
    ANOMALY DETECTION IN IT AUDIT : The possibilities and potential in the domain of IT Audit

    IT Audit is dealing with a continuous increase in complexity and work. Regulations get stricter, while IT plays an increasingly more important role in companies. New technologies like anomaly detection can play a role in supporting IT Audit decisions. Anomaly detection has recently seen use in many domains, including financial audit, for example in fraud detection. Yet IT Audit does not make use of this technology as of now. This research looks at the possible roles that anomaly detection can play in this domain. This research starts by attempting to bring the existing literature on both domains closer together and then creating variables that influence successful anomaly detection implementation in IT Audit. Exploratory interviews led to different approaches to implementation. IT Audit currently works with random samples to offer reasonable assurance on a statistical basis. As anomaly detection requires more data than the samples can provide, the potential benefits and consequences of utilizing the entire data population in an audit are researched. As controls are unique to each client, IT Audit tasks have been grouped per common IT risk. For each risk, the potential of anomaly detection is determined based on four variables: the impact of erroneous instances going undetected, the time spent on the audit task, the frequency of the task, and the external pressure. Interviews with IT Audit professionals have been used to go through the IT risks with the highest potential, and determine the challenges. For each challenge, solutions have been discussed, as well as their feasibility. Two use-cases have been formulated based on the interviews. The first use-case aims to use anomaly detection to detect multiple change management risks, by looking at the full data population of changes at big clients working in standardized systems. The second use-case aims to discover SoD concerns and could be combined with financial audit data to discover fraud.
    Unsupervised deep learning methods are most likely to succeed. Prior research indicates deep autoencoder neural networks as a suitable method. The biggest challenges for implementation turned out to be in the current audit methodology, rather than development. The current sample approach is based on the notion that testing the full data population would not be possible while remaining within time and budget norms. New techniques, such as anomaly detection, might mean this notion is outdated, but the methods cannot be created and optimized due to the current restraints.

    Contextual Anomaly Detection in Big Sensor Data

    Performing predictive modelling, such as anomaly detection, in Big Data is a difficult task. This problem is compounded as more and more sources of Big Data are generated from environmental sensors, logging applications, and the Internet of Things. Further, most current techniques for anomaly detection only consider the content of the data source, i.e. the data itself, without concern for the context of the data. As data becomes more complex it is increasingly important to bias anomaly detection techniques for the context, whether it is spatial, temporal, or semantic. The work proposed in this paper outlines a contextual anomaly detection technique for use in streaming sensor networks. The technique uses a well-defined content anomaly detection algorithm for real-time point anomaly detection. Additionally, we present a post-processing context-aware anomaly detection algorithm based on sensor profiles, which are groups of contextually similar sensors generated by a multivariate clustering algorithm. Our proposed research has been implemented and evaluated with real-world data provided by Powersmiths, located in Brampton, Ontario, Canada.

    Integrating State-of-the-Art Approaches for Anomaly Detection and Localization in the Continual Learning Setting

    The significant attention surrounding the application of anomaly detection (AD) in identifying defects within industrial environments using only normal samples has prompted research and development in this area. However, traditional AD methods have been primarily focused on the current set of examples, resulting in a limitation known as catastrophic forgetting when encountering new tasks. The inflexibility of these methods and the challenges posed by real-world industrial scenarios necessitate the urgent enhancement of the adaptive capabilities of AD models. Therefore, this thesis presents an integrated framework that combines the concepts of continual learning (CL) and anomaly detection (AD) to achieve the objective of anomaly detection in continual learning (ADCL). To evaluate the efficacy of the framework, a thorough comparative analysis is conducted to assess the performance of three specific methods for the AD task: the EfficientAD, Patch Distribution Modeling Framework (PaDiM) and the Discriminatively Trained Reconstruction Anomaly Embedding Model (DRAEM). Moreover, the framework incorporates the use of replay techniques to enable continual learning (CL). In order to determine the superior technique, a comprehensive evaluation is carried out using diverse metrics that measure the relative performance of each method. To validate the proposed approach, a robust real-world dataset called MVTec AD is employed, consisting of images with pixel-based anomalies. This dataset serves as a reliable benchmark for Anomaly Detection in the context of Continual Learning, offering a solid foundation for further advancements in this field of study.

    Survey of Current Network Intrusion Detection Techniques

    The significance of network security has grown enormously and a number of devices have been introduced to perk up the security of a network. NIDS is a retrofit approach for providing a sense of security in existing computers and data networks, while allowing them to operate in their current open mode. The goal of a network intrusion detection system is to identify, preferably in real time, unauthorized use, misuse and abuse of computer systems by insiders as well as from outside perpetrators. This paper presents a nomenclature of intrusion detection systems that is used to do a survey and identify a number of research prototypes.
    Keywords: Security, Intrusion Detection, Misuse and Anomaly Detection, Pattern Matching

    Revisiting anomaly-based network intrusion detection systems

    Intrusion detection systems (IDSs) are well-known and widely-deployed security tools to detect cyber-attacks and malicious activities in computer systems and networks. A signature-based IDS works similarly to anti-virus software. It employs a signature database of known attacks, and a successful match with current input raises an alert. A signature-based IDS cannot detect unknown attacks, either because the database is out of date or because no signature is available yet. To overcome this limitation, researchers have been developing anomaly-based IDSs. An anomaly-based IDS works by building a model of normal data/usage patterns during a training phase, then it compares new inputs to the model (using a similarity metric). A significant deviation is marked as an anomaly. An anomaly-based IDS is able to detect previously unknown, or modifications of well-known, attacks as soon as they take place (i.e., so called zero-day attacks) and targeted attacks. Cyber-attacks and breaches of information security appear to be increasing in frequency and impact. Signature-based IDSs are likely to miss an increasing number of attack attempts, as cyber-attacks diversify. Thus, one would expect a large number of anomaly-based IDSs to have been deployed to detect the newest disruptive attacks. However, most IDSs in use today are still signature-based, and few anomaly-based IDSs have been deployed in production environments. Up to now a signature-based IDS has been easier to implement and simpler to configure and maintain than an anomaly-based IDS, i.e., it is easier and less expensive to use. We see in these limitations the main reason why anomaly-based systems have not been widely deployed, despite research that has been conducted for more than a decade.
    To address these limitations we have developed SilentDefense, a comprehensive anomaly-based intrusion detection architecture that outperforms competitors not only in terms of attack detection and false alert rates, but it reduces the user effort as well. SilentDefense is the first systematic attempt to develop an anomaly-based intrusion detection system with a high degree of usability.

    A semi-supervised learning framework based on spatio-temporal semantic events for maritime anomaly detection and behavior analysis

    Detection of abnormal movements of mobile objects has recently received a lot of attention due to the increasing availability of movement data and their potential for ensuring security in many different contexts. As timely detection of these events is often important, most current approaches use automated data-driven approaches. While these approaches have proved to be effective in specific contexts, they are not easily accepted by operators in charge of surveillance due, among other reasons, to the lack of user involvement during the detection process. To improve the detection and analysis of maritime anomalies this paper explores the potential of spatial ontologies for modeling maritime operator knowledge. The goal of this research is to facilitate the integration of human knowledge by modeling it in the form of semantic rules to improve confidence and trust in the anomaly detection system.

    An Innovative Signature Detection System for Polymorphic and Monomorphic Internet Worms Detection and Containment

    Most current anti-worm systems and intrusion-detection systems use signature-based technology instead of anomaly-based technology. Signature-based technology can only detect known attacks with identified signatures. Existing anti-worm systems cannot detect unknown Internet scanning worms automatically because these systems do not depend upon worm behaviour but upon the worm's signature. Most detection algorithms used in current detection systems target only monomorphic worm payloads and offer no defence against polymorphic worms, which change the payload dynamically. Anomaly detection systems can detect unknown worms but usually suffer from a high false alarm rate. Detecting unknown worms is challenging, and the worm defence must be automated because worms spread quickly and can flood the Internet in a short time. This research proposes an accurate, robust and fast technique to detect and contain Internet worms (monomorphic and polymorphic). The detection technique uses specific failure connection statuses on specific protocols such as UDP, TCP, ICMP, TCP slow scanning and stealth scanning as characteristics of the worms, whereas the containment utilizes flags and labels of the segment header and the source and destination ports to generate the traffic signature of the worms. Experiments using eight different worms (monomorphic and polymorphic) in a testbed environment were conducted to verify the performance of the proposed technique. The experiment results showed that the proposed technique could detect stealth scanning up to 30 times faster than the technique proposed by another researcher and had no false-positive alarms for all scanning detection cases. The experiments showed the proposed technique was capable of containing the worm because of the traffic signature's uniqueness.