Abstract / Description of output
Anomaly-based intrusion detection methods aim to combat the increasing rate of zero-day attacks; however, their success is currently restricted to the detection of high-volume attacks using aggregated traffic features. Recent evaluations show that current anomaly-based network intrusion detection methods fail to reliably detect remote access attacks. These are smaller in volume and often only stand out when compared to their surroundings. Currently, anomaly methods try to detect access attack events mainly as point anomalies and neglect the context they appear in. We present and examine a contextual bidirectional anomaly model (CBAM) based on deep LSTM networks that is specifically designed to detect such attacks as contextual network anomalies. The model efficiently learns short-term sequential patterns in network flows as conditional event probabilities. Access attacks frequently break these patterns when exploiting vulnerabilities and can thus be detected as contextual anomalies. We evaluated CBAM on an assembly of three datasets that together provide representative network access attacks, real-life traffic over a long timespan, and traffic from a real-world red-team attack. We contend that this assembly is closer to a potential deployment environment than current NIDS benchmark datasets. We show that, by building a deep model, we are able to reduce the false positive rate to 0.16%, significantly below the operational range of other methods, while effectively detecting six out of seven access attacks. We further demonstrate that short-term flow structures remain stable over long periods of time, making CBAM robust against concept drift.
| Field | Value |
|---|---|
| Original language | English |
| Article number | 79 |
| Number of pages | 28 |
| Journal | Computers |
| Volume | 10 |
| Issue number | 6 |
| DOIs | |
| Publication status | Published - 11 Jun 2021 |
Keywords / Materials (for Non-textual outputs)
- network intrusion detection
- deep learning
- anomaly detection
- flow prediction
- access attacks
Fingerprint
Research topics of 'CBAM: A Contextual Model for Network Anomaly Detection'.
Projects
- 1 Finished
- Robustness-as-evolvability: building a dynamic control plane with Software-Defined Networking
  Aspinall, D. & Lee, M.
  1/04/15 → 31/03/18
  Project: Research