Performance evaluation of unsupervised techniques in cyber-attack anomaly detection



ORIGINAL RESEARCH

Jorge Meira² · Rui Andrade¹ · Isabel Praça¹ · João Carneiro¹ · Verónica Bolón-Canedo² · Amparo Alonso-Betanzos² · Goreti Marreiros¹

Received: 28 November 2018 / Accepted: 1 August 2019
© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Abstract

Cyber security is a critical area in computer systems, especially when dealing with sensitive data. At present it is becoming increasingly important to ensure that computer systems are secured against attacks, because modern society depends on those systems. To prevent these attacks, most organizations nowadays make use of anomaly-based intrusion detection systems (IDS). Usually an IDS contains machine learning algorithms that aid in predicting or detecting anomalous patterns in computer systems. Most of these algorithms are supervised techniques, which have gaps in the detection of unknown patterns or zero-day exploits, since these are not present in the algorithm's learning phase. To address this problem, we present in this paper an empirical study of several unsupervised learning algorithms used in the detection of unknown attacks. In this study we evaluated and compared the performance of different types of anomaly detection techniques on two publicly available datasets: NSL-KDD and ISCX. This evaluation allows us to understand the behaviour of these techniques and how they could be fitted into an IDS to fill the gap mentioned above. The present evaluation could also be used in the future as a basis for comparing results with other unsupervised algorithms applied in the cybersecurity field. The results obtained show that the techniques used are capable of carrying out anomaly detection with acceptable performance, making them suitable candidates for future integration into intrusion detection tools.

Keywords: Anomaly detection · One-class classification · Intrusion detection · Unsupervised learning
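The point the abstract makes against supervised IDS models is that a one-class detector is fitted on normal traffic only, so an attack type that was absent from training can still be flagged simply because it does not look like normal. The following is an added illustration of that idea, not code from the paper or its authors, and the paper does not say which algorithms it evaluated: it uses a k-nearest-neighbour distance in z-scored feature space, sets its threshold from the training data alone, and reports the same kind of performance figures (precision, recall, false-positive rate) such an evaluation produces. The five-column record layout, every value in the two record lists and the two "attack" rows are constructed for the example and are not rows from NSL-KDD or ISCX.

```python
"""One-class anomaly detection: fit on normal records only, flag what is far from them."""
import math
import statistics
from typing import Dict, List, Sequence, Tuple

# Constructed records in a reduced NSL-KDD-style layout (assumed for the example, not
# taken from the dataset): (src_bytes, dst_bytes, count, srv_count, serror_rate).
FEATURES = ("src_bytes", "dst_bytes", "count", "srv_count", "serror_rate")

NORMAL_TRAIN: List[Tuple[float, ...]] = [
    (215, 45076, 1, 1, 0.00), (162, 4528, 2, 2, 0.00), (236, 1228, 1, 1, 0.00),
    (233, 2032, 2, 2, 0.00), (239, 486, 3, 3, 0.33), (238, 1282, 4, 4, 0.00),
    (235, 1337, 2, 2, 0.00), (234, 1364, 3, 3, 0.00), (239, 1295, 5, 5, 0.00),
    (181, 5450, 8, 8, 0.12),
]

# Constructed evaluation set: (record, is_attack). No attack row is ever used for fitting.
TEST_SET: List[Tuple[Tuple[float, ...], bool]] = [
    ((237, 1240, 1, 1, 0.00), False), ((232, 2050, 2, 2, 0.00), False),
    ((240, 1300, 4, 4, 0.00), False), ((181, 5440, 8, 8, 0.10), False),
    ((0, 0, 511, 511, 1.00), True),   # SYN-flood-like: many connections, all in error
    ((8, 0, 60, 1, 0.00), True),      # sweep-like: many tiny connections, one service
]


class OneClassKNN:
    """Score = mean distance to the k nearest normal training records (z-scored features).

    The threshold is the largest leave-one-out score observed on the training data times
    a margin, so it is derived from normal traffic alone: a record is flagged when it is
    farther from normal than any normal record is from the rest of normal, regardless of
    whether its attack type was known when the detector was built.
    """

    def __init__(self, k: int = 2, margin: float = 1.0) -> None:
        self.k, self.margin = k, margin
        self.means: List[float] = []
        self.scales: List[float] = []
        self.train: List[List[float]] = []
        self.threshold = 0.0

    def fit(self, rows: Sequence[Sequence[float]]) -> "OneClassKNN":
        if len(rows) <= self.k:
            raise ValueError("need more than k training records for leave-one-out")
        cols = list(zip(*rows))
        self.means = [statistics.fmean(c) for c in cols]
        # Edge case: a feature that is constant in normal traffic has std 0. Fall back to
        # a unit scale so standardization never divides by zero (that feature then
        # contributes its raw deviation instead of a z-score).
        self.scales = [statistics.pstdev(c) or 1.0 for c in cols]
        self.train = [self._standardize(r) for r in rows]
        loo = [self._knn_score(z, exclude=i) for i, z in enumerate(self.train)]
        self.threshold = max(loo) * self.margin
        return self

    def _standardize(self, row: Sequence[float]) -> List[float]:
        return [(x - m) / s for x, m, s in zip(row, self.means, self.scales)]

    def _knn_score(self, z: List[float], exclude: int = -1) -> float:
        dists = sorted(math.dist(z, t) for i, t in enumerate(self.train) if i != exclude)
        return statistics.fmean(dists[: self.k])

    def score(self, row: Sequence[float]) -> float:
        return self._knn_score(self._standardize(row))

    def is_anomaly(self, row: Sequence[float]) -> bool:
        return self.score(row) > self.threshold


def evaluate(det: OneClassKNN, labeled: Sequence[Tuple[Sequence[float], bool]]) -> Dict[str, float]:
    """Confusion-matrix metrics of the detector on labelled records (labels used only here)."""
    tp = fp = tn = fn = 0
    for row, is_attack in labeled:
        flagged = det.is_anomaly(row)
        if flagged and is_attack: tp += 1
        elif flagged: fp += 1
        elif is_attack: fn += 1
        else: tn += 1
    return {
        "accuracy": (tp + tn) / len(labeled),
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }


def run_demo() -> Tuple[OneClassKNN, Dict[str, float]]:
    det = OneClassKNN(k=2).fit(NORMAL_TRAIN)
    return det, evaluate(det, TEST_SET)


if __name__ == "__main__":
    det, metrics = run_demo()
    print(f"threshold (from normal data only) = {det.threshold:.2f}")
    for row, is_attack in TEST_SET:
        print(f"{row} attack={is_attack} score={det.score(row):.2f} flagged={det.is_anomaly(row)}")
    print(metrics)
```

The two attack rows score an order of magnitude above the threshold even though nothing resembling them was fitted, which is the behaviour the abstract wants from an unsupervised component. The same code also shows the cost such a detector carries in practice: the threshold is set by the most unusual normal record, so one rare-but-legitimate training record (the 45 kB download in the first row) widens the accepted region for everyone, and the false-positive rate on real traffic depends on how well the training sample covers normal behaviour.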

1 Introduction


Computer systems play a major role in modern everyday life. Almost everything, from personal calendars to financial records and e-commerce operations, is done with a computing device that has a network connection. Important information is stored on, and sent between, all sorts of devices, from small low-power smartwatches to huge datacenters. This creates an extensive attack surface that malicious individuals and/or organizations may try to exploit. Attackers use a variety of techniques to exploit security flaws in systems. This may result in breaches of sensitive data, stolen user accounts or an attacker taking control of the system. To combat these attacks, system administrators and security experts often need to deploy security measures to eliminate these attacks or at least mitigate their effects. One of these measures is the intrusion detection system (IDS). These systems perform cyber-attack detection, using a variety of techniques to discover failures and m