"Forget" the Forget Gate: Estimating Anomalies in Videos using Self-contained Long Short-Term Memory Networks
Abnormal event detection is a challenging task that requires effectively handling intricate features of appearance and motion. In this paper, we present an approach to detecting anomalies in videos by learning a novel LSTM-based self-contained network on normal dense optical flow. Due to its sigmoid implementation, the forget gate of a standard LSTM is susceptible to overlooking and dismissing relevant content in long-sequence tasks like abnormality detection. The forget gate mitigates the participation of the previous hidden state in the computation of the cell state, prioritizing the current input. In addition, the hyperbolic tangent activation of standard LSTMs sacrifices performance when a network gets deeper. To tackle these two limitations, we introduce a bi-gated, light LSTM cell by discarding the forget gate and introducing sigmoid activation. Specifically, the LSTM architecture we come up with fully sustains content from the previous hidden state, thereby enabling the trained model to be robust and make context-independent decisions during evaluation. Removing the forget gate results in a simplified and undemanding LSTM cell with improved performance effectiveness and computational efficiency. Empirical evaluations show that the proposed bi-gated LSTM-based network outperforms various LSTM-based models, verifying its effectiveness for abnormality detection and generalization tasks on the CUHK Avenue and UCSD datasets.
Comment: 16 pages, 7 figures, Computer Graphics International (CGI) 202
On the Evaluation of Sequential Machine Learning for Network Intrusion Detection
Recent advances in deep learning have renewed research interest in machine learning for Network Intrusion Detection Systems (NIDS). Specifically, attention has been given to sequential learning models, due to their ability to extract the temporal characteristics of Network traffic Flows (NetFlows) and use them for NIDS tasks. However, applications of these sequential models often consist of transferring and adapting methodologies directly from other fields, without an in-depth investigation of how to leverage the specific circumstances of cybersecurity scenarios; moreover, there is a lack of comprehensive studies on sequential models that rely on NetFlow data, which presents significant advantages over traditional full packet captures. We tackle this problem in this paper. We propose a detailed methodology to extract temporal sequences of NetFlows that denote patterns of malicious activity. Then, we apply this methodology to compare the efficacy of sequential learning models against traditional static learning models. In particular, we perform a fair comparison of a 'sequential' Long Short-Term Memory (LSTM) network against a 'static' Feedforward Neural Network (FNN) in distinct environments represented by two well-known datasets for NIDS: CICIDS2017 and CTU13. Our results highlight that the LSTM achieves performance comparable to the FNN on CICIDS2017, with over 99.5% F1-score, while obtaining superior performance on CTU13, with 95.7% F1-score against 91.5%. This paper thus paves the way for future applications of sequential learning models for NIDS.
End-to-end anomaly detection in stream data
Nowadays, huge volumes of data are generated with increasing velocity through various systems, applications, and activities. This increases the demand for stream and time series analysis to react to changing conditions in real time, for enhanced efficiency and quality of service delivery as well as upgraded safety and security in the private and public sectors. Despite its very rich history, time series anomaly detection is still one of the vital topics in machine learning research and is receiving increasing attention. Identifying hidden patterns and selecting an appropriate model that fits the observed data well and also carries over to unobserved data is not a trivial task. Due to the increasing diversity of data sources and associated stochastic processes, this pivotal data analysis topic is loaded with challenges like complex latent patterns, concept drift, and overfitting that may mislead the model and cause a high false alarm rate. Handling these challenges leads advanced anomaly detection methods to develop sophisticated decision logic, which turns them into mysterious and inexplicable black boxes. Contrary to this trend, end users expect transparency and verifiability in order to trust a model and the outcomes it produces. Also, pointing users to the most anomalous/malicious regions of a time series and to the causal features could save them time, energy, and money. For these reasons, this thesis addresses the crucial challenges in an end-to-end pipeline of stream-based anomaly detection through three essential phases: behavior prediction, inference, and interpretation. The first step is focused on devising a time series model that leads to high average accuracy as well as small error deviation. On this basis, we propose higher-quality anomaly detection and scoring techniques that utilize the related contexts to reclassify the observations and post-prune unjustified events.
Last but not least, we make the predictive process transparent and verifiable by providing meaningful reasoning behind its generated results, based on concepts understandable by a human. The provided insight can pinpoint the anomalous regions of a time series and explain why the current status of a system has been flagged as anomalous. Stream-based anomaly detection research is a principal area of innovation to support our economy, security, and even the safety and health of societies worldwide. We believe our proposed analysis techniques can contribute to building a situational awareness platform and open new perspectives in a variety of domains like cybersecurity, and health
Keep the moving vehicle secure: context-aware intrusion detection system for in-vehicle CAN bus security.
The growth of information technologies has driven the development of the transportation sector, including connected and autonomous vehicles. Due to its communication capabilities, the controller area network (CAN) is the most widely used in-vehicle communication protocol. However, CAN lacks suitable security mechanisms such as message authentication and encryption. This makes the CAN bus vulnerable to numerous cyberattacks. Not only are these attacks a threat to information security and privacy, but they can also directly affect the safety of drivers, passengers and the surrounding environment of moving vehicles. This paper presents CAN-CID, a context-aware intrusion detection system (IDS) to detect cyberattacks on the CAN bus, which would be suitable for deployment in automobiles, including military vehicles, passenger cars and commercial vehicles, and in other CAN-based applications such as aerospace, industrial automation and medical equipment. CAN-CID is an ensemble model of a gated recurrent unit (GRU) network and a time-based model. The GRU network learns to predict the centre ID of a CAN ID sequence, and ID-based probabilistic thresholds are used to identify anomalous IDs, whereas the time-based model identifies anomalous IDs using time-based thresholds. The number of anomalies relative to the total number of IDs over an observation window is used to classify the window status as anomalous or benign. The proposed model uses only benign data for training and threshold estimation, avoiding the need to collect realistic attack data to train the algorithm. The performance of the CAN-CID model was tested against three datasets over a range of 16 attacks, including fabrication and more sophisticated masquerade attacks. The CAN-CID model achieved an F1-score of over 99% for 13 of those attacks and outperformed benchmark models from the literature for all attacks, with near real-time detection latency.
CBAM: A Contextual Model for Network Anomaly Detection
Anomaly-based intrusion detection methods aim to combat the increasing rate of zero-day attacks; however, their success is currently restricted to the detection of high-volume attacks using aggregated traffic features. Recent evaluations show that current anomaly-based network intrusion detection methods fail to reliably detect remote access attacks. These are smaller in volume and often only stand out when compared to their surroundings. Currently, anomaly methods try to detect access attack events mainly as point anomalies and neglect the context they appear in. We present and examine a contextual bidirectional anomaly model (CBAM) based on deep LSTM networks that is specifically designed to detect such attacks as contextual network anomalies. The model efficiently learns short-term sequential patterns in network flows as conditional event probabilities. Access attacks frequently break these patterns when exploiting vulnerabilities, and can thus be detected as contextual anomalies. We evaluated CBAM on an assembly of three datasets that together provide representative network access attacks, real-life traffic over a long timespan, and traffic from a real-world red-team exercise. We contend that this assembly is closer to a potential deployment environment than current NIDS benchmark datasets. We show that, by building a deep model, we are able to reduce the false positive rate to 0.16% while effectively detecting six out of seven access attacks; this false positive rate is significantly lower than the operational range of other methods. We further demonstrate that short-term flow structures remain stable over long periods of time, making CBAM robust against concept drift.
SHStream: Self-Healing Framework for HTTP Video-Streaming
HTTP video-streaming is the leading means of delivering video content over the Internet. This phenomenon is explained by the ubiquity of web browsers, the permeability of HTTP traffic and the recent video technologies around HTML5. However, the inclusion of multimedia requests imposes new requirements on web servers due to responses with lifespans that can reach dozens of minutes and timing requirements for data fragments transmitted during the response period. Consequently, web servers require real-time performance control to avoid playback outages caused by overloading and performance anomalies. We present SHStream, a self-healing framework for web servers delivering video-streaming content that provides (1) load admittance to avoid server overloading; (2) prediction of performance anomalies using online data stream learning algorithms; (3) continuous evaluation and selection of the best algorithm for prediction; and (4) proactive recovery by migrating the server to other hosts using container-based virtualization techniques. Evaluation of our framework using several variants of Hoeffding trees and ensemble algorithms showed that, with a small number of learning instances, it is possible to achieve approximately 98% recall and 99% precision for failure predictions. Additionally, proactive failover can be performed in less than 1 second.