9 research outputs found

    Using Self-Organizing Maps for Computer Network Intrusion Detection

    Anomaly detection in user access patterns using artificial neural networks is a novel way of combating the ever-present concern of computer network intrusion detection for many entities around the world. Anomaly detection is a technique in network security in which a profile is built around a user's normal daily actions. The data collected for these profiles can include the following: file access attempts; failed login attempts; file creations; file access failures; and countless others. This data is collected and used as training data for a neural network. There are many types of neural networks, such as multi-layer feed-forward networks; recurrent networks; support vector machines; and others. For our study, we implemented our own self-organizing map (SOM), which we found to be less heavily researched than other neural network approaches. Using the KDD Cup 99 dataset, we compared our own SOM implementation against other neural network implementations and determined the effectiveness of such an approach.

    Anomaly Detection and Explanation Discovery on Event Streams

    As enterprise information systems are collecting event streams from various sources, the ability of a system to automatically detect anomalous events and further provide human-readable explanations is of paramount importance. In this position paper, we argue for the need for a new type of data stream analytics that can address anomaly detection and explanation discovery in a single, integrated system, which not only offers increased business intelligence but also opens up opportunities for improved solutions. In particular, we propose a two-pass approach to building such a system, highlight the challenges, and offer initial directions for solutions.

    Survey on encode biometric data for transmission in wireless communication networks

    The aim of this research survey is to review an enhanced model, supported by artificial intelligence, for encoding biometric data for transmission in wireless communication networks. Such transmission can be tricky, as performance decreases with increasing size due to interference, especially if channels and network topology are not selected carefully beforehand. Additionally, network dissociations may occur easily if crucial links fail, as redundancy is neglected for signal transmission. Therefore, we present several algorithms and their implementations, which address this problem by finding a network topology and channel assignment that minimizes interference and thus allows a deployment to increase its throughput performance by utilizing more bandwidth in the local spectrum, reducing coverage as well as connectivity issues across multiple AI-based techniques. Our evaluation survey shows an increase in throughput performance of up to multiple times or more compared to a baseline scenario in which no optimization has taken place and only one channel is used for the whole network, when AI-based techniques are applied. Furthermore, our solution also provides robust signal transmission that tackles the issue of network partition for coverage and for single link failures by using an airborne wireless network. The highest end-to-end connectivity stands at a 10 Mbps data rate with a maximum propagation distance of several kilometers. Wireless network coverage is depicted for several signal transmission data rates; 10 Mbps has the fewest coverage issues at a moderate propagation distance when the enhanced model is used to encode biometric data for transmission in wireless communication.

    Spatiotemporal anomaly detection: streaming architecture and algorithms

    Includes bibliographical references. 2020 Summer.
    Anomaly detection is the science of identifying one or more rare or unexplainable samples or events in a dataset or data stream. The field of anomaly detection has been extensively studied by mathematicians, statisticians, economists, engineers, and computer scientists. One open research question remains the design of distributed cloud-based architectures and algorithms that can accurately identify anomalies in previously unseen, unlabeled, streaming, multivariate spatiotemporal data. With streaming data, time is of the essence, and insights are perishable. Real-world streaming spatiotemporal data originate from many sources, including mobile phones, supervisory control and data acquisition (SCADA) enabled devices, the internet of things (IoT), distributed sensor networks, and social media. Baseline experiments are performed on four (4) non-streaming, static, multivariate anomaly detection datasets using unsupervised offline traditional machine learning (TML) and unsupervised neural network techniques. Multiple architectures, including autoencoders, generative adversarial networks, convolutional networks, and recurrent networks, are adapted for experimentation. Extensive experimentation demonstrates that neural networks produce superior detection accuracy over TML techniques. These same neural network architectures can be extended to process unlabeled spatiotemporal streaming data using online learning. Space and time relationships are further exploited to provide additional insights and increased anomaly detection accuracy. A novel domain-independent architecture and set of algorithms called the Spatiotemporal Anomaly Detection Environment (STADE) is formulated. STADE is based on a federated learning architecture. STADE streaming algorithms are based on geographically unique, persistently executing neural networks using online stochastic gradient descent (SGD).
    STADE is designed to be pluggable, meaning that alternative algorithms may be substituted or combined to form an ensemble. STADE incorporates a Stream Anomaly Detector (SAD) and a Federated Anomaly Detector (FAD). The SAD executes at multiple locations on streaming data, while the FAD executes at a single server and identifies global patterns and relationships among the site anomalies. Each STADE site streams anomaly scores to the centralized FAD server for further spatiotemporal dependency analysis and logging. The FAD is based on recent advances in DNN-based federated learning. A STADE testbed is implemented to facilitate globally distributed experimentation using low-cost, commercial cloud infrastructure provided by Microsoft™. STADE testbed sites are situated in the cloud within each continent: Africa, Asia, Australia, Europe, North America, and South America. Communication occurs over the commercial internet. Three STADE case studies are investigated. The first case study processes commercial air traffic flows, the second processes global earthquake measurements, and the third processes social media (i.e., Twitter™) feeds. These case studies confirm that STADE is a viable architecture for the near-real-time identification of anomalies in streaming data originating from (possibly) computationally disadvantaged, geographically dispersed sites. Moreover, the addition of the FAD provides enhanced anomaly detection capability. Since STADE is domain-independent, these findings can be easily extended to additional application domains and use cases.

    Investigations into Anomaly Detection in Automotive Electronic Control Units Using Distributed Observers, with a Focus on the Plausibility Checking of Communication Signals

    The two prominent automotive trends, connectivity and highly automated driving, offer many opportunities but, especially in combination, also pose dangers. On the one hand, the vehicle is increasingly networked with its environment, which significantly enlarges the attack surface for unauthorized access. On the other hand, electronic control units (ECUs) are gaining control over safety-relevant functions. To keep the risk and the potential consequences of a successful attack as low as possible, protection should be applied at several levels. The focus of this thesis is on the innermost protection level, and specifically on monitoring vehicle-internal communication. For this purpose, academia and industry recommend, among other measures, the use of intrusion detection/intrusion prevention systems. The concept developed here takes up this proposal and, in its detailed design, accounts for ECU-specific constraints such as the comparatively static vehicle network and the limited resources. The result is a hybrid approach consisting of classical monitoring rules and self-learning algorithms. It is suitable not only for vehicle-internal communication but equally for ECU-internal information exchange, the interaction between application and basic software, and the monitoring of runtime and memory properties. The overarching goal is holistic ECU monitoring and thus improved protection in the sense of security. Deviations from the intended behavior, so-called anomalies, are however detected regardless of their cause, be it a deliberate attack or a malfunction. This approach can therefore also contribute to improving safety, especially when applications and algorithms that change or evolve during a vehicle's life cycle need to be protected.
    The second part of the thesis focuses on the plausibility checking of individual communication signals. Since their possible behavior is not formally described, self-learning methods are used for this purpose. Besides the analysis and selection of fundamentally suitable algorithms, performance evaluation is a central challenge. The anomalies to be detected are diverse, and as a rule only reference data of normal behavior is available in sufficient quantity. For this reason, different anomaly types are defined, which structure the synthesis of anomalies into normal data and thus allow an evaluation based on the detection rate. The evaluation results show that signal plausibility checking using artificial neural networks (autoencoders) is promising. Finally, the thesis therefore considers the challenges of realizing these on automotive ECUs and provides corresponding figures for the required runtime and memory consumption.