A novel network user behaviors and profile testing based on anomaly detection techniques

Muhammad Tahir*, Mingchu Li, Xiao Zheng, Anil Carie, Xing Jin, Muhammad Azhar, Naeem Ayoub, Atif Wagan, Muhammad Aamir, Liaquat Ali Jamali, Muhammad Asif Imran, Zahid Hussain Hulio

*Corresponding author for this work

Publication: Contribution to journal, Journal article, Research, peer-reviewed

Abstract

The proliferation of smart devices and computer networks has led to a huge rise in internet traffic and network attacks that necessitates efficient network traffic monitoring. There have been many attempts to address these issues; however, agile detection solutions are needed. This research work deals with the detection of malware infections, one of the most challenging tasks in modern computer security. In recent years, anomaly detection has been the first detection approach, followed by results from other classifiers. Anomaly detection methods are typically designed to model normal user behaviors and then seek deviations from this model. However, anomaly detection techniques may suffer from a variety of problems, including missing validations for verification and a large number of false positives. This work proposes and describes a new profile-based method for identifying anomalous changes in network user behaviors. Profiles describe user behaviors from different perspectives using different flags. Each profile is composed of information about what the user has done over a period of time. The symptoms extracted in the profile cover a wide range of user actions and try to analyze different actions. Compared to other symptom-based anomaly detectors, the profiles offer a higher-level view of user behavior. It is assumed that it is possible to look for anomalies using high-level symptoms while producing fewer false positives and still effectively finding real attacks. The problem of obtaining truly labeled data for training anomaly detection algorithms has also been addressed in this work: datasets were designed and created that contain real normal user actions while the user is infected with real malware. These datasets were used to train and evaluate anomaly detection algorithms, among them, for example, the local outlier factor (LOF) and the one-class support vector machine (SVM).
The results show that the proposed anomaly-based and profile-based algorithm causes very few false positives and relatively high true positive detection. The two main contributions of this work are a new approach based on network anomaly detection and datasets containing a combination of genuine malware and actual user traffic. Finally, future directions will focus on applying the proposed approaches to protecting internet of things (IoT) devices.

Original language: English
Journal: International Journal of Advanced Computer Science and Applications
Volume: 10
Issue number: 6
Pages (from-to): 305-324
Number of pages: 20
ISSN: 2158-107X
DOI: 10.14569/IJACSA.2019.0100641
Status: Published - 2019

Fingerprint

Testing
Security of data
Computer networks
Support vector machines
Classifiers
Internet
Detectors
Monitoring
Malware
Internet of things

Cite this

Tahir, Muhammad ; Li, Mingchu ; Zheng, Xiao ; Carie, Anil ; Jin, Xing ; Azhar, Muhammad ; Ayoub, Naeem ; Wagan, Atif ; Aamir, Muhammad ; Jamali, Liaquat Ali ; Imran, Muhammad Asif ; Hulio, Zahid Hussain. / A novel network user behaviors and profile testing based on anomaly detection techniques. In: International Journal of Advanced Computer Science and Applications. 2019 ; Vol. 10, No. 6. pp. 305-324.
@article{76b7afa015874ec19049dc2c836a5fd8,
title = "A novel network user behaviors and profile testing based on anomaly detection techniques",
abstract = "The proliferation of smart devices and computer networks has led to a huge rise in internet traffic and network attacks that necessitate efficient network traffic monitoring. There have been many attempts to address these issues; however, agile detecting solutions are needed. This research work deals with the problem of malware infections or detection is one of the most challenging tasks in modern computer security. In recent years, anomaly detection has been the first detection approach followed by results from other classifiers. Anomaly detection methods are typically designed to new model normal user behaviors and then seek for deviations from this model. However, anomaly detection techniques may suffer from a variety of problems, including missing validations for verification and a large number of false positives. This work proposes and describes a new profile-based method for identifying anomalous changes in network user behaviors. Profiles describe user behaviors from different perspectives using different flags. Each profile is composed of information about what the user has done over a period of time. The symptoms extracted in the profile cover a wide range of user actions and try to analyze different actions. Compared to other symptom anomaly detectors, the profiles offer a higher level of user experience. It is assumed that it is possible to look for anomalies using high-level symptoms while producing less false positives while effectively finding real attacks. Also, the problem of obtaining truly tagged data for training anomaly detection algorithms has been addressed in this work. It has been designed and created datasets that contain real normal user actions while the user is infected with real malware. These datasets were used to train and evaluate anomaly detection algorithms. Among the investigated algorithms for example, local outlier factor (LOF) and one class support vector machine (SVM). 
The results show that the proposed anomaly-based and profile-based algorithm causes very few false positives and relatively high true positive detection. The two main contributions of this work are a new approaches based on network anomaly detection and datasets containing a combination of genuine malware and actual user traffic. Finally, the future directions will focus on applying the proposed approaches for protecting the internet of things (IOT) devices.",
keywords = "Anomaly detection algorithms, Anomaly detection techniques, Datasets, Machine learning, Network user behaviors, Profile testing",
author = "Muhammad Tahir and Mingchu Li and Xiao Zheng and Anil Carie and Xing Jin and Muhammad Azhar and Naeem Ayoub and Atif Wagan and Muhammad Aamir and Jamali, {Liaquat Ali} and Imran, {Muhammad Asif} and Hulio, {Zahid Hussain}",
year = "2019",
doi = "10.14569/IJACSA.2019.0100641",
language = "English",
volume = "10",
pages = "305--324",
journal = "International Journal of Advanced Computer Science and Applications",
issn = "2156-5570",
publisher = "TheScience and Information Organization Inc.",
number = "6",

}
