the last decade, and numerous detectors have been proposed. Operators, however, often disregard the alarms reported by anomaly detectors because of several drawbacks discrediting them [10,21,23,24]. The key task for improving anomaly detectors is to thoroughly evaluate their output.…”

Section: Introductionmentioning

confidence: 99%

Improving an SVD-based combination strategy of anomaly detectors for traffic labelling

Mazel¹,

Esaki

Fontugne

et al. 2012

Proceedings of the Asian Internet Engineeering Conference on - AINTEC '12

View full text Add to dashboard Cite

Network anomaly detection is a crucial task in traffic monitoring. Tools targeting this particular problematic need to be thoroughly evaluated to assess their efficiency. Such evaluation needs reliable ground truth data to be effective. The goal of the present article is to assist researchers in the evaluation of detectors by providing them with labelled anomaly traffic traces. One of the promising strategies to provide reliable ground truth data is to combine the output of the multiple anomaly detectors with different theoretical background. In this paper, we provide an in-depth analysis of the Singular Value Decomposition (SVD) based combination strategy that has been recently applied to anomaly detectors (MAWILab). This analysis highlights the key drawback of the method to efficiently discriminate the anomalous traffic from the harmless one. We then propose several techniques to overcome this drawback and improve the discrimination power of the combination strategy. Our evaluation using four anomaly detectors and four years of real backbone traffic traces (MAWI) emphasizes the accuracy gain of the proposed techniques over the original study.

show abstract

Evading Anomaly Detection through Variance Injection Attacks on PCA

Cited by 8 publications

References 2 publications

Research on an Oil Pipeline Anomaly Identification Method for Distinguishing True and False Anomalies

Research on an Oil Pipeline Anomaly Identification Method for Distinguishing True and False Anomalies

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems

Improving an SVD-based combination strategy of anomaly detectors for traffic labelling

Contact Info

Product

Resources

About