Online and Scalable Unsupervised Network Anomaly Detection Method
- 9 November 2016
- journal article
- research article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE Transactions on Network and Service Management
- Vol. 14 (1), 34-47
- https://doi.org/10.1109/tnsm.2016.2627340
Abstract
Network intrusion detectors today rely mainly on knowledge databases to detect suspicious traffic. These databases have to be updated continuously, which costs considerable human effort and time. Unsupervised network anomaly detectors avoid this problem by using "intelligent" techniques to identify anomalies without any prior knowledge. However, such systems are often very complex, since they must explore the network traffic to identify flow patterns, and they are therefore often unable to meet real-time requirements. In this paper, we present a new online, real-time unsupervised network anomaly detection algorithm, ORUNADA. Our solution relies on a discrete time-sliding window to update the feature space continuously and on incremental grid clustering to detect anomalies rapidly. The evaluations show that ORUNADA can process large volumes of network traffic online while ensuring a low detection delay and good detection performance. Experiments performed on the traffic of a core network of a Spanish intermediate Internet service provider show that ORUNADA detects an anomaly less than half a second after it occurs. Furthermore, the results highlight that our solution outperforms existing techniques reported in the literature in terms of true positive rate and false positive rate.
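As an added example (not code from the paper or its authors), the following Python sketch illustrates the two mechanisms the abstract names: a discrete time-sliding window that keeps a feature space current as flows arrive and expire, and a grid over that feature space whose cell occupancy is updated incrementally per flow, so that points sitting in sparsely populated cells can be flagged at once instead of re-clustering the whole window. The per-destination features (flows, distinct source IPs, distinct destination ports), the cell widths, the window length, the density threshold and the flow records themselves are all assumptions constructed for this demonstration.

```python
"""Incremental grid clustering over a discrete time-sliding window.

Added illustration, not the paper's ORUNADA implementation: the features,
cell widths, window length and density threshold are assumptions chosen so
the constructed sample traffic below is easy to follow by hand.
"""
from collections import Counter, defaultdict, deque


class IncrementalGridDetector:
    """One point per destination IP, built from the flows of the last
    `window_slots` time slots, bucketed into grid cells of the feature space.
    Assumed features: (flows seen, distinct source IPs, distinct dst ports).
    A point whose cell holds fewer than `min_points` points is reported."""

    def __init__(self, slot_seconds=1, window_slots=3, cell_widths=(5, 5, 5), min_points=2):
        self.slot_seconds = slot_seconds
        self.window_slots = window_slots
        self.cell_widths = cell_widths
        self.min_points = min_points
        self.slots = deque()                    # (slot_id, [flows in that slot])
        self.flow_count = Counter()             # dst -> flows currently in window
        self.src_count = defaultdict(Counter)   # dst -> {src: flows}
        self.port_count = defaultdict(Counter)  # dst -> {dst_port: flows}
        self.cell_of = {}                       # dst -> current grid cell
        self.cell_members = defaultdict(set)    # grid cell -> {dst, ...}

    def add_flow(self, flow):
        """Insert one flow (ts, src, dst, dst_port, packets); flows must be time-ordered."""
        ts, src, dst, port, _packets = flow
        slot_id = ts // self.slot_seconds
        assert not self.slots or slot_id >= self.slots[-1][0], "flows must arrive in time order"
        if not self.slots or self.slots[-1][0] != slot_id:
            self.slots.append((slot_id, []))
            self._expire(slot_id)
        self.slots[-1][1].append(flow)
        self.flow_count[dst] += 1
        self.src_count[dst][src] += 1
        self.port_count[dst][port] += 1
        self._refresh(dst)               # only this destination's cell can change

    def _expire(self, current_slot):
        """Drop slots that left the window and undo their contribution flow by flow."""
        oldest_allowed = current_slot - self.window_slots + 1
        while self.slots and self.slots[0][0] < oldest_allowed:
            _, flows = self.slots.popleft()
            for _ts, src, dst, port, _packets in flows:
                self.flow_count[dst] -= 1
                self._dec(self.src_count[dst], src)
                self._dec(self.port_count[dst], port)
                self._refresh(dst)

    @staticmethod
    def _dec(counter, key):
        counter[key] -= 1
        if counter[key] <= 0:
            del counter[key]             # keep len(counter) == number of distinct values

    def _refresh(self, dst):
        """Move `dst` between grid cells if its feature vector changed cell."""
        old = self.cell_of.get(dst)
        if self.flow_count[dst] > 0:
            feats = (self.flow_count[dst], len(self.src_count[dst]), len(self.port_count[dst]))
            new = tuple(f // w for f, w in zip(feats, self.cell_widths))
        else:                            # no flows left in window: point disappears
            new = None
            for table in (self.flow_count, self.src_count, self.port_count):
                table.pop(dst, None)
        if old == new:
            return
        if old is not None:
            self.cell_members[old].discard(dst)
            if not self.cell_members[old]:
                del self.cell_members[old]
        if new is None:
            self.cell_of.pop(dst, None)
        else:
            self.cell_members[new].add(dst)
            self.cell_of[dst] = new

    def anomalies(self):
        """Destinations whose grid cell is too sparse to count as a cluster."""
        return sorted(dst for dst, cell in self.cell_of.items()
                      if len(self.cell_members[cell]) < self.min_points)


def detect_per_slot(flows, detector=None):
    """Feed flows in order; return {slot_id: anomalies reported at the end of that slot}."""
    detector = detector if detector is not None else IncrementalGridDetector()
    report, current = {}, None
    for flow in flows:
        slot_id = flow[0] // detector.slot_seconds
        if current is not None and slot_id != current:
            report[current] = detector.anomalies()
        detector.add_flow(flow)
        current = slot_id
    if current is not None:
        report[current] = detector.anomalies()
    return report


def constructed_flows():
    """Constructed sample: three clients talk to a web and a DNS server every
    second; in second 2, 10.0.0.9 is hit by 12 distinct sources on 12 ports."""
    flows = []
    for t in range(6):
        for client in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
            flows.append((t, client, "10.0.0.1", 443, 20))
            flows.append((t, client, "10.0.0.2", 53, 2))
        if t == 2:
            for i in range(12):
                flows.append((t, f"172.16.0.{i}", "10.0.0.9", 1000 + i, 1))
    return flows


if __name__ == "__main__":
    for slot, hits in sorted(detect_per_slot(constructed_flows()).items()):
        print(f"slot {slot}: anomalies = {hits}")
```

With a three-slot window the burst is reported at the end of the slot in which it occurs and stays reported until that slot slides out of the window, after which the point is removed and the grid is back to a single cell holding the two servers. Each flow arrival or expiry touches exactly one point and at most two cells, which is what keeps the update cost independent of the window size; a production detector would also need feature scaling, neighbouring-cell merging and a tuned density threshold, none of which this sketch attempts.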
Funding Information
- European Union Seventh Framework Programme (619633)