Stealthy poisoning attacks on PCA-based anomaly detectors

Rubinstein, Benjamin I. P.; Nelson, Brent D.; Huang, Ling; Joseph, Anthony D.; Lau, Shing-hon; Rao, Satish; Taft, Nina; Tygar, J. D.

doi:10.1145/1639562.1639592

Cited by 33 publications

(21 citation statements)

References 5 publications

(8 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Normally there are 3 methods that can be applied to assess the performance of network anomaly detection algorithm: network traffic simulation experiment [10,[14][15][16], testbed experiment [19], and real network data analysis [9,10,20,32,34]. There are pros and cons regarding each method.…”

Section: Discussionmentioning

confidence: 99%

“…References [14,15] took further steps to study poisoning attacks on anomaly detectors and evaluated poisoning techniques and developed defense. The authors of [16] listed 3 mechanisms of poisoning attacks and proposed defense based on robust PCA with projection pursuit.…”

Section: Related Workmentioning

confidence: 99%

“…This method employs network traffic of many Origin-Destination (OD) flows to establish a model of normal behavior and detects anomalies by measuring deviations from that model. With the concept of network-wide detection, researches are conducted in space-time expansibility [10][11][12][13], robustness [14][15][16], realtime processing [17,18], and anomaly measure [19,20], which enrich network-wide anomaly detection. This kind of methods uses whole-network traffic data, which has huge performance advantages over single point, single path, and single link.…”

Section: Introductionmentioning

confidence: 99%

“…Network-wide anomaly detection improves detection performance by introducing wider and multidimensional network information, but it also faces some real problems when implemented in large scale and high speed backbone network. Firstly, because of its wider collection area, more collection equipment, and faster network speed, it might not be applicable if collected data were lost during collection or transfer process [21]; secondly, traffic flows in backbone network continue to grow in volume and complexity, and hidden noise like anomalous traffic could degrade performance of the anomaly detection algorithms [22], while some of the attacks might even pollute the detectors [14][15][16]; thirdly, the above anomaly detection methods can only find when anomalies happen, but they still have some defects on locating those anomalies [22].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Network-Wide Traffic Anomaly Detection and Localization Based on Robust Multivariate Probabilistic Calibration Model

Luo

Qian

et al. 2015

Mathematical Problems in Engineering

View full text Add to dashboard Cite

Network anomaly detection and localization are of great significance to network security. Compared with the traditional methods of host computer, single link and single path, the network-wide anomaly detection approaches have distinctive advantages with respect to detection precision and range. However, when facing the actual problems of noise interference or data loss, the network-wide anomaly detection approaches also suffer significant performance reduction or may even become unavailable. Besides, researches on anomaly localization are rare. In order to solve the mentioned problems, this paper presents a robust multivariate probabilistic calibration model for network-wide anomaly detection and localization. It applies the latent variable probability theory with multivariate t-distribution to establish the normal traffic model. Not only does the algorithm implement network anomaly detection by judging whether the sample's Mahalanobis distance exceeds the threshold, but also it locates anomalies by contribution analysis. Both theoretical analysis and experimental results demonstrate its robustness and wider use. The algorithm is applicable when dealing with both data integrity and loss. It also has a stronger resistance over noise interference and lower sensitivity to the change of parameters, all of which indicate its performance stability.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Network-Wide Traffic Anomaly Detection and Localization Based on Robust Multivariate Probabilistic Calibration Model

Luo

Qian

et al. 2015

Mathematical Problems in Engineering

View full text Add to dashboard Cite

show abstract

“…Currently, there is no wellknown method to determine the parameters in the PCAbased detection methods [2]. Furthermore, large-volume traffic anomalies and the stealthy poisoning attacks can contaminate normal traffic patterns [3]. Last, PCA requires a singular value decomposition (SVD) of a n × m matrix.…”

Section: Introductionmentioning

confidence: 99%

Sketch-Based Streaming PCA Algorithm for Network-Wide Traffic Anomaly Detection

Liu

Zhang

Guan

2010

2010 IEEE 30th International Conference on Distributed Computing Systems

View full text Add to dashboard Cite

Internet has become an essential part of the daily life for billions of users worldwide, who are using a large variety of network services and applications everyday. However, there have been serious security problems and network failures that are hard to resolve, for example, botnet attacks, polymorphic worm/virus spreading, DDoS, and flash crowds. To address many of these problems, we need to have a network-wide view of the traffic dynamics, and more importantly, be able to detect traffic anomalies in a timely manner. Spatial analysis methods have been proved to be effective in detecting network-wide traffic anomalies that are not detectable at a single monitor. To our knowledge, Principle Component Analysis (PCA) is the best-known spatial detection method for the coordinated low-profile traffic anomalies. However, existing PCA-based solutions have scalability problems in that they require linear running time and space to analyze the traffic measurements within a sliding window, which makes it often infeasible to be deployed for monitoring large-scale high-speed networks. We propose a sketch-based streaming PCA algorithm for the network-wide traffic anomaly detection in a distributed fashion. Our algorithm only requires logarithmic running time and space at both local monitors and Network Operation Centers (NOCs), and can detect both high-profile and coordinated lowprofile traffic anomalies with bounded errors.

show abstract

Advanced persistent threat organization identification based on software gene of malware

Chen¹,

Helu²,

Jin³

et al. 2020

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Since the concept of IoT (Internet of Things) was proposed, it has digitized the real world and has a wide range of applications. However, with tremendous evolution in data acquisition and transfer, a new type of attack represented by advanced persistent threat (APT) has attracted wide attention. APT organization identification for malware is a method to detect APT attacks. However, most of malware is tailored to the goal, it is complex and changeable, or can be updated very quickly. The traditional analysis method is difficult to obtain the source information of APT organization from the malware in the IoT. To this end, we propose a software genes method to solve this problem. Software gene is binary fragment of specific function or information in the software body. In this paper, different from traditional data flow and instruction flow, a new gene model is proposed which combine with knowledge graph of malware behavior. We fill the processed malware information into the gene model to obtain the APT organization gene pool. Of course, the gene pool should be optimized to include the genetic characteristics of APT. In theory, there genetic characteristics can help us identify malware and APT accurately in the IoT. However, biological genetic similarity algorithms cannot be used directly. A genetic similarity algorithm for APT organization identification of malware will be designed instead. Simulations on real-world dataset corroborate theoretical analysis and reveal the possibility of using genes for malware traceability.

show abstract

Stealthy poisoning attacks on PCA-based anomaly detectors

Cited by 33 publications

References 5 publications

Network-Wide Traffic Anomaly Detection and Localization Based on Robust Multivariate Probabilistic Calibration Model

Network-Wide Traffic Anomaly Detection and Localization Based on Robust Multivariate Probabilistic Calibration Model

Sketch-Based Streaming PCA Algorithm for Network-Wide Traffic Anomaly Detection

Advanced persistent threat organization identification based on software gene of malware

Contact Info

Product

Resources

About