Martins, Rodrigo Siqueira and Angelov, Plamen and Costa, Bruno Sielly Jales (2018) Automatic detection of computer network traffic anomalies based on eccentricity analysis. In: 2018 IEEE International Conference on Fuzzy Systems, FUZZ 2018 - Proceedings :. Institute of Electrical and Electronics Engineers Inc., BRA. ISBN 9781509060207
WCCI_verReview1.pdf - Accepted Version
Available under License Creative Commons Attribution-NonCommercial.
Download (694kB)
Abstract
In this paper, we propose an approach to automatic detection of attacks on computer networks using data that combine the traffic generated with'live' intra-cloud virtual-machine (VM) migration. The method used in this work is the recently introduced typicality and eccentricity data analytics (TEDA) framework. We compare the results of applying TEDA with the traditionally used methods such as statistical analysis, such as k-means clustering. One of the biggest challenges in computer network analysis using statistical or numerical methods is the fact that the protocols information is composed of integer/string values and, thus, not easy to handle by traditional pattern recognition methods that deal with real values. In this study we consider as features the tuple {IP source, IP destination, Port source and Port destination} extracted from the network flow data in addition to the traditionally used real values that represent the number of packets per time or quantity of bytes per time. Using entropy of the IP data helps to convert the integer raw data into real valued signatures. The proposed solution permit to build a real-time anomaly detection system and reduce the number of information that is necessary for evaluation. In general, the systems based on traffic are fast and are used in real time but they do not produce good results in attacks that produce a flow hidden within the background traffic or within a high traffic that is produced by other application. We validate our approach an a dataset which includes attacks on the network port scan (NPS) and network scan (NS) that permit hidden flow within the normal traffic and see this attacks together with live migration which produces a higher traffic flow.