Time correlated anomaly detection based on inferences

Olabelurin, Abimbola, Kallos, Georgios, Xiang, Yang, Bloomfield, Robin, Veluru, Suresh and Rajarajan, Muttukrishnan 2013, Time correlated anomaly detection based on inferences, in ECIWS 2013 : Proceedings of the European Conference on Information Warfare and Security, Academic Conference and Publishing International Limited, [Jyvaskyla, Finland], pp. 351-360.


Title Time correlated anomaly detection based on inferences
Author(s) Olabelurin, Abimbola
Kallos, Georgios
Xiang, Yang
Bloomfield, Robin
Veluru, Suresh
Rajarajan, Muttukrishnan
Conference name Information Warfare and Security. European Conference (12th : 2013 : Jyvaskyla, Finland)
Conference location Jyvaskyla, Finland
Conference dates 11-12 Jul. 2013
Title of proceedings ECIWS 2013 : Proceedings of the European Conference on Information Warfare and Security
Editor(s) Kuusisto, Rauno
Kurkinen, Erkki
Publication date 2013
Conference series European Conference on Information Warfare and Security
Start page 351
End page 360
Total pages 10
Publisher Academic Conference and Publishing International Limited
Place of publication [Jyvaskyla, Finland]
Keyword(s) denial of service attack
exponential weighted moving average
intrusion detection system
time-correlated anomaly detection
time-series analysis
Summary Anomaly detection techniques find anomalous activity in a network by comparing traffic activity against a "normal" baseline. Although the approach has several advantages, including the detection of "zero-day" attacks, how a system's deviation from its "normal" behaviour is defined is an important question for reducing the number of false positives. This study proposes a novel multi-agent network-based framework known as Statistical model for Correlation and Detection (SCoDe), an anomaly detection framework that looks for time-correlated anomalies by leveraging the statistical properties of a large network, monitoring the rate of event occurrence based on event intensity. SCoDe is an instantaneous learning-based anomaly detector, shifting away from the conventional technique of having a training phase prior to detection; it acquires its training online using an improved extension of the Exponential Weighted Moving Average (EWMA) proposed in this study. SCoDe requires neither previous knowledge of the network traffic nor a reference window chosen by the network administrator as normal; instead it builds on the statistical properties of different attributes of the network traffic and correlates undesirable deviations in order to identify abnormal patterns. The approach is generic, as it can easily be modified to fit particular types of problems with a predefined attribute, and it is highly robust because of the proposed statistical approach. The framework targets attacks that increase the number of activities on the network server, such as Distributed Denial of Service (DDoS), flood and flash-crowd events. This paper provides a mathematical foundation for SCoDe and describes the specific implementation and testing of the approach on a network log file generated from the cyber range simulation experiment of the project's industrial partner.
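As an added illustration (not the paper's or the authors' code), the following Python sketch shows the mechanics the summary describes: per-window event counts for two traffic attributes (total requests and distinct sources), each tracked online by an EWMA baseline with no separate training phase, and a correlated alert raised only when both attributes deviate in the same window. The EWMA mean and variance update, the Poisson sigma floor, the freezing of the baseline on an alert, the 10 s window, the thresholds and the sample events are all assumptions of this example; the paper's own extended EWMA is not reproduced here.

```python
"""EWMA-based time-correlated rate anomaly detection over request events.

Added illustration, not the SCoDe implementation: it uses a standard EWMA
mean plus an EWMA variance estimate (a control-chart construction), whereas
the paper proposes its own extended EWMA, which is not reproduced here.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[float, str]  # (timestamp in seconds, source address)


def _background(windows: int) -> List[Event]:
    # Constructed background: five requests per 10 s window from five fixed hosts.
    return [(w * 10 + i * 2.0, f"10.0.0.{i + 1}") for w in range(windows) for i in range(5)]


# Constructed sample 1: background for windows 0-9, then 60 requests per window
# from 60 distinct sources in windows 10-12 (distributed flood / flash crowd).
DISTRIBUTED_BURST: List[Event] = _background(10) + [
    (w * 10 + i / 6.0, f"192.168.{i // 8}.{i % 8}") for w in range(10, 13) for i in range(60)
]

# Constructed sample 2: same background, then 60 requests per window from ONE
# source in windows 10-12 (single-source flood).
SINGLE_SOURCE_BURST: List[Event] = _background(10) + [
    (w * 10 + i / 6.0, "203.0.113.7") for w in range(10, 13) for i in range(60)
]


class EwmaRateDetector:
    """Online baseline of one per-window count: no training phase, the first
    observation seeds the mean and every later window is scored before it is
    folded into the baseline."""

    def __init__(self, alpha: float = 0.2, k: float = 3.0, warmup: int = 3):
        self.alpha = alpha      # weight of the newest window (assumed value)
        self.k = k              # alert threshold in sigma units (assumed value)
        self.warmup = warmup    # windows observed before alerts are raised
        self.mean = None
        self.var = 0.0
        self.seen = 0

    def update(self, x: float) -> bool:
        """Return True if x exceeds mean + k*sigma; otherwise fold x in."""
        self.seen += 1
        if self.mean is None:
            self.mean = x
            return False
        # Floor sigma at the Poisson noise of the current rate (assumption:
        # counts are at least Poisson-noisy), so a perfectly flat history
        # does not turn every small wobble into an alert.
        sigma = max(math.sqrt(self.var), math.sqrt(max(self.mean, 1.0)))
        if self.seen > self.warmup and x > self.mean + self.k * sigma:
            # Freeze the baseline on an alert so the attack does not become
            # "normal" within a few windows. Caveat: a slow ramp that stays
            # under the threshold still trains the baseline upward.
            return True
        diff = x - self.mean
        incr = self.alpha * diff
        self.mean += incr
        self.var = (1.0 - self.alpha) * (self.var + diff * incr)
        return False


def window_features(events: List[Event], window_s: float) -> List[Dict[str, float]]:
    """Bucket events into fixed windows; per window report total requests and
    distinct sources, two attributes whose deviations can be correlated."""
    buckets: Dict[int, List[str]] = defaultdict(list)
    for ts, src in events:
        buckets[int(ts // window_s)].append(src)
    last = max(buckets) if buckets else -1
    return [
        {"requests": float(len(buckets.get(w, []))),
         "sources": float(len(set(buckets.get(w, []))))}
        for w in range(last + 1)
    ]


def detect(events: List[Event], window_s: float = 10.0) -> Dict[str, List[int]]:
    """Run one EWMA detector per attribute; report the windows in which each
    attribute deviates and the windows in which all attributes deviate at once."""
    detectors = {name: EwmaRateDetector() for name in ("requests", "sources")}
    hits: Dict[str, List[int]] = {name: [] for name in detectors}
    hits["correlated"] = []
    for w, feats in enumerate(window_features(events, window_s)):
        flags = {name: det.update(feats[name]) for name, det in detectors.items()}
        for name, flag in flags.items():
            if flag:
                hits[name].append(w)
        if all(flags.values()):
            hits["correlated"].append(w)
    return hits


if __name__ == "__main__":
    print("distributed burst:", detect(DISTRIBUTED_BURST))
    print("single-source burst:", detect(SINGLE_SOURCE_BURST))
```

On the distributed burst both attributes deviate in windows 10 to 12, so those windows are reported as correlated; on the single-source burst only the request count deviates, which is the distinction between a flood from one host and a distributed flood or flash crowd that the per-attribute correlation makes visible. Freezing the baseline on an alert keeps the attack from poisoning the estimate, but it does not defend against an attacker who ramps up slowly enough to stay under the threshold on every window.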
ISBN 1909507342
9781909507340
ISSN 2048-8610
2048-8602
Language eng
Field of Research 080503 Networking and Communications
080501 Distributed and Grid Systems
Socio Economic Objective 890103 Mobile Data Networks and Services
HERDC Research category E1 Full written paper - refereed
Copyright notice ©2013, ECIWS
Persistent URL http://hdl.handle.net/10536/DRO/DU:30061635

Document type: Conference Paper
Collection: School of Information Technology
Unless expressly stated otherwise, the copyright for items in DRO is owned by the author, with all rights reserved.

Created: Tue, 18 Mar 2014, 08:27:56 EST

Every reasonable effort has been made to ensure that permission has been obtained for items included in DRO. If you believe that your rights have been infringed by this repository, please contact drosupport@deakin.edu.au.