Funding: This work was supported in part by the National Key R&D Program of China (2021YFE0110500), in part by the National Natural Science Foundation of China under Grant 62062021, and in part by the Guiyang Scientific Plan Project [2023]48-11.
Abstract: Unsupervised methods based on density representation have shown their abilities in anomaly detection, but detection performance still needs to be improved. Specifically, approaches using normalizing flows can accurately evaluate sample distributions, mapping normal features to the normal distribution and anomalous features outside it. Consequently, this paper proposes a Normalizing Flow-based Bidirectional Mapping Residual Network (NF-BMR). It utilizes pre-trained Convolutional Neural Networks (CNNs) and normalizing flows to construct discriminative source and target domain feature spaces. Additionally, to better learn feature information in both domain spaces, we propose the Bidirectional Mapping Residual Network (BMR), which maps sample features to these two spaces for anomaly detection. The two detection spaces effectively complement each other's deficiencies and provide a comprehensive feature evaluation from two perspectives, which leads to improved detection performance. Comparative experimental results on the MVTec AD and DAGM datasets against the Bidirectional Pre-trained Feature Mapping Network (B-PFM) and other state-of-the-art methods demonstrate that the proposed approach achieves superior performance. On the MVTec AD dataset, NF-BMR achieves an average AUROC of 98.7% for all 15 categories. In particular, it achieves 100% optimal detection performance in five categories. On the DAGM dataset, the average AUROC across ten categories is 98.7%, which is very close to supervised methods.
Funding: Supported by the National Natural Science Foundation of China (No. 62076042, No. 62102049), the Key Research and Development Project of Sichuan Province (No. 2021YFSY0012, No. 2020YFG0307, No. 2021YFG0332), the Science and Technology Innovation Project of Sichuan (No. 2020017), the Key Research and Development Project of Chengdu (No. 2019-YF05-02028-GX), the Innovation Team of Quantum Security Communication of Sichuan Province (No. 17TD0009), and the Academic and Technical Leaders Training Funding Support Projects of Sichuan Province (No. 2016120080102643).
Abstract: Nowadays, industrial control systems (ICS) have begun to integrate with the Internet. While the Internet has brought convenience to ICS, it has also brought severe security concerns. Traditional ICS network traffic anomaly detection methods rely on statistical features manually extracted using the experience of network security experts. They do not operate on the original network data, nor can they capture the latent characteristics of network packets. Therefore, the following improvements were made in this study: (1) A dataset that can be used to evaluate anomaly detection algorithms is produced, which provides raw network data. (2) A request-response-based convolutional neural network named RRCNN is proposed, which can be used for anomaly detection of ICS network traffic. Instead of using statistical features manually extracted by security experts, this method uses the byte sequences of the original network packets directly, which can extract latent features of the network packets in greater depth. It regards the request packet and response packet in a session as a Request-Response Pair (RRP). The feature of an RRP is extracted using a one-dimensional convolutional neural network, and then the RRP is judged to be normal or abnormal based on the extracted feature. Experimental results demonstrate that this model is better than several other machine learning and neural network models, with F1, accuracy, precision, and recall above 99%.
Abstract: VPNs are vital for safeguarding communication routes in the continually changing cybersecurity world. However, increasing network attack complexity and variety require increasingly advanced algorithms to recognize and categorize VPN network data. We present a novel VPN network traffic flow classification method utilizing Artificial Neural Networks (ANN). This paper aims to provide a reliable system that can distinguish virtual private network (VPN) traffic from intrusion attempts, data exfiltration, and denial-of-service assaults. We compile a broad dataset of labeled VPN traffic flows from various apps and usage patterns. Next, we create an ANN architecture that can handle encrypted communication and distinguish benign from dangerous actions. To effectively process and categorize encrypted packets, the neural network model has input, hidden, and output layers. We use advanced feature extraction approaches to improve the ANN's classification accuracy by leveraging network traffic's statistical and behavioral properties. We also use cutting-edge optimization methods to optimize network characteristics and performance. The suggested ANN-based categorization method is extensively tested and analyzed. Results show the model effectively classifies VPN traffic types. We also show that our ANN-based technique outperforms other approaches in precision, recall, and F1-score, with 98.79% accuracy. This study improves VPN security and protects against new cyberthreats. Classifying VPN traffic flows effectively helps enterprises protect sensitive data, maintain network integrity, and respond quickly to security problems. This study advances network security and lays the groundwork for ANN-based cybersecurity solutions.
Abstract: To effectively detect unknown anomalous attack behaviors in network traffic, an Unsupervised Anomaly Detection approach for network flows using Immune Network based K-means clustering (UADINK) is proposed. In UADINK, an artificial immune network based K-means clustering algorithm (aiNet_KMC) is introduced to cluster network flows, i.e. extracting abstract internal images from network flows and obtaining an optimized parameter K for K-means from the aiNet model, after which the network flows are clustered by the K-means algorithm. The cluster labeling algorithm (clusLA) and the network flow anomaly detection algorithm (NFAD) are introduced to detect anomalous attack behaviors of network flows, where the clusLA algorithm is used to label whether each cluster is malicious, and the labeled clusters are regarded as detectors to identify anomalous network flows by NFAD. To evaluate the effectiveness of UADINK, the ISCX 2012 IDS dataset is used as the experimental dataset. Compared with the NDM based K-means anomaly detection approach, the results show that UADINK is a radical anomaly detection approach for detecting anomalies in network flows.
Abstract: Because of the explosive growth of intrusions, the need for anomaly-based Intrusion Detection Systems (IDSs) capable of detecting novel attacks is increasing. Among those systems, flow-based detection systems, which use a series of packets exchanged between two terminals as the unit of observation, have the advantage of being able to detect an anomaly that is present in only some specific sessions. However, in large-scale networks where a large number of communications take place, analyzing every flow is not practical. On the other hand, timeslot-based detection systems need not prepare a large number of buffers, although it is difficult for them to pinpoint the anomalous communications. In this paper, we propose a multi-stage anomaly detection system that is a combination of timeslot-based and flow-based detectors. The proposed system can reduce the number of flows that need to be subjected to flow-based analysis but still exhibits high detection accuracy. Through experiments using a data set, we present the effectiveness of the proposed method.
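The two-stage funnel described in the abstract above, as an added example (not the paper's own code): the first stage keeps one counter per timeslot and no per-flow state, flags slots whose flow count is far above a robust baseline, and only flows from flagged slots are handed to the per-flow stage. The flow records, the median + k*MAD slot rule, the 10-second slot width and the "10 or more distinct destination ports" scan rule are all assumptions made for the example; the traffic is constructed, not a real capture.

```python
"""Two-stage (timeslot -> flow) anomaly detection; added example, not the paper's code."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    start: float     # seconds since capture start
    src: str
    dst: str
    dport: int
    packets: int


def constructed_flows(slot_seconds=10, n_slots=20, scan_slot=14):
    """Constructed sample flows (not a real capture): a light, slightly uneven
    background of web/DNS flows, plus a vertical port scan from one host that
    lands entirely inside a single slot."""
    flows = []
    for s in range(n_slots):
        for i in range(8 + s % 3):           # 8..10 background flows per slot
            dns = i % 4 == 0
            flows.append(Flow(s * slot_seconds + i * 0.7, f"10.0.0.{1 + i % 5}",
                              "192.0.2.53" if dns else "192.0.2.10",
                              53 if dns else 443, 10 + i))
    for p in range(1, 41):                   # 40 one-packet flows, one per port
        flows.append(Flow(scan_slot * slot_seconds + p * 0.1, "10.0.0.99",
                          "192.0.2.10", p, 1))
    return flows


def stage1_timeslot(flows, slot_seconds=10, k=3.0):
    """Cheap stage: one counter per slot, no per-flow buffers. Flags slots whose
    flow count exceeds median + k * MAD (median/MAD so the burst itself does not
    inflate the baseline). Threshold rule is an assumption of this example."""
    counts = Counter(int(f.start // slot_seconds) for f in flows)
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    threshold = med + k * max(mad, 1.0)      # floor keeps the rule usable when MAD is 0
    return sorted(s for s, c in counts.items() if c > threshold), threshold


def stage2_flow(flows, suspicious_slots, slot_seconds=10, min_ports=10):
    """Expensive stage, run only on flows inside flagged slots: per source, count
    distinct (dst, dport) targets; many targets reached with tiny flows is the
    signature of a vertical scan (min_ports is an assumption of this example)."""
    suspicious = set(suspicious_slots)
    examined = [f for f in flows if int(f.start // slot_seconds) in suspicious]
    targets = defaultdict(set)
    pkts = defaultdict(list)
    for f in examined:
        targets[f.src].add((f.dst, f.dport))
        pkts[f.src].append(f.packets)
    verdicts = {src: {"distinct_targets": len(targets[src]),
                      "mean_packets": sum(pkts[src]) / len(pkts[src])}
                for src in targets}
    flagged = sorted(src for src, v in verdicts.items()
                     if v["distinct_targets"] >= min_ports)
    return flagged, len(examined), verdicts


def run_pipeline(flows, slot_seconds=10):
    """Returns what a CSIRT analyst wants from the funnel: which slots and which
    sources were flagged, and how much of the flow population the expensive
    stage actually had to look at."""
    slots, _ = stage1_timeslot(flows, slot_seconds)
    flagged, examined, _ = stage2_flow(flows, slots, slot_seconds)
    return {"suspicious_slots": slots, "flagged_sources": flagged,
            "flows_examined": examined, "flows_total": len(flows)}


if __name__ == "__main__":
    print(run_pipeline(constructed_flows()))
```

On the constructed traffic the per-flow stage examines 50 of 219 flows and still catches the scanner, which is the trade-off the abstract claims: a slot counter is cheap enough to run on every slot, and per-flow analysis is only paid for where the counter says it is worth it. A scan spread thinly over many slots would not trip the first stage, so in practice the slot statistic should include something beyond raw flow count (for example distinct destination ports per slot).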
Abstract: Network management and multimedia data mining techniques have a great interest in analyzing and improving the network traffic process. In recent times, the most complex task in Software Defined Network (SDN) is security, which is based on a centralized, programmable controller. Therefore, monitoring network traffic is significant for identifying and revealing intrusion abnormalities in the SDN environment. Consequently, this paper provides an extensive analysis and investigation of the NSL-KDD dataset using five different clustering algorithms: K-means, Farthest First, Canopy, a density-based algorithm, and Expectation-Maximization (EM), using the Waikato Environment for Knowledge Analysis (WEKA) software to compare extensively between these five algorithms. Furthermore, this paper presents an SDN-based intrusion detection system using a deep learning (DL) model with the KDD (Knowledge Discovery in Databases) dataset. First, the utilized dataset is clustered into normal and four major attack categories via the clustering process. Then, a deep learning method is proposed for building an efficient SDN-based intrusion detection system. The results provide a comprehensive analysis and a reasonable study of the different kinds of attacks incorporated in the KDD dataset. Similarly, the outcomes reveal that the proposed deep learning method provides efficient intrusion detection performance compared to existing techniques. For example, the proposed method achieves a detection accuracy of 94.21% for the examined dataset.
Funding: Project supported by the National Science and Technology Major Project (No. 2022ZD0115302), the National Natural Science Foundation of China (No. 61379052), the Science Foundation of the Ministry of Education of China (No. 2018A02002), and the Natural Science Foundation for Distinguished Young Scholars of Hunan Province, China (No. 14JJ1026).
Abstract: Active anomaly detection queries labels of sampled instances and uses them to incrementally update the detection model, and has been widely adopted in detecting network attacks. However, existing methods cannot achieve desirable performance on dynamic network traffic streams because (1) their query strategies cannot sample informative instances to make the detection model adapt to the evolving stream and (2) their model updating relies on the limited query instances only and fails to leverage the enormous number of unlabeled instances on streams. To address these issues, we propose an active tree based model, adaptive and augmented active prior-knowledge forest (A3PF), for anomaly detection on network traffic streams. A prior-knowledge forest is constructed using prior knowledge of network attacks to find feature subspaces that better distinguish network anomalies from normal traffic. On one hand, to make the model adapt to the evolving stream, a novel adaptive query strategy is designed to sample informative instances from two aspects: the changes in the dynamic data distribution and the uncertainty of anomalies. On the other hand, based on the similarity of instances in the neighborhood, we devise an augmented update method to generate pseudo labels for the unlabeled neighbors of query instances, which enables usage of the enormous number of unlabeled instances during model updating. Extensive experiments on two benchmarks, CIC-IDS2017 and UNSW-NB15, demonstrate that A3PF achieves significant improvements over previous active methods in terms of the area under the receiver operating characteristic curve (AUC-ROC) (20.9% and 21.5%) and the area under the precision-recall curve (AUC-PR) (44.6% and 64.1%).
Funding: This work was funded by the High-tech Research and Development Program of China (863 Program) under Grant 2006II01Z451.
Abstract: Network traffic anomalies refer to traffic that changes abnormally and obviously. Local events such as temporary network congestion, Distributed Denial of Service (DDoS) attacks and large-scale scans, or global events such as abnormal network routing, can cause network anomalies. Network anomaly detection and analysis are very important to Computer Security Incident Response Teams (CSIRTs). But wide-scale traffic anomaly detection requires extracting anomalous modes from large amounts of high-dimensional, noise-rich data and interpreting those modes, so it is very difficult. This paper proposes a general method based on Principal Component Analysis (PCA) to analyze network anomalies. This method divides the traffic matrix into normal and anomalous subspaces, maps traffic vectors into the normal subspace, gets the distance from the detected vector to the average normal vector, and detects anomalies based on that distance.
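The subspace split described in the abstract above, as an added example (not the paper's own code): the rows of the traffic matrix are timeslots, the columns are links, the top k principal components of anomaly-free training slots span the normal subspace, and each slot is scored both by its distance from the average normal vector inside that subspace (the abstract's measure, as read here) and by its residual energy in the orthogonal anomalous subspace. The traffic matrix is constructed, numpy is assumed to be available, and k = 2 components with a mean + 6 sigma residual threshold are assumptions of this example, not parameters from the paper.

```python
"""PCA normal/anomalous subspace detection on a link-traffic matrix; added example."""
import numpy as np


def build_traffic_matrix(n_slots=240, n_links=12, seed=7):
    """Constructed sample data, not a real trace: every link carries a mix of two
    shared periodic patterns plus unit Gaussian noise. A volume burst is injected
    at one slot on three links to stand in for a DDoS or flash event."""
    rng = np.random.default_rng(seed)
    t = np.arange(n_slots)
    patterns = np.stack([np.sin(2 * np.pi * t / 48),
                         np.cos(2 * np.pi * t / 24)], axis=1)        # (T, 2)
    mixing = rng.uniform(0.5, 2.0, size=(2, n_links))                # share of each pattern per link
    base = rng.uniform(50.0, 100.0, size=n_links)                    # per-link mean volume
    X = base + 10.0 * patterns @ mixing + rng.normal(0.0, 1.0, size=(n_slots, n_links))
    anomaly_slot = 180
    X[anomaly_slot, [2, 5, 9]] += 40.0
    return X, anomaly_slot


class PCASubspaceDetector:
    """Normal subspace = span of the top-k principal components of anomaly-free
    training slots; anomalous subspace = its orthogonal complement."""

    def __init__(self, k=2, n_sigma=6.0):
        self.k = k
        self.n_sigma = n_sigma   # threshold multiplier (assumption of this example)

    def fit(self, X_train):
        self.mean = X_train.mean(axis=0)                 # the "average normal vector"
        Xc = X_train - self.mean
        _, _, vt = np.linalg.svd(Xc, full_matrices=False)
        self.P = vt[: self.k].T                          # (n_links, k) basis of the normal subspace
        _, spe = self.scores(X_train)
        # Residual threshold from the training distribution; the paper's own rule
        # is not given in the abstract, so mean + n_sigma * std is assumed here.
        self.threshold = float(spe.mean() + self.n_sigma * spe.std())
        return self

    def scores(self, X):
        Xc = X - self.mean
        coords = Xc @ self.P                             # coordinates inside the normal subspace
        normal_dist = np.linalg.norm(coords, axis=1)     # distance to the average normal vector, in-subspace
        residual = Xc - coords @ self.P.T                # component in the anomalous subspace
        spe = np.einsum("ij,ij->i", residual, residual)  # squared prediction error
        return normal_dist, spe

    def detect(self, X):
        _, spe = self.scores(X)
        return np.flatnonzero(spe > self.threshold)


def run_demo():
    """Fit on the anomaly-free first half, score every slot, report the verdicts."""
    X, anomaly_slot = build_traffic_matrix()
    det = PCASubspaceDetector(k=2).fit(X[:120])
    normal_dist, spe = det.scores(X)
    return {
        "anomaly_slot": anomaly_slot,
        "flagged": det.detect(X).tolist(),
        "top_slot_by_residual": int(np.argmax(spe)),
        "top_slot_by_normal_dist": int(np.argmax(normal_dist)),
        "threshold": det.threshold,
    }


if __name__ == "__main__":
    print(run_demo())
```

The two scores answer different questions. The in-subspace distance to the average normal vector is dominated by legitimate periodic variation (a busy-hour slot sits far from the mean but entirely inside the normal subspace), so on its own it is a weak alarm; the residual in the anomalous subspace is what isolates a burst confined to a few links, and it is the score the example thresholds. A practitioner should also fit on a window known to be clean: an anomaly present in the training matrix is absorbed into the normal subspace and then goes undetected.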
Abstract: In the global scenario, one of the important goals for sustainable development in the industrial field is to innovate new technology and invest in building infrastructure. All the developed and developing countries focus on building resilient infrastructure and promoting sustainable development by fostering innovation. At this juncture, cloud computing has become an important information and communication technologies model influencing the sustainable development of industries in the developing countries. As part of the innovations happening in the industrial sector, a new concept termed 'smart manufacturing' has emerged, which employs the benefits of emerging technologies like the internet of things and cloud computing. Cloud services deliver on-demand access to computing, storage, and infrastructural platforms for industrial users through the Internet. In the recent era of information technology, the number of business and individual users of cloud services has increased and larger volumes of data are being processed and stored in it. As a consequence, data breaches in cloud services are also increasing day by day. Due to various security vulnerabilities in the cloud architecture, the cloud environment has become non-resilient. To restore the normal behavior of the cloud, detect the deviations, and achieve higher resilience, anomaly detection becomes essential. Deep learning architecture-based anomaly detection mechanisms use various monitoring metrics to characterize the normal behavior of cloud services and identify abnormal events. This paper focuses on designing an intelligent deep learning based approach for detecting cloud anomalies in real time to make the cloud more resilient. The deep learning models are trained using features extracted from the system level and network level performance metrics observed in the Transmission Control Protocol (TCP) traces of the simulation. The experimental results of the proposed approach demonstrate superior performance in terms of a higher detection rate and a lower false alarm rate when compared to the Support Vector Machine (SVM).