Abstract
Although machine learning (ML) for intrusion detection is attracting research, its deployment in practice has proven difficult. Major hindrances are that training a classifier requires training data with attack samples, and that trained models are bound to a specific network.
To overcome these problems, we propose two new methods for anomaly-based intrusion detection. Both are trained on normal-only data, making deployment much easier. The first approach is based on One-class SVMs, while the second leverages our novel Cellwise Estimator algorithm, which is based on multidimensional OLAP cubes. The latter has the additional benefit of explainable output, in contrast to many ML methods like neural networks. The created models capture the normal behavior of a network and are used to find anomalies that point to attacks. We present a thorough evaluation using benchmark data and a comparison to related approaches showing that our approach is competitive.
The GLACIER project has been funded by the German Federal Ministry of Education and Research under grant no. 16KIS0950.
© 2022 Springer Nature Switzerland AG
Heine, F., Kleiner, C., Klostermeyer, P., Ahlers, V., Laue, T., Wellermann, N. (2022). Detecting Attacks in Network Traffic Using Normality Models: The Cellwise Estimator. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291. Springer, Cham. https://doi.org/10.1007/978-3-031-08147-7_18
DOI: https://doi.org/10.1007/978-3-031-08147-7_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08146-0
Online ISBN: 978-3-031-08147-7