49 research outputs found

    Performance Evaluation of Network Anomaly Detection Systems

    Nowadays, there is a huge and growing concern about security in information and communication technology (ICT) among the scientific community, because any attack or anomaly in the network can greatly affect many domains such as national security, private data storage, social welfare, economic issues, and so on. Therefore, the anomaly detection domain is a broad research area, and many different techniques and approaches for this purpose have emerged through the years. Attacks, problems, and internal failures, when not detected early, may badly harm an entire network system. Thus, this thesis presents an autonomous profile-based anomaly detection system based on the statistical method Principal Component Analysis (PCADS-AD). This approach creates a network profile called Digital Signature of Network Segment using Flow Analysis (DSNSF) that denotes the predicted normal behavior of network traffic activity through historical data analysis. That digital signature is used as a threshold for volume anomaly detection to detect disparities in the normal traffic trend. The proposed system uses seven traffic flow attributes: Bits, Packets and Number of Flows to detect problems, and Source and Destination IP addresses and Ports to provide the network administrator with the information necessary to solve them. Via evaluation techniques, the addition of a different anomaly detection approach, and comparisons to other methods performed in this thesis using real network traffic data, results showed good traffic prediction by the DSNSF and encouraging false alarm generation and detection accuracy on the detection schema. The observed results seek to contribute to the advance of the state of the art in methods and strategies for anomaly detection that aim to surpass some challenges that emerge from the constant growth in complexity, speed and size of today's large-scale networks, also providing high-value results for better detection in real time.

    Currently, there is an enormous and growing concern about security in information and communication technology (ICT) among the scientific community. This is because any attack or anomaly in the network can affect quality, interoperability, availability, and integrity in many domains, such as national security, private data storage, social welfare, economic issues, and so on. Therefore, anomaly detection is a broad research area, and many different techniques and approaches for this purpose have emerged over the years. Attacks, problems, and internal failures, when not detected early, can seriously harm an entire network system. Thus, this thesis presents an autonomous profile-based anomaly detection system using the statistical method Principal Component Analysis (PCADS-AD). This approach creates a network profile called Digital Signature of Network Segment using Flow Analysis (DSNSF) that denotes the predicted normal behavior of network traffic activity through historical data analysis. This digital signature is used as a threshold for volume anomaly detection, identifying disparities in the normal traffic trend. The proposed system uses seven traffic flow attributes: bits, packets, and number of flows to detect problems, plus source and destination IP addresses and ports to provide the network administrator with the information necessary to resolve them. Through the use of evaluation metrics, the addition of a detection approach distinct from the main proposal, and comparisons with other methods carried out in this thesis using real network traffic data, the results showed good traffic prediction by the DSNSF and encouraging results regarding false alarm generation and detection accuracy. With the results observed in this thesis, this doctoral work seeks to contribute to the advance of the state of the art in anomaly detection methods and strategies, aiming to overcome some challenges that emerge from the constant growth in complexity, speed, and size of today's large-scale networks, while also providing high performance. Furthermore, the low complexity and agility of the proposed system allow it to be applied to real-time detection.

    Discovering anomalies in big data: a review focused on the application of metaheuristics and machine learning techniques

    With the increase in available data from computer systems and their security threats, interest in anomaly detection has increased as well in recent years. The need to diagnose faults and cyberattacks has also focused scientific research on the automated classification of outliers in big data, as manual labeling is difficult in practice due to their huge volumes. The results obtained from data analysis can be used to generate alarms that anticipate anomalies and thus prevent system failures and attacks. Therefore, anomaly detection has the purpose of reducing maintenance costs as well as supporting decisions based on reports. During the last decade, the approaches proposed in the literature to classify unknown anomalies in log analysis, process analysis, and time series have been mainly based on machine learning and deep learning techniques. In this study, we provide an overview of current state-of-the-art methodologies, highlighting their advantages and disadvantages and the new challenges. In particular, we will see that there is no absolute best method, i.e., for any given dataset a different method may achieve the best result. Finally, we describe how the use of metaheuristics within machine learning algorithms makes it possible to build more robust and efficient tools.

    Water filtration by using apple and banana peels as activated carbon

    A water filter is an important device for reducing the contaminants in raw water. Activated carbon from charcoal is used to absorb the contaminants. Fruit peels are a suitable alternative carbon source to substitute for charcoal. The main goal is to determine the role of fruit peels, namely apple and banana peel powder, as activated carbon in a water filter. Drying and blending the peels until they become powder is the way to allow them to absorb the contaminants. The observation consists of comparing the results for raw water before and after filtering. After filtering the raw water, the reading for pH was 6.8, which is in the normal pH range, and the turbidity reading recorded was 658 NTU. As for the colour, the water became clearer compared to the raw water. This study has found that fruit peels such as banana and apple are an effective substitute for charcoal as a natural absorbent.

    Privacy reinforcement learning for faults detection in the smart grid

    Recent anticipated advancements in ad hoc Wireless Mesh Networks (WMN) have made them strong natural candidates for the Smart Grid's Neighborhood Area Network (NAN) and the ongoing work on Advanced Metering Infrastructure (AMI). Fault detection in these types of energy systems, where anomalous behavior from energy platforms is identified, has recently attracted much interest in the data science community. This paper develops a new framework based on privacy reinforcement learning to accurately identify anomalous patterns in a distributed and heterogeneous energy environment. The local outlier factor is first computed to derive the local simple anomalous patterns in each site of the distributed energy platform. Reinforcement privacy learning is then established using blockchain technology to merge the local anomalous patterns into global complex anomalous patterns. Besides, different optimization strategies are suggested to improve the whole outlier detection process. To demonstrate the applicability of the proposed framework, intensive experiments have been carried out on the well-known CASAS (Center of Advanced Studies in Adaptive Systems) platform. Our results show that our proposed framework outperforms the baseline fault detection solutions.

    A novel approach to data mining using simplified swarm optimization

    Data mining has become an increasingly important approach to deal with the rapid growth of data collected and stored in databases. In data mining, data classification and feature selection are considered the two main factors that drive people when making decisions. However, existing traditional data classification and feature selection techniques used in data management are no longer enough for such massive data. This deficiency has prompted the need for a new intelligent data mining technique based on stochastic population-based optimization that could discover useful information from data. In this thesis, a novel Simplified Swarm Optimization (SSO) algorithm is proposed as a rule-based classifier and for feature selection. SSO is a simplified Particle Swarm Optimization (PSO) that has a self-organising ability to emerge in highly distributed control problem space, and is flexible, robust and cost effective to solve complex computing environments. The proposed SSO classifier has been implemented to classify audio data. To the author’s knowledge, this is the first time that SSO and PSO have been applied for audio classification. Furthermore, two local search strategies, named Exchange Local Search (ELS) and Weighted Local Search (WLS), have been proposed to improve SSO performance. SSO-ELS has been implemented to classify the 13 benchmark datasets obtained from the UCI repository database. Meanwhile, SSO-WLS has been implemented in Anomaly-based Network Intrusion Detection System (A-NIDS). In A-NIDS, a novel hybrid SSO-based Rough Set (SSORS) for feature selection has also been proposed. The empirical analysis showed promising results with high classification accuracy rate achieved by all proposed techniques over audio data, UCI data and KDDCup 99 datasets. 
Therefore, the proposed SSO rule-based classifier with local search strategies has offered a new paradigm shift in solving complex problems in data mining which may not be solvable by other benchmark classifiers.

    Novel techniques of computational intelligence for analysis of astronomical structures

    Gravitational forces cause the formation and evolution of a variety of cosmological structures. The detailed investigation and study of these structures is a crucial step towards our understanding of the universe. This thesis provides several solutions for the detection and classification of such structures. In the first part of the thesis, we focus on astronomical simulations, and we propose two algorithms to extract stellar structures. Although they follow different strategies (the first one is a downsampling method, while the second one keeps all samples), both techniques help to build more effective probabilistic models. In the second part, we consider observational data, and the goal is to overcome some of the common challenges in observational data such as noisy features and imbalanced classes. For instance, when not enough examples are present in the training set, two different strategies are used: a) a nearest neighbor technique and b) an outlier detection technique. In summary, both parts of the thesis show the effectiveness of automated algorithms in extracting valuable information from astronomical databases.

    Customer active power consumption prediction for the next day based on historical profile

    Energy consumption prediction is one of the most important application fields that is controlled with Artificial Intelligence technologies to maintain accuracy for electricity market cost reduction. This work presents a way to build and apply a model to each customer in residential buildings. This model is built by using Long Short Term Memory (LSTM) networks to address a time-series prediction problem, and Deep Learning to take into consideration the historical consumption of customers and hourly load profiles in order to predict future consumption. Using this model, the most probable sequence of a certain industrial customer's consumption levels for a coming day is predicted. In the case of residential customers, determining the particular period of the prediction in terms of either a year or a month would be helpful and more accurate due to changes in consumption according to changes in temperature and weather conditions in general. Both of them are used together in this research work to make a wide or narrow prediction window. A test data set for a set of customers is used. Consumption readings for any customer in the test data set, applying the LSTM model, vary between minimum and maximum values of active power consumption. These values are always alternating during the day according to customer consumption behavior. This consumption variation leads to leveling all readings into a finite set of deterministic values. These levels can then be used in building the prediction model. Levels of consumption model the states in the transition matrix. Twenty-five readings are recorded per day, one on each hour, covering the extra hour of leap years. The emission matrix is built using twenty-five values numbered from one to twenty-five, which represent the observations. Calculating the probabilities of being in each level (node) is also covered. A Logistic Regression Algorithm is used to determine the most probable nodes for the next 25 hours in the case of residential or industrial customers.

    Index Terms: Smart Grids, Load Forecasting, Consumption Prediction, Long Short Term Memory (LSTM), Logistic Regression Algorithm, Load Profile, Electrical Consumption.

    Scalable and Efficient Network Anomaly Detection on Connection Data Streams

    Every day, security experts and analysts must deal with the huge increase in cyber security threats that are propagating very fast on the Internet and threatening the security of hundreds of millions of users worldwide. The detection of such threats and attacks is of paramount importance to these experts in order to prevent these threats and mitigate their effects in the future. Thus, the need for security solutions that can prevent, detect, and mitigate such threats is imminent and must be addressed with scalable and efficient solutions. To this end, we propose a scalable framework, called Daedalus, to analyze streams of NIDS (network-based intrusion detection system) logs in near real-time and to extract useful threat security intelligence. The proposed system pre-processes massive amounts of connection stream logs received from different participating organizations and applies an elaborate anomaly detection technique in order to distinguish between normal and abnormal or anomalous network behaviors. As such, Daedalus detects network traffic anomalies by extracting a set of significant pre-defined features from the connection logs and then applying a time series-based technique in order to detect abnormal behavior in near real-time. Moreover, we correlate IP blocks extracted from the logs with some external security signature-based feeds that detect factual malicious activities (e.g., malware families and hashes, ransomware distribution, and command and control centers) in order to validate the proposed approach. Performed experiments demonstrate that Daedalus accurately identifies the malicious activities with an average F_1 score of 92.88%. We further compare our proposed approach with existing K-Means and deep learning (LSTM) approaches and demonstrate the accuracy and efficiency of our system.