Reducing False Positives of Network Anomaly Detection by Local Adaptive Multivariate Smoothing

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F17%3A00306972" target="_blank" >RIV/68407700:21230/17:00306972 - isvavai.cz</a>

Výsledek na webu

<a href="http://www.sciencedirect.com/science/article/pii/S0022000016300022" target="_blank" >http://www.sciencedirect.com/science/article/pii/S0022000016300022</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1016/j.jcss.2016.03.007" target="_blank" >10.1016/j.jcss.2016.03.007</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Reducing False Positives of Network Anomaly Detection by Local Adaptive Multivariate Smoothing

Popis výsledku v původním jazyce

Network intrusion detection systems based on the anomaly detection paradigm have high false alarm rate making them difficult to use. To address this weakness, we propose to smooth the outputs of anomaly detectors by online Local Adaptive Multivariate Smoothing (LAMS). LAMS can reduce a large portion of false positives introduced by the anomaly detection by replacing the anomaly detector's output on a network event with an aggregate of its output on all similar network events observed previously. The arguments are supported by extensive experimental evaluation involving several anomaly detectors in two domains: NetFlow and proxy logs. Finally, we show how the proposed solution can be efficiently implemented to process large streams of non-stationary data.

Název v anglickém jazyce

Reducing False Positives of Network Anomaly Detection by Local Adaptive Multivariate Smoothing

Popis výsledku anglicky

Network intrusion detection systems based on the anomaly detection paradigm have high false alarm rate making them difficult to use. To address this weakness, we propose to smooth the outputs of anomaly detectors by online Local Adaptive Multivariate Smoothing (LAMS). LAMS can reduce a large portion of false positives introduced by the anomaly detection by replacing the anomaly detector's output on a network event with an aggregate of its output on all similar network events observed previously. The arguments are supported by extensive experimental evaluation involving several anomaly detectors in two domains: NetFlow and proxy logs. Finally, we show how the proposed solution can be efficiently implemented to process large streams of non-stationary data.

Druh

J_imp - Článek v periodiku v databázi Web of Science

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

—

Návaznosti

I - Institucionalni podpora na dlouhodoby koncepcni rozvoj vyzkumne organizace

Rok uplatnění

2017

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název periodika

Journal of Computer and System Sciences

ISSN

0022-0000

e-ISSN

1090-2724

Svazek periodika

83

Číslo periodika v rámci svazku

1

Stát vydavatele periodika

NL - Nizozemsko

Počet stran výsledku

15

Strana od-do

43-57

Kód UT WoS článku

000384038500004

EID výsledku v databázi Scopus

2-s2.0-84962684610