On the Improvement of the Isolation Forest Algorithm for Outlier Detection with Streaming Data

Heigl, Michael; Anand, K.; Urmann, Andreas; Fiala, Dalibor; Schramm, Martin; Hable, Robert

doi:10.3390/electronics10131534

Cited by 18 publications

(7 citation statements)

References 54 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…With respect to sig attr , as of now, we relied on the supervised RF-SHAP-feature importance scoring functionality for better result interpretability. However, in future evaluation, we want to replace RF with an online unsupervised OD algorithm equipped with a feature importance scoring functionality, such as Loda [23] or PCB-iForest [13]. As we showed that the ambitious aim to exploit the outcome of OD algorithms in order to generate an attack pattern generally works, we would also want to investigate the impacts of introducing FPs and FNs on signature comparison.…”

Section: Discussionmentioning

confidence: 99%

“…As already pointed out, in particular, the missing ground truth values in evolving (theoretically infinite) data that demand real or almost near real-time processing, taking the evolution and speed of data into account, require unsupervised OD methods capable of dealing with SD. We consider OD on SD, as is the context in [13]. Widely accepted and popular solutions, such as Hoeffding Trees [14] or Online Random Forests [15], achieve good accuracy and robustness in data streams [16] but are not designed to operate on unlabeled data.…”

Section: Related Work 21 Aspects On Unsupervised Online Outlier Detectionmentioning

confidence: 99%

“…For instance, while Isolation Forest's scoring takes values from [0, 1], Loda yields values from [0, ∞). Referring to the second criterion, to the best of our knowledge, only Loda and the adaption of iForest for SD, PCB-iForest IBFS , proposed in [13], provides by design the functionality to measure the statistic significance of each feature to its contribution to a data instance's scoring result in an unsupervised manner. From a supervised perspective, the Random Forests (RF) [30] algorithm, for which an online variant also exists [15], can provide feature importance scoring functionality using the SHapley Additive exPlanations (SHAP) method [31].…”

Section: Related Work 21 Aspects On Unsupervised Online Outlier Detectionmentioning

confidence: 99%

“…It is noted that the applied OD algorithms must be capable of providing the top-γfeatures. Although only a limited amount of work is able to satisfy this requirement, it is an important functionality for the design of future anomaly-based IDS [13]. The higher the value for γ, the more information must be transmitted with each alert increasing the communication overhead.…”

Section: Generation and Comparison Of Sig Attrmentioning

confidence: 99%

See 3 more Smart Citations

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

et al. 2021

Self Cite

View full text Add to dashboard Cite

Future-oriented networking infrastructures are characterized by highly dynamic Streaming Data (SD) whose volume, speed and number of dimensions increased significantly over the past couple of years, energized by trends such as Software-Defined Networking or Artificial Intelligence. As an essential core component of network security, Intrusion Detection Systems (IDS) help to uncover malicious activity. In particular, consecutively applied alert correlation methods can aid in mining attack patterns based on the alerts generated by IDS. However, most of the existing methods lack the functionality to deal with SD data affected by the phenomenon called concept drift and are mainly designed to operate on the output from signature-based IDS. Although unsupervised Outlier Detection (OD) methods have the ability to detect yet unknown attacks, most of the alert correlation methods cannot handle the outcome of such anomaly-based IDS. In this paper, we introduce a novel framework called Streaming Outlier Analysis and Attack Pattern Recognition, denoted as SOAAPR, which is able to process the output of various online unsupervised OD methods in a streaming fashion to extract information about novel attack patterns. Three different privacy-preserving, fingerprint-like signatures are computed from the clustered set of correlated alerts by SOAAPR, which characterizes and represents the potential attack scenarios with respect to their communication relations, their manifestation in the data's features and their temporal behavior. Beyond the recognition of known attacks, comparing derived signatures, they can be leveraged to find similarities between yet unknown and novel attack patterns. The evaluation, which is split into two parts, takes advantage of attack scenarios from the widely-used and popular CICIDS2017 and CSE‐CIC‐IDS2018 datasets. Firstly, the streaming alert correlation capability is evaluated on CICIDS2017 and compared to a state-of-the-art offline algorithm, called Graph-based Alert Correlation (GAC), which has the potential to deal with the outcome of anomaly-based IDS. Secondly, the three types of signatures are computed from attack scenarios in the datasets and compared to each other. The discussion of results, on the one hand, shows that SOAAPR can compete with GAC in terms of alert correlation capability leveraging four different metrics and outperforms it significantly in terms of processing time by an average factor of 70 in 11 attack scenarios. On the other hand, in most cases, all three types of signatures seem to reliably characterize attack scenarios such that similar ones are grouped together, with up to 99.05\% similarity between the FTP and SSH Patator attack.intrusion detection; alert analysis; alert correlation; outlier detection; attack scenario; streaming data; network security

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Work 21 Aspects On Unsupervised Online Outlier Detectionmentioning

confidence: 99%

Section: Related Work 21 Aspects On Unsupervised Online Outlier Detectionmentioning

confidence: 99%

Section: Generation and Comparison Of Sig Attrmentioning

confidence: 99%

See 2 more Smart Citations

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

et al. 2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…Within the scope of our future work is also to apply xStream in the windowed setting and check which mode-sequential or parallel-is in general more effective and why. Since UFSSOD's main purpose is the streaming feature selection for outlier detection, further evaluation should also include the latest online outlier detection methods, e.g., PCB-iForest [70].…”

Section: Discussionmentioning

confidence: 99%

Unsupervised Feature Selection for Outlier Detection on Streaming Data to Enhance Network Security

et al. 2021

Self Cite

View full text Add to dashboard Cite

Over the past couple of years, machine learning methods—especially the outlier detection ones—have anchored in the cybersecurity field to detect network-based anomalies rooted in novel attack patterns. However, the ubiquity of massive continuously generated data streams poses an enormous challenge to efficient detection schemes and demands fast, memory-constrained online algorithms that are capable to deal with concept drifts. Feature selection plays an important role when it comes to improve outlier detection in terms of identifying noisy data that contain irrelevant or redundant features. State-of-the-art work either focuses on unsupervised feature selection for data streams or (offline) outlier detection. Substantial requirements to combine both fields are derived and compared with existing approaches. The comprehensive review reveals a research gap in unsupervised feature selection for the improvement of outlier detection methods in data streams. Thus, a novel algorithm for Unsupervised Feature Selection for Streaming Outlier Detection, denoted as UFSSOD, will be proposed, which is able to perform unsupervised feature selection for the purpose of outlier detection on streaming data. Furthermore, it is able to determine the amount of top-performing features by clustering their score values. A generic concept that shows two application scenarios of UFSSOD in conjunction with off-the-shell online outlier detection algorithms has been derived. Extensive experiments have shown that a promising feature selection mechanism for streaming data is not applicable in the field of outlier detection. Moreover, UFSSOD, as an online capable algorithm, yields comparable results to a state-of-the-art offline method trimmed for outlier detection.

show abstract

Effectively predicting cyber‐attacks through isolation forest learning‐based outlier detection

Ripan

Islam

Alqahtani

et al. 2022

Security and Privacy

View full text Add to dashboard Cite

Due to the popularity of Internet of Things devices, the exponential progress of computer networks, and a plethora of associated applications, cybersecurity has recently attracted much attention in light of today's security problems. As a result, detecting various cyber‐attacks within a network and developing an effective cyber‐attacks prediction model that plays a crucial part in today's defense has become increasingly critical. Modeling cyber‐attacks effectively, on the other hand, is challenging because modern security datasets hold a large number of dimensions of security features and may contain outliers. To accomplish this, we provide an approach for categorizing cyber‐attacks effectively through isolation forest learning‐based outlier detection. Additionally, we apply a variety of popular machine learning approaches to assess the performance of cyber‐attacks prediction models, including logistic regression, support vector machine, AdaBoost classifier, naive Bayes, and K‐nearest neighbor. We evaluated the efficacy of our approach by running tests on three network intrusion datasets (KDD Cup 99, CIC‐IDS2017, and UNSW‐NB15) and computing the precision, recall, and accuracy. Experiments demonstrate that eliminating outliers improves the prediction accuracy of cyber‐attacks for different classifiers. Additionally, we compare the isolation forest learning‐based outlier detection model to other well‐known outlier detection techniques, DBSCAN and k‐means, and measure the effectiveness of our model.

show abstract

On the Improvement of the Isolation Forest Algorithm for Outlier Detection with Streaming Data

Cited by 18 publications

References 54 publications

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

Unsupervised Feature Selection for Outlier Detection on Streaming Data to Enhance Network Security

Effectively predicting cyber‐attacks through isolation forest learning‐based outlier detection

Contact Info

Product

Resources

About