KSII Transactions on Internet and Information Systems
Monthly Online Journal (eISSN: 1976-7277)

Flow-based Anomaly Detection Using Access Behavior Profiling and Time-sequenced Relation Mining


Abstract

Emerging attacks, such as Operation Aurora and Operation Shady RAT, aim to access proprietary assets and steal data for business or political motives. Skilled intruders are likely to remove their traces on targeted hosts, but their network movements, which are continuously recorded by network devices, cannot easily be erased by the intruders themselves. However, without complete knowledge of inbound, outbound, and internal traffic, it is difficult for a security team to uncover the hidden traces of intruders. In this paper, we propose an autonomous anomaly detection system based on behavior profiling and relation mining. The single-hop access profiling model employs a novel linear grouping algorithm, PSOLGA, to create a behavior profile for each individual server application discovered automatically during historical flow analysis. In addition, the double-hop access relation model uses an in-memory graph to mine time-sequenced access relations between different server applications. Using the behavior profiles and relation rules, the approach is able to detect possible anomalies and violations in real time. Finally, the experimental results demonstrate that the designed models are promising in terms of accuracy and computational efficiency.


Cite this article

[IEEE Style]
W. Liu, K. Zheng, B. Wu, C. Wu, X. Niu, "Flow-based Anomaly Detection Using Access Behavior Profiling and Time-sequenced Relation Mining," KSII Transactions on Internet and Information Systems, vol. 10, no. 6, pp. 2781-2800, 2016. DOI: 10.3837/tiis.2016.06.018.

[ACM Style]
Weixin Liu, Kangfeng Zheng, Bin Wu, Chunhua Wu, and Xinxin Niu. 2016. Flow-based Anomaly Detection Using Access Behavior Profiling and Time-sequenced Relation Mining. KSII Transactions on Internet and Information Systems, 10, 6, (2016), 2781-2800. DOI: 10.3837/tiis.2016.06.018.

[BibTeX Style]
@article{tiis:21137,
  title="Flow-based Anomaly Detection Using Access Behavior Profiling and Time-sequenced Relation Mining",
  author="Weixin Liu and Kangfeng Zheng and Bin Wu and Chunhua Wu and Xinxin Niu",
  journal="KSII Transactions on Internet and Information Systems",
  DOI={10.3837/tiis.2016.06.018},
  volume={10},
  number={6},
  year="2016",
  month={June},
  pages={2781-2800}
}