
[IEEE 2013 International Conference on Research and Innovation in Information Systems (ICRIIS) - Kuala Lumpur, Malaysia (2013.11.27-2013.11.28)] 2013 International Conference on Research


3rd International Conference on Research and Innovation in Information Systems – 2013 (ICRIIS’13)

Real-time network anomaly detection architecture based on frequent pattern mining technique

Aiman Moyaid Said, Dhanapal Durai Dominic, Ibrahima Faye Faculty of Science and Information Technology,

Universiti Teknologi PETRONAS, Tronoh, Perak, Malaysia

[email protected], [email protected], [email protected]

Abstract— Online network anomaly-based intrusion detection systems are responsible for monitoring for novel anomalies. A network anomaly detection system architecture with a new outlier detection approach is presented in this paper. A new outlierness measurement based on the frequent pattern technique is proposed, and an approach for detecting outliers is introduced. The main advantages of the proposed approach are that it is effective and direct in detecting anomalies in online traffic data, and that it is adaptive to underlying changes in the traffic streams. The empirical results exhibit good detection of new anomalous behavior, and the accuracy of our proposed approach is close to that of the static approach.

Keywords— Data mining; Network security; Anomaly detection; Outlier detection; Data stream.

I. INTRODUCTION

The actions which try to compromise the integrity, confidentiality, or availability of a resource are known as intrusions [1]. As systems become more complex, there are always exploitable weaknesses resulting from design and programming flaws, or from the use of various “socially engineered” penetration techniques. Attacks that target a machine and attempt to use the services or resources granted on that machine are host-based attacks. In network-based attacks, the services and resources of the network can be intentionally overwhelmed or disabled so as to obstruct the access of valid users to the different services of the network.

A major challenge in providing an effective protection mechanism for a network perimeter is the capability to spot intrusions and apply preventive actions. An Intrusion Detection System (IDS) is the network perimeter defense component that is capable of identifying intrusions.

Intrusion detection systems can be further categorized, by the methodology used to identify intrusions, into signature-based (also known as misuse detection) or anomaly-based. A signature-based system detects intrusions by attempting to match the monitored activities against known patterns (i.e. signatures). The anomaly-based methodology, on the other hand, is based on finding any evidence of activities that deviate from what is believed to be normal system behavior. Anomaly detection is capable of identifying new attacks, while signature-based detection is more capable of detecting well-known attacks.

It is very important to build automated and immediate detection systems to protect the availability, confidentiality and integrity of network information systems. Such systems should be effective at real-time network anomaly detection, adaptive, and able to handle unlabeled data when building the normal profile of the network traffic. Detection should happen as the intrusion takes place, to minimize security compromises.

In this paper, we propose a real-time anomaly detection system architecture based on frequent patterns. The system uses the frequent patterns to find outliers in the network traffic. The remainder of the paper is structured as follows: Section II presents the related work. Section III briefly describes the proposed system of our detection scheme; the system description and the anomaly detection methodology are presented in Sections III-A and III-B respectively. Section IV evaluates the efficiency of the proposed system. Finally, Section V concludes the paper.

II. BACKGROUND

A variety of anomaly detection techniques have demonstrated effectiveness and efficiency in detecting a wide range of anomalies in network traffic [2-5].

Leung et al. [6] investigate a density-based and grid-based clustering approach for unsupervised anomaly detection in the network intrusion detection application. The results of this study indicate an acceptable detection rate while preserving a low false positive rate.

Recent work [7] proposes Network Anomaly Detection using Outlier approach (NADO), an effective outlier-based approach for detecting network anomalies, which combines clustering and scoring techniques to find outliers in the network traffic data. The authors use a variant of the k-means clustering technique for high dimensional data to cluster the normal data. The reference point of each cluster is then calculated and a profile is built for each cluster.

392


Finally, the score of each candidate point with respect to the reference points is calculated, and the point is reported as an anomaly if the score exceeds a user-defined threshold value. NADO was evaluated on several datasets and compared with different algorithms in terms of effectiveness, and the results show that NADO outperformed the previous approaches.

Lu et al. [8] investigate online network intrusion detection. The authors apply a framework consisting of a feature extraction technique, based on a novel anomalousness metric named IP Weight, and an outlier detection algorithm which utilizes a Gaussian Mixture Model (GMM). The performance evaluation indicates effective detection and shows strong runtime efficiency.

After an extensive survey, to the best of our knowledge there is no work that presents a combined use of frequent pattern mining from network data streams and anomaly detection. Indeed, there are only four works that use frequent pattern mining from data streams to find outliers [9-12]. Hence in this paper we employ outlier detection based on frequent pattern mining from network data streams for semi-supervised anomaly detection.

III. METHODOLOGY

The proposed real-time anomaly detection system architecture is presented in this section.

A. System Description

We propose an approach with the ability to detect new types of attack in online mode. Fig. 1 shows the components of our system architecture for detecting intrusions in the network data stream. The main focus of this paper is the anomaly detector component; the next section clarifies the anomaly detection methodology.

B. Anomaly Detection Methodology

The characteristics of an object determine whether it is an anomaly or a normal object. The basic idea of anomaly detection is to examine those characteristics and check whether the object deviates from the features of normal objects. The inspection of the characteristics of incoming data objects can be expressed in terms of commonly occurring patterns (frequent patterns) in the data stream.

Definition 1: An anomaly is any data object in the data stream that has short and/or a small number of frequent patterns.

In knowledge discovery, frequent patterns are the common patterns that occur in a large percentage of the objects in the data stream. In contrast, anomaly detection focuses on data objects that form a very small percentage of the data stream. The discovery of frequent patterns in the data stream is therefore fundamental to the process of detecting anomalies.

Based on that paradigm, we propose a new outlier degree measurement, as follows:

Fig. 1. Adaptive network anomaly detection architecture

Definition 2: Let D = {t1, t2, ..., tn} be a data set comprising a set of n transactions with items I. Given a minimum support threshold σ, the set of all frequent patterns is represented as:

$$ FPS(D, \sigma) = \{ X \subseteq I \mid support(X) \ge \sigma \} $$

For every transaction t, the outlier degree of t is defined as:

$$ MaxFPOF(t) = \max_{X \in t,\; X \in FPS(D,\sigma)} \frac{support(X)}{|t|} \qquad (1) $$

for all X ∈ t and X ∈ FPS(D, σ), where t is the transaction, support(X) is the support value of the itemset X, FPS is the set of all frequent itemsets in the database, and |·| is the length of the itemset or the transaction. The value of the outlierness is between 0 and 1.

The intrusion detection domain focuses on the speed of finding intrusions in the network. Therefore, an approximate approach for discovering the frequent patterns is considered the best choice for intrusion detection. Changes in the frequent patterns over the past several minutes are valuable and can be used to detect network intrusions. Given these main issues in the intrusion detection area, the FP-stream algorithm [13] was found to be the most suitable for our architecture. FP-stream was chosen because it uses the tilted-time window data stream model, which places great importance on recent data. This model is similar to a sliding window, but it does not only focus on recent data; it also keeps information about specific periods of older data. It also permits time-sensitive queries (it can report the frequent patterns of a specific period of time).

Definition 3: Let X be a pattern; the frequency of X over a time period T is the number of packets in T which contain X. The support of X is the percentage of the frequency of the pattern relative to the total number of packets observed in T. Let the minimum support be σ, with σ in (0, 1), and let the maximum support error be a value smaller than σ. The relaxation ratio is then the maximum support error divided by σ. A found pattern is categorized as follows: if the frequency of X is greater than or equal to σ, the pattern is frequent; if the frequency of X lies between the maximum support error and σ, the pattern is subfrequent; if the frequency of X is less than the maximum support error, the pattern is infrequent.

The anomaly detection methodology is divided into two stages: the training stage and the detection stage. Fig. 2 presents the main steps of our anomaly detection approach, Online Anomaly Detection based on Frequent Patterns (OAD-FP). Steps 1-4 perform the training stage, using anomaly-free data to build the normality model, which is represented by the FP-stream structure. The FP-stream structure retains all the frequent patterns of the training data. After the FP-stream structure has been updated with the common patterns, the detection stage starts by reading the data stream. For clarity, the data stream is presented as a set of batches, each holding a specific number of packets.

Algorithm: OAD-FP (Dt, Ds, σ, max_err, k)
Input: Training data Dt, data stream Ds, minimum support threshold σ, maximum support error max_err, number of top outliers k;
Output: The top-k outliers;
    // Training stage
    1.  Begin
    2.    foreach data point p in Dt
    3.      Update FPstream structure (p, σ, max_err);
    4.    End
    // Detection stage
    5.    foreach batch B in Ds
    6.      foreach data point p in B
    7.        Update FPstream structure (p, σ, max_err);
    8.      End
    9.      Compute the MaxFPOF using the current frequent patterns;
    10.     Output the top-k anomalies;
    11.   End
    12. End

Fig. 2. OAD-FP pseudo code

A significant aspect of this approach is that the model is kept mirroring the current normality, so there is no need to retrain the model when new cases of normality are encountered. As a result, the first thing done in the detection stage is to update the FP-stream structure with the frequent patterns found in the incoming data batch, as shown in steps 6-8. The model is then used for detection. In step 9 the anomaly score is computed and assigned to the incoming packets (in this step the FP-stream structure needs to be read from the beginning of the stream to calculate the anomaly degree). Finally, the top anomalies are output, as shown in step 10. This process is repeated for each batch.
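As an added illustration (not code from the paper), the following Python sketches Definition 2, Definition 3 and the OAD-FP procedure of Fig. 2 on constructed categorical connection records; the PatternStore class is an assumed stand-in for the FP-stream structure that counts itemsets cumulatively without a tilted-time window, and a lower MaxFPOF means a more anomalous record.

```python
from collections import Counter
from itertools import combinations

# Constructed illustration; the records and the simple counting structure are
# assumptions of this example, not the paper's code.
MAX_PATTERN_LEN = 3  # assumption: itemsets are enumerated only up to this length


def transaction(record):
    """One record (a 'packet') as its set of attribute=value items, the t of (1)."""
    return frozenset(f"{k}={v}" for k, v in record.items())


def categorize(support, sigma, max_error):
    """Definition 3: frequent, subfrequent or infrequent relative to the thresholds."""
    if support >= sigma:
        return "frequent"
    return "subfrequent" if support >= max_error else "infrequent"


class PatternStore:
    """Cumulative itemset counter standing in for the FP-stream structure.

    Assumption: counts accumulate over everything seen so far and infrequent
    itemsets are dropped after each batch; the tilted-time window is not modelled.
    """

    def __init__(self, sigma, max_error, max_len=MAX_PATTERN_LEN):
        self.sigma, self.max_error, self.max_len = sigma, max_error, max_len
        self.counts, self.n = Counter(), 0

    def update(self, t):
        """Count every itemset (up to max_len items) contained in transaction t."""
        self.n += 1
        items = sorted(t)
        for size in range(1, min(self.max_len, len(items)) + 1):
            for combo in combinations(items, size):
                self.counts[frozenset(combo)] += 1

    def support(self, x):
        return self.counts[x] / self.n if self.n else 0.0

    def frequent_patterns(self):
        """FPS(D, sigma): every stored itemset whose support is at least sigma."""
        return {x: self.support(x) for x in self.counts if self.support(x) >= self.sigma}

    def prune(self):
        """Drop infrequent itemsets; frequent and subfrequent ones are kept, as in FP-stream."""
        dead = [x for x in self.counts
                if categorize(self.support(x), self.sigma, self.max_error) == "infrequent"]
        for x in dead:
            del self.counts[x]


def max_fpof(t, fps):
    """Equation (1): largest support(X)/|t| over frequent X contained in t (0.0 if none)."""
    return max((sup / len(t) for x, sup in fps.items() if x <= t), default=0.0)


def oad_fp(train, batches, sigma, max_error, k):
    """Fig. 2: train on anomaly-free data, then per batch update, score and report.

    Returns, per batch, the k records with the lowest MaxFPOF as (index, degree)
    pairs, plus the final pattern store.
    """
    store = PatternStore(sigma, max_error)
    for rec in train:                              # steps 2-4: normality model
        store.update(transaction(rec))
    reports = []
    for batch in batches:                          # steps 5-11
        ts = [transaction(rec) for rec in batch]
        for t in ts:                               # steps 6-8: adapt the model first
            store.update(t)
        fps = store.frequent_patterns()            # step 9: score with current FPS
        scored = sorted(((i, max_fpof(t, fps)) for i, t in enumerate(ts)),
                        key=lambda pair: pair[1])
        reports.append(scored[:k])                 # step 10: lowest degrees first
        store.prune()
    return reports, store


# Constructed traffic: anomaly-free training data, then one batch holding a single
# record whose protocol, service and flag were never seen during training.
HTTP = {"proto": "tcp", "service": "http", "flag": "SF"}
SMTP = {"proto": "tcp", "service": "smtp", "flag": "SF"}
UNSEEN = {"proto": "icmp", "service": "ecr_i", "flag": "S0"}
TRAIN = [HTTP] * 80 + [SMTP] * 20
BATCH = [HTTP] * 18 + [UNSEEN] + [SMTP]


def demo():
    reports, _ = oad_fp(TRAIN, [BATCH], sigma=0.1, max_error=0.01, k=1)
    return reports[0][0]  # (18, 0.0): the unseen record is the top anomaly of the batch
```

With a fixed attribute schema |t| is the same for every record, so the ranking is decided by the supports of the frequent patterns each record contains; the constructed UNSEEN record contains none and receives degree 0.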

IV. EXPERIMENTAL RESULTS

A. Dataset preparation

It is very difficult to evaluate an outlier detection approach on live network traffic or any raw network traffic [14]. Hence, to evaluate our approach, the KDD CUP99 intrusion data set [15] is employed for testing. In our experiment we chose samples from the KDD testing data.

B. Evaluation criteria

The effectiveness reflects the ability of the system to produce the intended results (i.e. the accuracy of the system). To measure the effectiveness of the intrusion detection system, the detection rate and the False Positive Rate (FPR) are used; Equations (2) and (3) define the detection rate and the false positive rate.

$$ \text{Detection rate} = \frac{\text{Number of detected true outliers}}{\text{Number of all true outliers}} \qquad (2) $$

$$ \text{FPR} = \frac{\text{Number of normal incorrectly detected as outlier}}{\text{Number of all normal}} \qquad (3) $$

C. Experimental results

This section presents the results of different studies evaluating the performance of the proposed approach under different settings.

1) Measurement Evaluation study

This section elaborates on the performance of the proposed measurement under static conditions. The unsupervised learning approach was followed to validate the effectiveness. For this evaluation the network intrusion data set was used [16]. The accuracy and the false positive rate were measured and compared against other approaches. For all the experiments, the detection performance is based on the top-k outlier data points, in order to control the level of the false positive rate. Table I and Table II show the detection rate and the false positive rate, respectively, of the newly proposed measurement against the counterpart methods.

TABLE I. Detection rate (support 10%)

TopK      MaxFPOF   FindFPOF [17]   Db-Outlier [18]   Gaussian Mixture Outlier [19]
5         0.1000    0.1000          0.1000            0.0667
10        0.1667    0.1667          0.1667            0.1667
15        0.3333    0.3333          0.2667            0.2333
20        0.5000    0.5000          0.3333            0.3333
25        0.6667    0.6667          0.5000            0.4000
30        0.8333    0.8333          0.6667            0.5000
Average   0.4333    0.4333          0.3389            0.2833


TABLE II. False positive rate (support 10%)

TopK      MaxFPOF   FPOF      Db-outlier   Gaussian mixture outlier
5         0.0021    0.0021    0.0021       0.0031
10        0.0052    0.0052    0.0052       0.0052
15        0.0052    0.0052    0.0072       0.0082
20        0.0052    0.0052    0.0103       0.0103
25        0.0052    0.0052    0.0103       0.0134
30        0.0052    0.0052    0.0103       0.0155
Average   0.0046    0.0046    0.0076       0.0093

As is well known, a detector with a higher detection rate and a lower false positive rate performs better than other detectors. From the data in Table I, it is apparent that the average detection rate is 0.4333, the same as FPOF, and both are better than the other two approaches. The average is used to rank the methods; the really important number is the one for the top 30, where, as the table shows, our approach achieved a good level of detection with a value of 0.8333. Table II shows that the false positive rate of our measurement is low (i.e. 0.0052).

2) Adaptability study

These experiments study the self-evolution of the proposed approach. In the experiment we study the evolution of the FP-stream structure as a helpful indicator of concept drift in data streams. The ability to detect concept drift means being able to follow the changes and update the model accordingly. To observe the self-evolution, a large data set is needed; 10,000 transactions are enough. To measure the effect of concept drift on the model (the tree), the data in the batches should be similar except for one batch holding different transactions drawn from a different normal data distribution. For that batch, we measure whether there is a change in the number of nodes of the pattern tree. The batches should be similar, taking into consideration that the minimum support is set to 0.1.

Table III shows the distribution of the data in each batch. Each cell gives the number of transactions per batch; where two numbers are shown (e.g. 950/50), the batch mixes data from two different normal distributions (the original table marks the second distribution in red and underlined). As the table illustrates, the data-generating process evolves over time with different distributions. This evolution of the distribution is used in this experiment to study the effect of a changing data distribution on the size of the FP-stream structure.

Fig. 3 presents the number of data items processed against the size of the FP-stream structure. We can notice that for the first two batches the size of the FP-stream is stable. The size of the FP-stream starts to increase gradually from batch number three, because the algorithm starts to find more frequent patterns as the batches are repeated, meaning that certain patterns become frequent. Sample 1 shows a smaller increase of the FP-stream size than the other two samples, because the patterns in its data are fewer than in the other two samples. The change of the size of the FP-stream indicates that the structure is affected by the new behavior of the data, and this is clear in batch number ten.

TABLE III. Data distribution for the adaptability study (transactions per batch)

Batch #    Sample 1   Sample 2   Sample 3
Batch 1    1000       1000       1000
Batch 2    1000       1000       950/50
Batch 3    1000       1000       900/100
Batch 4    1000       1000       850/150
Batch 5    1000       1000       800/100
Batch 6    500/500    800/200    750/250
Batch 7    1000       600/400    700/300
Batch 8    1000       400/600    650/350
Batch 9    1000       200/800    600/400
Batch 10   1000       1000       550/450

Fig. 3. The number of the data against the size of the FP-stream. (Plot: x axis "Batches" 1 to 10; y axis "FP stream size" from 0 to 5 x 10^5; one series each for Sample 1, Sample 2 and Sample 3.)

3) Comparative study with existing methods

This study investigates the detection rate and false positive rate of the proposed approach and of other existing outlier detection methods, including FindFPOF [17], distance-based outlier [18] and Gaussian mixture outlier [19]. All of the competing methods are designed to work in a static context. In order to apply them in the data stream context, a periodical detection strategy is conducted [20, 21]: the competing methods are run on the entire data set periodically (e.g. after every data batch is inserted, the algorithms are run). One may argue that this strategy is unable to detect outliers at the beginning of their appearance in the inserted data batch, and that its resource consumption is expensive, but our purpose is to compare the detection performance. The data set for the static approach is divided into batches, and each batch contains the data of its previous batch. For each batch the algorithm is run and the result is recorded (periodical detection). In the case of the dynamic approach the data is divided into batches that are fed to the algorithm (all of them), and we also calculate and record the result for each batch. The data set distribution for this study is shown in Table IV. We report the detection rate and the false positive rate for the five approaches.

TABLE IV. Data distribution

Data set                  Training batch   Testing batch 1   Testing batch 2          Testing batch 3
new_intrusion (90+2910)   2058             15/284            15/284 + 15/284          15/284 + 15/284 + 15/284

In Fig. 4, we present the detection rate of our two approaches and of the other three competing methods. We can see from this figure that the detection rate of our two proposed approaches is better than that of the other methods. A closer examination of the figure suggests that OAD-FP performs well. The detection rate of both distance-based outlier and Gaussian mixture outlier is lower than that of the other methods. The reason is that the data is categorical, and those methods do not work accurately with categorical attributes, as they are based on calculating distances and statistical distributions respectively. This aspect gives an advantage to our proposed method, which treats numeric values as categorical, so the scale of a numeric attribute has no effect on the calculation of the frequent patterns. The false positive rate is plotted in Fig. 5. It is clear that OAD-FP achieves a low false positive rate, in the range between 0.0058 and 0.

Fig. 4. Data set and the detection rate (the average of all the batches)

Fig. 5. Data set and the false positive rate (the average of all the batches)

Although the performance of our proposed method is close to that of FindFPOF, it is difficult for the FindFPOF technique to capture the latest data characteristics and cope with possible concept drift in the streams, which is not desirable in data stream applications. In contrast, the proposed approach is able to update the FP-stream structure in a timely fashion each time new data from the stream is processed, enabling it to handle the dynamics of data streams efficiently.

V. CONCLUSION

In this paper, we investigate the anomaly detection problem in network data streams. A network anomaly detection system with an adaptive outlier detection approach based on the frequent pattern technique is proposed. The main focus of this paper is to determine the effectiveness of the anomaly detection approach (OAD-FP). We conducted an offline evaluation of the proposed approach on the KDD CUP99 data set. The results of this investigation show that our approach has the ability to detect anomalies in a real-time context. In addition, our approach achieved an effectiveness almost equal to that of the FindFPOF algorithm. Nevertheless, the training data should contain only normal behavior and be large enough to represent the whole range of normal behavior. Further research should investigate the effect of the parameters on the obtained results.

ACKNOWLEDGMENT

The research is supported by Universiti Teknologi PETRONAS under URIF grant No. 23/2012.

REFERENCES

[1] R. Heady, G. Luger, A. Maccabe, and M. Servilla, The architecture of a network-level intrusion detection system: Department of Computer Science, College of Engineering, University of New Mexico, 1990.



[2] P. Gogoi, D. K. Bhattacharyya, B. Borah, and J. K. Kalita, "A survey of outlier detection methods in network anomaly identification," The Computer Journal, vol. 54, pp. 570-588, 2011.

[3] J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, "Anomaly detection methods in wired networks: a survey and taxonomy," Computer Communications, vol. 27, pp. 1569-1584, 2004.

[4] P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macia-Fernandez, and E. Vazquez, "Anomaly-based network intrusion detection: Techniques, systems and challenges," computers & security, vol. 28, pp. 18-28, 2009.

[5] A. Lof and R. Nelson, "Comparing anomaly detection methods in computer networks," in Internet Monitoring and Protection (ICIMP), 2010 Fifth International Conference on, 2010, pp. 7-10.

[6] K. Leung and C. Leckie, "Unsupervised anomaly detection in network intrusion detection using clusters," in Proceedings of the Twenty-eighth Australasian conference on Computer Science-Volume 38, 2005, pp. 333-342.

[7] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "NADO: network anomaly detection using outlier approach," in Proceedings of the 2011 International Conference on Communication, Computing & Security, 2011, pp. 531-536.

[8] W. Lu and I. Traore, "A new unsupervised anomaly detection framework for detecting network attacks in real-time," in Cryptology and Network Security: Springer, 2005, pp. 96-109.

[9] H. Zengyou, X. Xiaofei, and D. Shengchun, "Outlier detection over data streams," in proceeding of the 7th international conference for young computer scientists , 2003.

[10] X.-Y. Zhou, Z.-H. Sun, B.-L. Zhang, and Y.-D. Yang, "Fast outlier detection algorithm for high dimensional categorical data streams," Ruan Jian Xue Bao(Journal of Software), vol. 18, pp. 933-942, 2007.

[11] G. L. X. Tang, and G. Chen, "Fast Detection outliers over online data streams," in International Conference on Information Engineering and Computer Science, 2009. ICIECS09, 2009.

[12] W. L. F. Lin, and J. Bo, "Research on maximal frequent pattern outlier factor for online high dimensional time-series outlier detection," Journal of Convergence Information Technology, vol. 5, 2010.

[13] C. Giannella, J. Han, J. Pei, X. Yan, and P. S. Yu, "Mining frequent patterns in data streams at multiple time granularities," Next generation data mining, vol. 212, pp. 191-212, 2003.

[14] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "Incremental Approaches for Network Anomaly Detection: Existing Solutions and Challenges," 2011.

[15] http://www.sigkdd.org/kddcup/index.php?section=1999&method=info

[16] W. Zhang, J. Wu, and J. Yu, "An Improved Method of Outlier Detection Based on Frequent Pattern," in Information Engineering (ICIE), 2010 WASE International Conference on, 2010, pp. 3-6.

[17] Z. He, X. Xu, J. Z. Huang, and S. Deng, "A frequent pattern discovery method for outlier detection," in Advances in Web-Age Information Management: Springer, 2004, pp. 726-732.

[18] E. M. Knox and R. T. Ng, "Algorithms for mining distance-based outliers in large datasets," in Proceedings of the International Conference on Very Large Data Bases, 1998.

[19] E. Eskin, "Anomaly detection over noisy data using learned probability distributions," 2000.

[20] D. Pokrajac, A. Lazarevic, and L. J. Latecki, "Incremental local outlier detection for data streams," in Computational Intelligence and Data Mining, 2007. CIDM 2007. IEEE Symposium on, 2007, pp. 504-515.

[21] P. Domingos and G. Hulten, "A general framework for mining massive data streams," Journal of Computational and Graphical Statistics, vol. 12, pp. 945-949, 2003.
