Unsupervised ensemble anomaly detection through time-periodical packet sampling

Shuichi Nawata, Masato Uchida, Yu Gu, Masato Tsuru, Yuji Oie

Research output: Conference contribution (Chapter in Book/Report/Conference proceeding)

7 Citations (Scopus)

Abstract

We propose an anomaly detection method that trains a baseline model describing the normal behavior of network traffic without using manually labeled traffic data. The trained baseline model is used as the basis for comparison with the audited network traffic. The proposed method can be carried out in an unsupervised manner by using time-periodical packet sampling for a purpose other than the one for which it was intended. That is, we take advantage of the lossy nature of packet sampling to extract normal packets from the unlabeled original traffic data. Using real traffic traces, we show that the proposed method is comparable, in terms of false positive and false negative rates when detecting anomalies in TCP SYN packets, to the conventional method that requires manually labeled traffic data to train the baseline model. In addition, in order to mitigate the possible performance variation due to the probabilistic nature of sampled traffic data, we devise an ensemble anomaly detection method that exploits multiple baseline models in parallel. Experimental results show that the proposed ensemble anomaly detection performs well and is not affected by the variability of time-periodical packet sampling.

Original language: English
Title of host publication: INFOCOM 2010 - IEEE Conference on Computer Communications Workshops
DOIs: 10.1109/INFCOMW.2010.5466662
Publication status: Published - 2010
Externally published: Yes
Event: IEEE Conference on Computer Communications Workshops, INFOCOM 2010 - San Diego, CA, United States
Duration: 2010 Mar 15 to 2010 Mar 19

Other

Other: IEEE Conference on Computer Communications Workshops, INFOCOM 2010
Country: United States
City: San Diego, CA
Period: 10/3/15 to 10/3/19


ASJC Scopus subject areas

  • Computer Science(all)
  • Electrical and Electronic Engineering

Cite this

Nawata, S., Uchida, M., Gu, Y., Tsuru, M., & Oie, Y. (2010). Unsupervised ensemble anomaly detection through time-periodical packet sampling. In INFOCOM 2010 - IEEE Conference on Computer Communications Workshops [5466662] https://doi.org/10.1109/INFCOMW.2010.5466662

@inproceedings{8a7c624c203c4f989e96e3f927d4dfcc,
title = "Unsupervised ensemble anomaly detection through time-periodical packet sampling",
abstract = "We propose an anomaly detection method that trains a baseline model describing the normal behavior of network traffic without using manually labeled traffic data. The trained baseline model is used as the basis for comparison with the audit network traffic. The proposed method can be carried out in an unsupervised manner through the use of time-periodical packet sampling for a different purpose from which it was intended. That is, we take advantage of the lossy nature of packet sampling for the purpose of extracting normal packets from the unlabeled original traffic data. By using real traffic traces, we show that the proposed method is comparable in terms of false positive and false negative rates on detecting anomalies regarding TCP SYN packets to the conventional method that requires manually labeled traffic data to train the baseline model. In addition, in order to mitigate the possible performance variation due to probabilistic nature of sampled traffic data, we devise an ensemble anomaly detection method that exploits multiple baseline models in parallel. Experimental results show that the proposed ensemble anomaly detection performs well and is not affected by the variability of time-periodical packet sampling.",
author = "Shuichi Nawata and Masato Uchida and Yu Gu and Masato Tsuru and Yuji Oie",
year = "2010",
doi = "10.1109/INFCOMW.2010.5466662",
language = "English",
isbn = "9781424467396",
booktitle = "INFOCOM 2010 - IEEE Conference on Computer Communications Workshops",

}
