“LADS: A Live Anomaly Detection System based on Machine Learning Methods”
in In Proceedings of the Workshop on Security and Cryptography (with SECRYPT 2019), Jul. 2019.
Abstract: Network anomaly detection using NetFlow has been widely studied during the last decade. NetFlow providesthe ability to collect network traffic attributes (e.g., IP source, IP destination, source port, destination port,protocol) and allows the use of association rule mining to extract the flows that have caused a malicious event.Despite of all the developments in network anomaly detection, the most popular procedure to detect non-conformity patterns in network traffic is still manual inspection during the period under analysis (e.g., visualanalysis of plots, identification of variations in the number of bytes, packets, flows). This paper presents a LiveAnomaly Detection System (LADS) based on One class Support Vector Machine (One-class SVM) to detecttraffic anomalies. Experiments have been conducted using a valid data-set containing over 1.4 million packets(captured using NetFlow v5 and v9) that build models with one and several features in order to identify theapproach that most accurately detects traffic anomalies in our system. A multi-featured approach that restrictsthe analysis to one IP address and extends it in terms of samples (valid and invalid ones) is considered as apromising approach in terms of accuracy of the detected malicious instances
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)