
Incident Detection Based on Differential Analysis

DOI: 10.4236/jis.2024.153022, PP. 378-409

Keywords: IDS, SOC, SIEM, KL-Divergence, K-Mean, Clustering Algorithms, Elbow Method


Abstract:

Internet services and web-based applications play pivotal roles in various sensitive domains, including e-commerce, e-learning, e-healthcare, and e-payment. Safeguarding these services, however, is a significant challenge, and robust security measures are increasingly imperative. This paper presents an innovative method based on differential analysis to detect abrupt changes in network traffic characteristics. The core concept is to identify abrupt alterations, within the analyzed traffic, in characteristics such as input/output volume, the number of TCP connections, or the number of DNS queries. Initially, the traffic is segmented into a sequence of slices, and specific characteristics are quantified for each slice. Subsequently, the distance between successive values of these measured characteristics is computed and clustered to detect sudden changes. To accomplish this, the approach combines several techniques, including propositional logic, distance metrics (e.g., Kullback-Leibler divergence), and clustering algorithms (e.g., K-means). When applied to two distinct datasets, the proposed approach demonstrates exceptional performance, achieving detection rates of up to 100%.
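The pipeline the abstract describes, as an added example that is not the paper's code: per-slice feature vectors are normalised to distributions, the Kullback-Leibler divergence between successive slices is computed, and one-dimensional K-means separates ordinary fluctuations from abrupt changes. The slice values are constructed, the symmetrised KL is an assumption (the page names plain KL), and the paper's own choice of characteristics and of K is not given here.

```python
import math

# Constructed per-slice feature vectors (not taken from the paper's datasets).
# Each row is one time slice: [tcp_connections, dns_queries, bytes_in, bytes_out].
SLICES = [
    [120, 40, 5000, 4800],
    [118, 42, 5100, 4700],
    [125, 39, 4900, 4900],
    [2000, 35, 5200, 4600],   # burst of TCP connections
    [122, 41, 5000, 4750],
    [119, 43, 5050, 4800],
    [121, 1500, 5100, 4700],  # burst of DNS queries
    [120, 40, 5000, 4800],
]

def to_distribution(vec, eps=1e-9):
    """Normalise a feature vector to a probability distribution; eps keeps log() finite."""
    total = sum(vec) + eps * len(vec)
    return [(v + eps) / total for v in vec]

def kl_divergence(p, q):
    """D_KL(P || Q) = sum p_i * ln(p_i / q_i). Asymmetric: D(P||Q) != D(Q||P)."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))

def successive_distances(slices):
    """Symmetrised KL between each slice and its predecessor (assumption: the paper
    names plain KL; symmetrising makes a burst's onset and its return score alike)."""
    dists = [to_distribution(s) for s in slices]
    return [kl_divergence(dists[i], dists[i - 1]) + kl_divergence(dists[i - 1], dists[i])
            for i in range(1, len(dists))]

def nearest(v, centroids):
    """Index of the centroid closest to scalar v."""
    return min(range(len(centroids)), key=lambda c: abs(v - centroids[c]))

def kmeans_1d(values, k=2, iters=100):
    """Lloyd's K-means on scalars, seeded at evenly spaced order statistics for determinism."""
    srt = sorted(values)
    centroids = [srt[i * (len(srt) - 1) // (k - 1)] for i in range(k)]
    for _ in range(iters):
        labels = [nearest(v, centroids) for v in values]
        new = []
        for c in range(k):
            members = [v for v, lab in zip(values, labels) if lab == c]
            new.append(sum(members) / len(members) if members else centroids[c])
        if new == centroids:
            break
        centroids = new
    return [nearest(v, centroids) for v in values], centroids

def detect_incidents(slices):
    """Indices of slices whose change from the previous slice falls in the high-distance
    cluster. A short burst yields two hits: its onset and its return to baseline."""
    dists = successive_distances(slices)
    labels, centroids = kmeans_1d(dists)
    high = centroids.index(max(centroids))
    return [i + 1 for i, lab in enumerate(labels) if lab == high]
```

With the constructed slices, slices 3 and 6 are the bursts, and 4 and 7 are flagged as well because the return to baseline is itself an abrupt change; a SOC rule would typically pair these into one incident window.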

