A Survey of Anomaly Detection Methods in Networks: Weiyu Zhang, Qingbo Yang, Yushui Geng
Authorized licensed use limited to: UNIVERSIDAD VERACRUZANA. Downloaded on July 01,2021 at 00:20:10 UTC from IEEE Xplore. Restrictions apply.
Typical datasets for intrusion detection are very large and multidimensional. To tackle the problem of high-dimensional datasets, researchers have developed a dimensionality reduction technique known as principal component analysis (PCA). PCA is a technique in which n correlated random variables are transformed into d < n uncorrelated variables. The uncorrelated variables are linear combinations of the original variables and can be used to express the data in a reduced form. Shyu et al. [11] proposed an anomaly detection scheme in which PCA was used as an outlier detection method: it was applied to reduce the dimensionality of the audit data and to arrive at a classifier that is a function of the principal components.

Mahoney et al. [12–14] presented several methods that address the problem of detecting anomalies in the usage of network protocols by inspecting packet headers. The common denominator of all of them is the systematic application of learning techniques to automatically obtain profiles of normal behavior for protocols at different layers. Packet Header Anomaly Detector (PHAD) [12], LEarning Rules for Anomaly Detection (LERAD) [13] and Application Layer Anomaly Detector (ALAD) [14] use time-based models in which the probability of an event depends on the time. For each attribute, they collect a set of allowed values and flag novel values as anomalous. PHAD, ALAD, and LERAD differ in the attributes that they monitor. PHAD monitors 33 attributes from the Ethernet, IP and transport-layer packet headers. ALAD models incoming server TCP requests: source and destination IP addresses and ports, opening and closing TCP flags, and the list of commands in the application payload. Depending on the attribute, it builds separate models for each target host, port number (service), or host/port combination. LERAD also models TCP connections. The authors break down the multivariate problem into a set of univariate problems and sum the weighted results from range matching along each dimension. The advantage of this approach is that it makes the technique more computationally efficient and effective at detecting network intrusions.

D. Anomaly detection using finite state machines

A finite state machine (FSM) is a model of behavior composed of states, transitions and actions. In this model, a state stores information about the past; a transition indicates a state change and is described by a condition that must be fulfilled to enable the transition; an action is a description of an activity that is to be performed at a given moment.

The finite state machine has been used to detect attacks on the DSR protocol in [15]. First, an algorithm for selecting monitors for the distributed monitoring of all nodes in the network was proposed, and then the correct behaviors of the nodes according to DSR were manually abstracted. This method has the advantage of detecting intrusions without the need for training data or signatures; unknown intrusions can also be detected with few false alarms. As a result, a distributed network monitor architecture which traces the data flow on each node by means of a finite state machine was proposed. In Ref. [16], Sekar et al. present a specification-based model as well as a prototype with excellent detection performance. The model proposed by the authors consists of developing protocol specifications using Extended Finite State Automata (EFSA).

IV. CONCLUSIONS

Networks are becoming increasingly complex at the same time that security concerns do not cease to grow and require more and more attention. Hence, there is a strong need for anomaly detection as a frontline security research area for network security. In order to give a clear vision of the use of this technique, we present in this paper a classified survey of the methods that are used for anomaly detection in networks. We believe that deeper knowledge is required before this technology achieves solid maturity.

REFERENCES

[1] H. S. Javitz and A. Valdes, The SRI Statistical Anomaly Detector, in: Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy, May 1991.
[2] D. E. Denning, An Intrusion Detection Model, IEEE Transactions on Software Engineering, SE-13, pp. 222–232, 1987.
[3] S. E. Smaha, Haystack: An intrusion detection system, in: Proceedings of the IEEE Fourth Aerospace Computer Security Applications Conference, Orlando, FL, 1988, pp. 37–44.
[4] S. Staniford, J. A. Hoagland, J. M. McAlerney, Practical automated detection of stealthy portscans, Journal of Computer Security 10, 2002, pp. 105–136.
[5] H. H. Hosmer, Security is fuzzy!: applying the fuzzy logic paradigm to the multipolicy paradigm, in: Proceedings of the 1992–1993 Workshop on New Security Paradigms, Little Compton, RI, United States, 1993.
[6] J. E. Dickerson, J. A. Dickerson, Fuzzy network profiling for intrusion detection, in: Proceedings of the 19th International Conference of the North American Fuzzy Information Processing Society (NAFIPS), Atlanta, GA, 2000, pp. 301–306.
[7] M. Crosbie, G. Spafford, Applying genetic programming to intrusion detection, in: Working Notes for the AAAI Symposium on Genetic Programming, Cambridge, MA, 1995, pp. 1–8.
[8] D. Heckerman, A Tutorial on Learning With Bayesian Networks, Microsoft Research, Technical Report MSR-TR-95-06, March 1995.
[9] A. Valdes, K. Skinner, Adaptive model-based monitoring for cyber attack detection, in: Recent Advances in Intrusion Detection, Toulouse, France, 2000, pp. 80–92.
[10] C. Kruegel, D. Mutz, W. Robertson, F. Valeur, Bayesian event classification for intrusion detection, in: Proceedings of the 19th Annual Computer Security Applications Conference, Las Vegas, NV, 2003.
[11] M.-L. Shyu, S.-C. Chen, K. Sarinnapakorn, L. Chang, A novel anomaly detection scheme based on principal component classifier, in: Proceedings of the IEEE Foundations and New Directions of Data Mining Workshop, Melbourne, FL, USA, 2003, pp. 172–179.
[12] M. V. Mahoney, P. K. Chan, PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic, Department of Computer Sciences, Florida Institute of Technology, Melbourne, FL, USA, Technical Report CS-2001-4, April 2001.
[13] M. V. Mahoney, P. K. Chan, Learning Models of Network Traffic for Detecting Novel Attacks, Computer Science Department, Florida Institute of Technology, Technical Report CS-2002-8, August 2002.
[14] M. V. Mahoney, P. K. Chan, Learning nonstationary models of normal network traffic for detecting novel attacks, in: Proceedings of the Eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Edmonton, Canada, 2002, pp. 376–385.
[15] P. Yi, Y. Jiang, Y. Zhong, and S. Zhang, Distributed Intrusion Detection for Mobile Ad hoc Networks, in: Proceedings of the 2005 Symposium on Applications and the Internet Workshops (SAINTW'05), pp. 94–97.
[16] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, S. Zhou, Specification-based anomaly detection: a new approach for detecting network intrusions, in: Proceedings of the Ninth ACM Conference on Computer and Communications Security, Washington, DC, USA, November 18–22, 2002, pp. 265–274.
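The PCA-based outlier scheme discussed above (Shyu et al. [11]) can be illustrated with the following added example, which is not code from the survey or from [11]: normal flow records are standardised, the leading principal components are extracted by power iteration, and a record is scored by its residual distance from the subspace those components span. The flow records, the attribute names and the threshold rule (the largest residual seen in training) are all constructed for this example.

```python
import math
# Constructed "normal" flow records (packets, bytes, duration_ms); the three
# attributes are strongly correlated, so one principal component explains them.
NORMAL_FLOWS = [(10, 1000, 100), (12, 1230, 115), (8, 790, 82), (15, 1510, 148), (11, 1090, 112),
                (9, 910, 88), (14, 1400, 139), (13, 1320, 131), (7, 690, 70), (16, 1600, 162)]

def zscore_params(rows):
    n, d = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(d)]
    sd = [math.sqrt(sum((r[j] - mu[j]) ** 2 for r in rows) / (n - 1)) or 1.0
          for j in range(d)]
    return mu, sd

def standardise(row, mu, sd):
    return [(row[j] - mu[j]) / sd[j] for j in range(len(row))]

def principal_components(rows, k, iters=300):
    """Top-k unit eigenvectors of the covariance of rows (power iteration + deflation)."""
    n, d = len(rows), len(rows[0])
    cov = [[sum(r[i] * r[j] for r in rows) / (n - 1) for j in range(d)] for i in range(d)]
    comps = []
    for _ in range(k):
        v = [1.0] * d
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * cov[i][j] * v[j] for i in range(d) for j in range(d))
        comps.append(v)
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return comps

def residual(z, comps):
    """Distance from z to its projection onto the retained components."""
    d = len(z)
    coords = [sum(z[i] * v[i] for i in range(d)) for v in comps]
    recon = [sum(c * v[i] for c, v in zip(coords, comps)) for i in range(d)]
    return math.sqrt(sum((z[i] - recon[i]) ** 2 for i in range(d)))

class PCADetector:
    """Fit on normal records; a record is anomalous if its residual exceeds the training maximum."""
    def __init__(self, rows, k=1):
        self.mu, self.sd = zscore_params(rows)
        zs = [standardise(r, self.mu, self.sd) for r in rows]
        self.comps = principal_components(zs, k)
        self.threshold = max(residual(z, self.comps) for z in zs)
    def score(self, row):
        return residual(standardise(row, self.mu, self.sd), self.comps)
    def is_anomalous(self, row):
        return self.score(row) > self.threshold
```

A flow such as (10, 50000, 100), whose byte count is far out of proportion to its packet count, leaves the one-dimensional subspace of the normal data and gets a residual two orders of magnitude above the training maximum.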
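The per-attribute novelty models of PHAD, ALAD and LERAD described above can be shown in code; the following is an added example, not code from Mahoney et al. [12–14]. Each header attribute keeps the set of values seen in training, and a value outside that set is scored t·n/r (time since the attribute's last novelty, times observations over distinct values), which is the weighting used in the PHAD report and is assumed here since the survey only describes the time-based model in words. The attribute names, training packets and timestamps are constructed.

```python
# Constructed training packets: (timestamp_s, header attributes). Each attribute
# is something a PHAD-style model would read from Ethernet/IP/TCP headers.
ATTRIBUTES = ["eth_type", "ip_proto", "ip_ttl", "dst_port"]
TRAINING = [
    (1, {"eth_type": 0x0800, "ip_proto": 6, "ip_ttl": 64, "dst_port": 80}),
    (2, {"eth_type": 0x0800, "ip_proto": 6, "ip_ttl": 64, "dst_port": 443}),
    (3, {"eth_type": 0x0800, "ip_proto": 17, "ip_ttl": 128, "dst_port": 53}),
    (4, {"eth_type": 0x0800, "ip_proto": 6, "ip_ttl": 64, "dst_port": 80}),
    (5, {"eth_type": 0x0800, "ip_proto": 17, "ip_ttl": 128, "dst_port": 53}),
    (6, {"eth_type": 0x0800, "ip_proto": 6, "ip_ttl": 64, "dst_port": 443}),
]

class AttributeModel:
    """Allowed values for one header attribute plus the counters PHAD keeps:
    n observations, r novelties (distinct values) and the time of the last novelty."""
    def __init__(self):
        self.values, self.n, self.r, self.last_novel = set(), 0, 0, 0.0
    def train(self, value, ts):
        self.n += 1
        if value not in self.values:
            self.values.add(value)
            self.r += 1
            self.last_novel = ts
    def score(self, value, ts):
        """0 for an allowed value; otherwise t*n/r with t the time since the last
        novelty, so a long-stable, rarely novel attribute scores highest."""
        if value in self.values:
            return 0.0
        t = ts - self.last_novel
        self.last_novel = ts
        return t * self.n / max(self.r, 1)

class HeaderAnomalyDetector:
    def __init__(self, attributes):
        self.models = {a: AttributeModel() for a in attributes}
    def train(self, ts, header):
        for a, m in self.models.items():
            m.train(header[a], ts)
    def score(self, ts, header):
        """Total score plus the attributes whose value was never seen in training."""
        per_attr = {a: m.score(header[a], ts) for a, m in self.models.items()}
        return sum(per_attr.values()), [a for a, s in per_attr.items() if s > 0]

def build_detector():
    det = HeaderAnomalyDetector(ATTRIBUTES)
    for ts, header in TRAINING:
        det.train(ts, header)
    return det
```

A packet at time 100 with IP protocol 47 and TTL 255 is flagged on exactly those two attributes; with n = 6, r = 2 and t = 97 each contributes 291, so the packet scores 582 while a packet of known values scores 0.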
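The specification-based approach of section D (a protocol's correct behaviour written as a state machine, with any packet that matches no transition reported as an anomaly) is illustrated by the following added example, which is not the EFSA model of Sekar et al. [16] nor the DSR monitor of [15]. The transition table is a constructed, deliberately simplified passive-open TCP specification, and the packet trace is constructed; a violating packet is reported and leaves the connection state unchanged.

```python
from collections import namedtuple
# conn: connection key; direction: "c2s" or "s2c"; flags: frozenset of TCP flag names
Packet = namedtuple("Packet", "conn direction flags")

# Constructed, simplified specification of a passive-open TCP connection:
# (state, direction, flags) -> next state. Anything not listed is out of spec.
SPEC = {
    ("CLOSED", "c2s", frozenset({"SYN"})): "SYN_RCVD",
    ("SYN_RCVD", "s2c", frozenset({"SYN", "ACK"})): "SYN_ACK_SENT",
    ("SYN_ACK_SENT", "c2s", frozenset({"ACK"})): "ESTABLISHED",
    ("ESTABLISHED", "c2s", frozenset({"ACK"})): "ESTABLISHED",
    ("ESTABLISHED", "s2c", frozenset({"ACK"})): "ESTABLISHED",
    ("ESTABLISHED", "c2s", frozenset({"PSH", "ACK"})): "ESTABLISHED",
    ("ESTABLISHED", "s2c", frozenset({"PSH", "ACK"})): "ESTABLISHED",
    ("ESTABLISHED", "c2s", frozenset({"FIN", "ACK"})): "FIN_WAIT",
    ("FIN_WAIT", "s2c", frozenset({"FIN", "ACK"})): "LAST_ACK",
    ("LAST_ACK", "c2s", frozenset({"ACK"})): "CLOSED",
}

def step(state, pkt):
    """Apply one packet to the specification; returns (next_state, in_spec)."""
    if "RST" in pkt.flags:  # a reset aborts the connection from any state
        return "CLOSED", True
    nxt = SPEC.get((state, pkt.direction, pkt.flags))
    return (nxt, True) if nxt is not None else (state, False)

def monitor(packets):
    """Track each connection's state; report packets the specification does not allow."""
    states, violations = {}, []
    for i, pkt in enumerate(packets):
        state = states.get(pkt.conn, "CLOSED")
        states[pkt.conn], ok = step(state, pkt)
        if not ok:
            violations.append((i, pkt.conn, state, pkt.direction, sorted(pkt.flags)))
    return violations

# Constructed trace: connection A is a clean handshake, data and teardown; packet 4
# carries data on connection B with no handshake, packet 6 is a SYN on established A.
TRACE = [
    Packet("A", "c2s", frozenset({"SYN"})),
    Packet("A", "s2c", frozenset({"SYN", "ACK"})),
    Packet("A", "c2s", frozenset({"ACK"})),
    Packet("A", "c2s", frozenset({"PSH", "ACK"})),
    Packet("B", "c2s", frozenset({"PSH", "ACK"})),
    Packet("A", "s2c", frozenset({"PSH", "ACK"})),
    Packet("A", "c2s", frozenset({"SYN"})),
    Packet("A", "c2s", frozenset({"FIN", "ACK"})),
    Packet("A", "s2c", frozenset({"FIN", "ACK"})),
    Packet("A", "c2s", frozenset({"ACK"})),
]
```

Running `monitor(TRACE)` reports packets 4 and 6 with the state each was seen in, and nothing else; no training data or signatures are involved, only the specification.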