Toward Supervised Anomaly Detection

Görnitz, Nico; Kloft, Marius; Rieck, Konrad; Brefeld, Ulf

doi:10.1613/jair.3623

Cited by 292 publications

(200 citation statements)

References 53 publications

(49 reference statements)

Supporting

Mentioning

184

Contrasting

Unclassified

Order By: Relevance

“…For Fraction of all connections of all clients that specified HTTP header field Content-Type as any text variant the detection of SQL-injection, cross-site-scripting (XSS), and PHP file-inclusion (L/RFI), traffic can be modeled based on HTTP header and query string information using HMMs (Ariu et al 2011), n-gram models (Wressnegger et al 2013), general kernels (Düssel et al 2008), or other models (Robertson and Maggi 2010). Anomaly-detection mechanisms were investigated, from centroid anomaly-detection models (Kloft and Laskov 2012) to setting hard thresholds on the likelihood of new HTTP requests given the model, to unsupervised learning of support-vector data description (SVDD) models (Düssel et al 2008, Görnitz et al 2013.…”

Section: Discussion and Related Workmentioning

confidence: 99%

“…A binary SVM trained on labeled data has been observed to consistently outperform a one-class SVM using n-gram features (Wressnegger et al 2013). Similarly, augmenting SVDDs with labeled data has been observed to greatly improve detection accuracy (Görnitz et al 2013). Other work has studied SVMs (Khan et al 2007;Li et al 2012) and other classification methods (Koc et al 2012;Peddabachigari et al 2007;Gharibian and Ghorbani 2007).…”

Section: Discussion and Related Workmentioning

confidence: 99%

“…A great variety of heuristic and principled approaches is used. In our study, we represent this family of approaches by SVDD which has been used successfully for several related computer-security problems (Düssel et al 2008;Görnitz et al 2013). Prior work generally uses smaller feature sets.…”

Section: Reference Methodsmentioning

confidence: 99%

See 2 more Smart Citations

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Dick

Scheffer

2016

Mach Learn

View full text Add to dashboard Cite

We focus on the problem of detecting clients that attempt to exhaust server resources by flooding a service with protocol-compliant HTTP requests. Attacks are usually coordinated by an entity that controls many clients. Modeling the application as a structuredprediction problem allows the prediction model to jointly classify a multitude of clients based on their cohesion of otherwise inconspicuous features. Since the resulting output space is too vast to search exhaustively, we employ greedy search and techniques in which a parametric controller guides the search. We apply a known method that sequentially learns the controller and the structured-prediction model. We then derive an online policy-gradient method that finds the parameters of the controller and of the structured-prediction model in a joint optimization problem; we obtain a convergence guarantee for the latter method. We evaluate and compare the various methods based on a large collection of traffic data of a web-hosting service.

show abstract

Section: Discussion and Related Workmentioning

confidence: 99%

Section: Discussion and Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Dick

Scheffer

2016

Mach Learn

View full text Add to dashboard Cite

show abstract

“…We use a probabilistic anomaly detection method that can benefit from anomalous examples for the authorship verification process based on a multivariate Gaussian modelling. Given the fact that unsupervised anomaly detection approaches often fail to match the required detection rates in many tasks and there exists a need for labelled data to guide the model generation [7], our proposed methods is weakly supervised in the sense that it takes into consideration a small amount of representative anomalous data for the model generation.…”

Section: Proposed Methodsmentioning

confidence: 99%

Probabilistic Anomaly Detection Method for Authorship Verification

Boukhaled

Ganascia

2014

Statistical Language and Speech Processing

View full text Add to dashboard Cite

“…Some examples of these methods are Support Vector Machines (SVMs) and Neural Networks (Erfani, Baktashmotlagh, Rajasegarar, Karunasekera, & Leckie, 2015). Semi-supervised methods require labelled instances of the normal class only, in order to train their detection models, e.g., one-class classifiers (Görnitz, Kloft, Rieck, & Brefeld, 2013). Compared to supervised methods and semi-supervised methods, unsupervised methods, which do not require labelled instances, are more widely used in industry, because obtaining accurate labelled data for anomaly detection often has a very high cost (Chandola et al, 2009).…”

Section: Related Workmentioning

confidence: 99%

ZERO++: Harnessing the Power of Zero Appearances to Detect Anomalies in Large-Scale Data Sets

Pang¹,

Ting²,

Albrecht³

et al. 2016

jair

View full text Add to dashboard Cite

This paper introduces a new unsupervised anomaly detector called ZERO++ which employs the number of zero appearances in subspaces to detect anomalies in categorical data. It is unique in that it works in regions of subspaces that are not occupied by data; whereas existing methods work in regions occupied by data. ZERO++ examines only a small number of low dimensional subspaces to successfully identify anomalies. Unlike existing frequencybased algorithms, ZERO++ does not involve subspace pattern searching. We show that ZERO++ is better than or comparable with the state-of-the-art anomaly detection methods over a wide range of real-world categorical and numeric data sets; and it is efficient with linear time complexity and constant space complexity which make it a suitable candidate for large-scale data sets.

show abstract

Toward Supervised Anomaly Detection

Cited by 292 publications

References 53 publications

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Probabilistic Anomaly Detection Method for Authorship Verification

ZERO++: Harnessing the Power of Zero Appearances to Detect Anomalies in Large-Scale Data Sets

Contact Info

Product

Resources

About