
    Network anomaly detection: a survey and comparative analysis of stochastic and deterministic methods

    7 pages; 1 more figure than the final CDC 2013 version. We present five methods for the problem of network anomaly detection. These methods cover most of the common techniques in the anomaly detection field, including Statistical Hypothesis Tests (SHT), Support Vector Machines (SVM) and clustering analysis. We evaluate all methods in a simulated network that consists of nominal data, three flow-level anomalies and one packet-level attack. Through analyzing the results, we point out the advantages and disadvantages of each method and conclude that combining the results of the individual methods can yield improved anomaly detection results.

    Near-Optimal Evasion of Convex-Inducing Classifiers

    Classifiers are often used to detect miscreant activities. We study how an adversary can efficiently query a classifier to elicit information that allows the adversary to evade detection at near-minimal cost. We generalize results of Lowd and Meek (2005) to convex-inducing classifiers. We present algorithms that construct undetected instances of near-minimal cost using only polynomially many queries in the dimension of the space and without reverse engineering the decision boundary. Comment: 8 pages; to appear at AISTATS'201

    A Comparison of Generalizability for Anomaly Detection

    In security-related areas there is concern over the novel “zero-day” attack that penetrates system defenses and wreaks havoc. The best methods for countering these threats are recognizing “non-self” as in an Artificial Immune System or recognizing “self” through clustering. For either case, the concern remains that something that looks similar to self could be missed. Given this situation one could logically assume that a tighter fit to self rather than generalizability is important for false positive reduction in this type of learning problem. This article shows that a tight fit, although important, does not supersede having some model generality. This is shown using three systems. The first two use sphere and ellipsoid clusters with a k-means algorithm modified to work on the one-class/blind classification problem. The third is based on wrapping the self points with a multidimensional convex hull (polytope) algorithm capable of learning disjunctive concepts via a thresholding constant. All three of these algorithms are tested on an intrusion detection problem and a steganalysis problem with results exceeding published results using an Artificial Immune System.

    EPASAD: Ellipsoid decision boundary based Process-Aware Stealthy Attack Detector

    Due to the importance of Critical Infrastructure (CI) in a nation's economy, CIs have been lucrative targets for cyber attackers. These critical infrastructures are usually Cyber-Physical Systems (CPS) such as power grids, water and sewage treatment facilities, oil and gas pipelines, etc. In recent times, these systems have suffered from cyber attacks numerous times. Researchers have been developing cyber security solutions for CIs to avoid lasting damages. According to standard frameworks, cyber security based on identification, protection, detection, response, and recovery is at the core of this research. Detection of an ongoing attack that escapes standard protection such as firewalls, anti-virus, and host/network intrusion detection has gained importance, as such attacks eventually affect the physical dynamics of the system. Therefore, anomaly detection in physical dynamics proves an effective means to implement defense-in-depth. PASAD is one example of anomaly detection in the sensor/actuator data representing such systems' physical dynamics. We present EPASAD, which improves the detection technique used in PASAD to detect micro-stealthy attacks that, as our experiments show, PASAD's spherical boundary-based detection fails to detect. Our method EPASAD overcomes this by using ellipsoid boundaries, thereby tightening the boundaries in various dimensions, whereas a spherical boundary treats all dimensions equally. We validate EPASAD using the dataset produced by the TE-process simulator and the C-town datasets. The results show that EPASAD improves PASAD's average recall by 5.8% and 9.5% for the two datasets, respectively. Comment: Submitte

    Magmatic Cu-Ni-PGE-Au sulfide mineralisation in alkaline igneous systems: An example from the Sron Garbh intrusion, Tyndrum, Scotland

    Magmatic sulfide deposits typically occur in ultramafic-mafic systems; however, mineralisation can occur in more intermediate and alkaline magmas. Sron Garbh is an appinite-diorite intrusion emplaced into Dalradian metasediments in the Tyndrum area of Scotland that hosts magmatic Cu-Ni-PGE-Au sulfide mineralisation in the appinitic portion. It is thus an example of magmatic sulfide mineralisation hosted by alkaline rocks, and is the most significantly mineralised appinitic intrusion known in the British Isles. The intrusion is irregularly shaped, with an appinite rim comprising amphibole cumulates classed as vogesites. The central portion of the intrusion is comprised of unmineralised, but pyrite-bearing, diorites. Both appinites and diorites have similar trace element geochemistry that suggests the diorite is a more fractionated differentiate of the appinite from a common source that can be classed with the high Ba-Sr intrusions of the Scottish Caledonides. Mineralisation is present as a disseminated, primary chalcopyrite-pyrite-PGM assemblage and a blebby, pyrite-chalcopyrite assemblage with significant Co-As-rich pyrite. Both assemblages contain minor millerite and Ni-Co-As-sulfides. The mineralisation is Cu-, PPGE-, and Au-rich and IPGE-poor, and the platinum group mineral assemblage is overwhelmingly dominated by Pd minerals; however, the bulk rock Pt/Pd ratio is around 0.8. Laser ablation analysis of the sulfides reveals that pyrite and the Ni-Co-sulfides are the primary host for Pt, which is present in solid solution in concentrations of up to 22 ppm in pyrite. Good correlations between all base and precious metals indicate very little hydrothermal remobilisation of metals despite some evidence of secondary pyrite and PGM. Sulfur isotope data indicate some crustal S in the magmatic sulfide assemblages. The source of this is unlikely to have been the local quartzites, but S-rich Dalradian sediments present at depth.
    The generation of magmatic Cu-Ni-PGE-Au mineralisation at Sron Garbh can be attributed to post-collisional slab drop-off that allowed hydrous, low-degree partial melting to take place, which produced a Cu-PPGE-Au-enriched melt that ascended through the crust, assimilating crustal S from the Dalradian sediments. The presence of a number of PGE-enriched sulfide occurrences in appinitic intrusions across the Scottish Caledonides indicates that the region contains certain features that make it more prospective than other alkaline provinces worldwide, which may be linked to the post-Caledonian slab drop-off event. We propose that the incongruent melting of pre-existing magmatic sulfides or ‘refertilised’ mantle in low-degree partial melts can produce characteristically fractionated, Cu-PPGE-Au-semi-metal-bearing, hydrous, alkali melts, which, if they undergo sulfide saturation, have the potential to produce alkaline-hosted magmatic sulfide deposits.

    The Importance of Generalizability to Anomaly Detection

    In security-related areas there is concern over novel “zero-day” attacks that penetrate system defenses and wreak havoc. The best methods for countering these threats are recognizing “non-self” as in an Artificial Immune System or recognizing “self” through clustering. For either case, the concern remains that something that appears similar to self could be missed. Given this situation, one could incorrectly assume that a preference for a tighter fit to self over generalizability is important for false positive reduction in this type of learning problem. This article confirms that in anomaly detection, as in other forms of classification, a tight fit, although important, does not supersede model generality. This is shown using three systems, each with a different geometric bias in the decision space. The first two use spherical and ellipsoid clusters with a k-means algorithm modified to work on the one-class/blind classification problem. The third is based on wrapping the self points with a multidimensional convex hull (polytope) algorithm capable of learning disjunctive concepts via a thresholding constant. All three of these algorithms are tested using the Voting dataset from the UCI Machine Learning Repository, the MIT Lincoln Labs intrusion detection dataset, and the lossy-compressed steganalysis domain.

    On the ongoing multiple blowout in NGC 604

    Several facts regarding the structure of NGC 604 are examined here. The three main cavities, produced by the mechanical energy from massive stars which in NGC 604 are spread over a volume of 10^6 pc^3, are shown here to be undergoing blowout into the halo of M33. High resolution long slit spectroscopy is used to track the impact from massive stars, while HST archive data are used to display the asymmetry of the nebula. NGC 604 is found to be a collection of photoionized filaments and sections of shells in direct contact with the thermalized matter ejected by massive stars. The multiple blowout events presently drain the energy injected by massive stars, and thus the densest photoionized gas is found almost at rest and is expected to suffer a slow evolution. Comment: 15 pages (11 text), 4 figures. To be published in Ap

    A survey of outlier detection methodologies

    Outlier detection has been used for centuries to detect and, where appropriate, remove anomalous observations from data. Outliers arise due to mechanical faults, changes in system behaviour, fraudulent behaviour, human error, instrument error or simply through natural deviations in populations. Their detection can identify system faults and fraud before they escalate with potentially catastrophic consequences. It can identify errors and remove their contaminating effect on the data set and as such purify the data for processing. The original outlier detection methods were arbitrary, but now principled and systematic techniques are used, drawn from the full gamut of Computer Science and Statistics. In this paper, we introduce a survey of contemporary techniques for outlier detection. We identify their respective motivations and distinguish their advantages and disadvantages in a comparative review.

    Integrated multi-scale methods for modeling the deformation field of volcanic sources

    The modeling of volcanic deformation sources represents a crucial task for investigating and monitoring the activity of magmatic systems. In this framework, inverse methods are the most widely used approach to image deforming volcanic bodies under the assumptions of elasticity theory. However, several issues affect the inverse modeling and the interpretation of the ground deformation phenomena, such as the inherent ambiguity, the theoretical ambiguity and the related choice of the forward problem. Despite assuming appropriate a priori information and constraints, we are led to an ambiguous estimate of the physical and geometrical parameters of volcanic bodies and, in turn, to an unreliable analysis of the hazard evaluation and risk assessment. In this scenario, we propose a new approach for the interpretation of the large amount of deformation data retrieved by the SBAS-DInSAR technique in volcanic environments. The proposed approach is based on the assumptions of homogeneous and harmonic elastic fields, which satisfy Laplace's equation; specifically, we consider the Multiridge, ScalFun and THD methods to provide in a fast way preliminary information on the active volcanic source, such as the depth, the horizontal position, the geometrical configuration and the horizontal extent, even for the analysis of complex cases. In this thesis, we first analyse the biharmonic general solution of the elastic problem to show that the deformation field surely satisfies Laplace's equation in the case of a hydrostatic pressure condition within a source embedded in a homogeneous elastic half-space. Then, we show the results of different simulations, highlighting how the proposed approach allows overcoming many ambiguities since it provides unique information about the geometrical parameters of the active source.
    Finally, we show the results of the Multiridge, ScalFun and THD methods used for the analysis of the deformation components recorded at Okmok volcano, Uturuncu volcano, Campi Flegrei caldera, Fernandina volcano and Yellowstone caldera. We conclude this thesis by remarking that the proposed approach represents a crucial tool for fixing modeling ambiguities and for providing useful information for monitoring purposes and/or for constraining the geometry of volcanic systems.