
Detecting Attacks in Network Traffic Using Normality Models: The Cellwise Estimator

Conference paper, Foundations and Practice of Security (FPS 2021)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13291)


Abstract

Although machine learning (ML) for intrusion detection is attracting research, its deployment in practice has proven difficult. Major hindrances are that training a classifier requires training data with attack samples, and that trained models are bound to a specific network.

To overcome these problems, we propose two new methods for anomaly-based intrusion detection. Both are trained on normal-only data, making deployment much easier. The first approach is based on One-class SVMs, while the second leverages our novel Cellwise Estimator algorithm, which is based on multidimensional OLAP cubes. The latter has the additional benefit of explainable output, in contrast to many ML methods like neural networks. The created models capture the normal behavior of a network and are used to find anomalies that point to attacks. We present a thorough evaluation using benchmark data and a comparison to related approaches showing that our approach is competitive.
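The abstract's central idea is that a normality model is trained on normal-only data and anomalies are flagged with an explanation of which feature combination looks unusual. The following is an added illustration of that idea, not the paper's Cellwise Estimator (whose algorithm is not on this page) and not code from the authors: a toy normality model that counts occurrences of every cell (a combination of values over a subset of feature dimensions, in the spirit of the cube group-bys the abstract mentions) in constructed sample traffic, then scores a new connection by the least-supported cell it falls into. The dimension names, record format, sample flows and the `min_support` threshold are all assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample of normal-only training records (hypothetical, not real traffic).
DIMS = ("proto", "dport", "service")
NORMAL_FLOWS = (
    [{"proto": "tcp", "dport": 443, "service": "https"}] * 5
    + [{"proto": "tcp", "dport": 80, "service": "http"}] * 3
    + [{"proto": "udp", "dport": 53, "service": "dns"}] * 2
)


def train_normality_model(flows, dims=DIMS):
    """Count how often each cell occurs in normal traffic.

    A cell is a tuple of values over one subset of the dimensions; every
    non-empty subset is aggregated, like a cube of group-bys. Only normal
    records are needed, so no attack samples are required for training."""
    cells = {}
    for size in range(1, len(dims) + 1):
        for subset in combinations(dims, size):
            cells[subset] = Counter(tuple(f[d] for d in subset) for f in flows)
    return {"cells": cells, "n": len(flows)}


def score_flow(model, flow, min_support=0.05):
    """Return (is_anomaly, support, explanation) for one connection record.

    Cells are checked from the smallest subset to the largest (dict insertion
    order from training), so the explanation is the smallest feature
    combination the model has never seen, or, if every combination was seen,
    the least-supported one. Support is the fraction of training records in
    the cell; a never-seen cell is anomalous regardless of the threshold."""
    n = model["n"]
    lowest, lowest_cell = 1.0, None
    for subset, counter in model["cells"].items():
        key = tuple(flow[d] for d in subset)
        support = counter.get(key, 0) / n
        if support == 0:
            return True, 0.0, dict(zip(subset, key))
        if support < lowest:
            lowest, lowest_cell = support, dict(zip(subset, key))
    return lowest < min_support, lowest, lowest_cell


if __name__ == "__main__":
    model = train_normality_model(NORMAL_FLOWS)
    for flow in (
        {"proto": "tcp", "dport": 443, "service": "https"},   # seen often: normal
        {"proto": "udp", "dport": 443, "service": "https"},   # each value seen, pair never seen
        {"proto": "tcp", "dport": 4444, "service": "unknown"},  # port never seen at all
    ):
        is_anomaly, support, why = score_flow(model, flow)
        print(f"{flow} -> anomaly={is_anomaly} support={support:.2f} because {why}")
```

The returned explanation is what makes this kind of model easier to act on than an opaque score: an analyst sees "udp with dport 443 was never observed" rather than a bare probability. A real deployment would need far more dimensions, binning of numeric fields, and a decay or re-training schedule so the model tracks legitimate changes in the network.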

The GLACIER project has been funded by the German Federal Ministry of Education and Research under grant no. 16KIS0950.




© 2022 Springer Nature Switzerland AG

About this paper


Cite this paper

Heine, F., Kleiner, C., Klostermeyer, P., Ahlers, V., Laue, T., Wellermann, N. (2022). Detecting Attacks in Network Traffic Using Normality Models: The Cellwise Estimator. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291. Springer, Cham. https://doi.org/10.1007/978-3-031-08147-7_18

  • DOI: https://doi.org/10.1007/978-3-031-08147-7_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-08146-0

  • Online ISBN: 978-3-031-08147-7
