UNADA: unsupervised network anomaly detection using sub-space outliers ranking

Authors:
Pedro Casas;Johan Mazel;Philippe Owezarski
Affiliations:
CNRS/ LAAS/ Toulouse Cedex, France and Université/ de Toulouse/ UPS, INSA, INP, ISAE/ UT1, UTM, LAAS/ F-31077, Toulouse Cedex, France;CNRS/ LAAS/ Toulouse Cedex, France and Université/ de Toulouse/ UPS, INSA, INP, ISAE/ UT1, UTM, LAAS/ F-31077, Toulouse Cedex, France;CNRS/ LAAS/ Toulouse Cedex, France and Université/ de Toulouse/ UPS, INSA, INP, ISAE/ UT1, UTM, LAAS/ F-31077, Toulouse Cedex, France
Venue:
NETWORKING'11 Proceedings of the 10th international IFIP TC 6 conference on Networking - Volume Part I
Year:
2011

Citing 12
Cited 1

A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Sketch-based change detection: methods, evaluation, and applications

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Subspace clustering for high dimensional data: a review

ACM SIGKDD Explorations Newsletter - Special issue on learning from imbalanced datasets
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Combining Multiple Clusterings Using Evidence Accumulation

IEEE Transactions on Pattern Analysis and Machine Intelligence
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Unsupervised anomaly detection in network intrusion detection using clusters

ACSC '05 Proceedings of the Twenty-eighth Australasian conference on Computer Science - Volume 38
A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification

ACM SIGCOMM Computer Communication Review
Combining filtering and statistical methods for anomaly detection

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Traffic data repository at the WIDE project

ATEC '00 Proceedings of the annual conference on USENIX Annual Technical Conference
Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures

Proceedings of the 2007 workshop on Large scale attack defense
Data clustering: 50 years beyond K-means

Pattern Recognition Letters

Unsupervised Network Intrusion Detection Systems: Detecting the Unknown without Knowledge

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Current network monitoring systems rely strongly on signature-based and supervised-learning-based detection methods to hunt out network attacks and anomalies. Despite being opposite in nature, both approaches share a common downside: they require the knowledge provided by an expert system, either in terms of anomaly signatures, or as normal-operation profiles. In a diametrically opposite perspective we introduce UNADA, an Unsupervised Network Anomaly Detection Algorithm for knowledge-independent detection of anomalous traffic. UNADA uses a novel clustering technique based on Sub-Space-Density clustering to identify clusters and outliers in multiple low-dimensional spaces. The evidence of traffic structure provided by these multiple clusterings is then combined to produce an abnormality ranking of traffic flows, using a correlation-distance-based approach. We evaluate the ability of UNADA to discover network attacks in real traffic without relying on signatures, learning, or labeled traffic. Additionally, we compare its performance against previous unsupervised detection methods using traffic from two different networks.