SuperB: Superior Behavior-based Anomaly Detection Defining Authorized Users' Traffic Patterns
- Authors
- Karasek, Daniel Y.; Kim, Jeehyeong; Kemmoe, Victor Youdom; Bhuiyan, Md Zakirul Alam; Cho, Sunghyun; Son, Junggab
- Issue Date
- Sep-2020
- Publisher
- IEEE
- Keywords
- Anomaly Detection; Network Anomaly; Deep Learning; Classification; Behavior identification
- Citation
- 2020 29th International Conference on Computer Communications and Networks (ICCCN), v.2020-August, pp 1 - 9
- Pages
- 9
- Indexed
- SCI
SCOPUS
- Journal Title
- 2020 29th International Conference on Computer Communications and Networks (ICCCN)
- Volume
- 2020-August
- Start Page
- 1
- End Page
- 9
- URI
- https://scholarworks.bwise.kr/erica/handle/2021.sw.erica/116311
- DOI
- 10.1109/ICCCN49398.2020.9209657
- ISSN
- 1095-2055
- Abstract
- Network anomalies are correlated to activities that deviate from regular behavior patterns in a network, and they are undetectable until their actions are defined as malicious. Current work in network anomaly detection includes network-based and host-based intrusion detection systems. However, most of them suffer from high false detection rates due to the base rate fallacy. To overcome such a drawback, this paper proposes a superior behavior-based anomaly detection system (SuperB) that defines legitimate network behaviors of authorized users in order to identify unauthorized accesses. We define the network behaviors of the authorized users by training the proposed deep learning model with time-series data extracted from network packets of each of the users. Then, the trained model is used to classify all other behaviors (we define these as anomalies) from the defined legitimate behaviors. As a result, SuperB effectively detects all anomalies of network behaviors. Our simulation results show that the proposed algorithm needs at least five end-toend conversations to achieve over 95% accuracy and over 93% recall rate. Some simulations show 100% accuracy and recall rate. Our simulations use live network data combined with the CICIDS2017 data set. The performance has an average of less than 1.1% false-positive rate with some simulations showing 0%. The execution time to process each conversation is 85.20 +/- 0.60 milliseconds (ms), and thus it takes about only 426 ms to process five conversations to identify anomaly.
- Files in This Item
-
Go to Link
- Appears in
Collections - COLLEGE OF COMPUTING > ERICA 컴퓨터학부 > 1. Journal Articles
![qrcode](https://api.qrserver.com/v1/create-qr-code/?size=55x55&data=https://scholarworks.bwise.kr/erica/handle/2021.sw.erica/116311)
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.