Are Network Attacks Outliers? A Study of Space Representations and Unsupervised Algorithms

Félix Iglesias*, Alexander Hartl, Tanja Zseby, Arthur Zimek

*Corresponding author

Publication: Chapter in book/report/conference proceedings, conference contribution in proceedings, research, peer-reviewed

Abstract

Among network analysts, "anomaly" and "outlier" are terms commonly associated with network attacks. Attacks are outliers (or anomalies) in the sense that they exploit communication protocols with novel infiltration techniques against which there are no defenses yet. But because of the dynamic and heterogeneous nature of network traffic, attacks may look like normal traffic variations, and attackers also try to make attacks indistinguishable from normal traffic. So, are network attacks actual anomalies? This paper tries to answer this question from an analytical perspective. To that end, we test the outlierness of attacks in a recent, complete dataset for evaluating intrusion detection, using five different feature vectors for network traffic representation and five different outlier ranking algorithms. In addition, we craft a new feature vector that maximizes the discriminative power of outlierness. Results show that attacks are significantly more outlying than legitimate traffic, especially in representations that profile network endpoints, although attack and non-attack outlierness distributions strongly overlap. Because network spaces are noisy and show density variations within non-attack regions, algorithms that measure outlierness locally are less effective than algorithms that measure outlierness with global distance estimations. Our research confirms that unsupervised methods are suitable for attack detection, but also that they must be combined with methods that leverage prior knowledge to prevent high false positive rates. Our findings expand the basis for using unsupervised methods in attack detection.

Original language: English
Title: Machine Learning and Knowledge Discovery in Databases - International Workshops of ECML PKDD 2019, Proceedings
Editors: Peggy Cellier, Kurt Driessens
Publisher: Springer
Publication date: 2020
Pages: 159-175
ISBN (Print): 9783030438869
ISBN (Electronic): 978-3-030-43887-6
Status: Published - 2020
Event: 19th Joint European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML PKDD 2019 - Wurzburg, Germany
Duration: 16 Sep 2019 - 20 Sep 2019

Conference

Conference: 19th Joint European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML PKDD 2019
Country/Territory: Germany
City: Wurzburg
Period: 16/09/2019 - 20/09/2019
Series name: Communications in Computer and Information Science
Volume: 1168 CCIS
ISSN: 1865-0929
