
Online Adaptive Anomaly Detection for Augmented Network Flows

Publisher
Association for Computing Machinery
Copyright
Copyright © 2016 by ACM Inc.
ISSN
1556-4665
DOI
10.1145/2934686
Publisher site
See Article on Publisher Site

Abstract

DENNIS IPPOLITI, University of Colorado, Colorado Springs
CHANGJUN JIANG and ZHIJUN DING, Tongji University, China
XIAOBO ZHOU, University of Colorado, Colorado Springs

Traditional network anomaly detection involves developing models that rely on packet inspection. However, increasing network speeds and the use of encrypted protocols make per-packet inspection unsuited for today's networks. One method of overcoming this obstacle is aggregating packet header information and performing flow-based analysis, where data flow patterns are examined rather than deep packet inspection. Many existing approaches are special purpose, limited to detecting specific behavior. Also, the data reduction inherent in identifying anomalous flows hinders alert correlation. In this article, we propose and develop a dynamic anomaly detection approach for augmented network flows. We sketch network state during flow creation, enabling general-purpose threat detection. We describe an efficient flow augmentation approach based on the count-min sketch that provides per-flow-, per-node-, and per-network-level statistics in parallel with flow record generation. We design and develop a support vector machine-based adaptive anomaly detection and correlation mechanism, which is capable of aggregating alerts without a priori alert classification and of evolving models online. We further develop a lightweight evolving alert aggregation method and combine
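To make the flow augmentation idea concrete, the following is an added illustration (not code from the article or its authors) of a count-min sketch that keeps per-node and per-network counters while flow records are produced; each flow record is emitted together with the node- and network-level statistics observed at its creation, which is the kind of feature vector a downstream classifier would consume. The sketch sizing, field names and the constructed sample flows are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Flow:            # minimal constructed flow record (assumed fields)
    src: str
    dst: str
    nbytes: int

class CountMinSketch:
    """Fixed-memory frequency estimator: depth rows of width counters.
    Point queries never underestimate; width/depth bound the overestimate."""
    def __init__(self, width: int = 1024, depth: int = 4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _index(self, key: str, row: int) -> int:
        # One independent-looking hash per row, derived by salting the key with the row id.
        h = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest()
        return int.from_bytes(h, "big") % self.width

    def add(self, key: str, count: int = 1) -> None:
        for r in range(self.depth):
            self.table[r][self._index(key, r)] += count

    def estimate(self, key: str) -> int:
        return min(self.table[r][self._index(key, r)] for r in range(self.depth))

class FlowAugmenter:
    """Augments each flow with sketch-backed per-node stats and exact per-network totals."""
    def __init__(self):
        self.src_flows = CountMinSketch()   # flows initiated per source node
        self.src_bytes = CountMinSketch()   # bytes sent per source node
        self.dst_flows = CountMinSketch()   # flows received per destination node
        self.net_flows = 0
        self.net_bytes = 0

    def record(self, f: Flow) -> dict:
        self.src_flows.add(f.src); self.src_bytes.add(f.src, f.nbytes); self.dst_flows.add(f.dst)
        self.net_flows += 1; self.net_bytes += f.nbytes
        return {"src": f.src, "dst": f.dst, "bytes": f.nbytes,
                "src_flow_count": self.src_flows.estimate(f.src),
                "src_byte_count": self.src_bytes.estimate(f.src),
                "dst_flow_count": self.dst_flows.estimate(f.dst),
                "net_flow_count": self.net_flows, "net_byte_count": self.net_bytes}

# Constructed sample: one host opening many small flows to many peers, plus three normal transfers.
SAMPLE_FLOWS = [Flow("10.0.0.5", f"10.0.1.{i}", 60) for i in range(1, 21)] + \
               [Flow("10.0.0.7", "10.0.1.1", 1500) for _ in range(3)]

def augment_flows(flows):
    aug = FlowAugmenter()
    return [aug.record(f) for f in flows]
```

The last record for 10.0.0.5 carries src_flow_count 20 against only 60 bytes per flow, a per-node view that a single flow record cannot express.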

Journal

ACM Transactions on Autonomous and Adaptive Systems (TAAS), Association for Computing Machinery

Published: Sep 20, 2016
