Reducing false positives of network anomaly detection by local adaptive multivariate smoothing
| Autor: | Tomáš Pevný, Martin Grill, Martin Rehak |
|---|---|
| Rok vydání: | 2017 |
| Předmět: |
Computer Networks and Communications
Event (computing) Applied Mathematics Detector 020206 networking & telecommunications 02 engineering and technology computer.software_genre Theoretical Computer Science Constant false alarm rate Computational Theory and Mathematics NetFlow 0202 electrical engineering electronic engineering information engineering False positive paradox 020201 artificial intelligence & image processing Anomaly detection Data mining Anomaly (physics) computer Smoothing Mathematics |
| Zdroj: | Journal of Computer and System Sciences. 83:43-57 |
| ISSN: | 0022-0000 |
| DOI: | 10.1016/j.jcss.2016.03.007 |
| Popis: | Network intrusion detection systems based on the anomaly detection paradigm have high false alarm rate making them difficult to use. To address this weakness, we propose to smooth the outputs of anomaly detectors by online Local Adaptive Multivariate Smoothing (LAMS). LAMS can reduce a large portion of false positives introduced by the anomaly detection by replacing the anomaly detector's output on a network event with an aggregate of its output on all similar network events observed previously. The arguments are supported by extensive experimental evaluation involving several anomaly detectors in two domains: NetFlow and proxy logs. Finally, we show how the proposed solution can be efficiently implemented to process large streams of non-stationary data. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|
Full Text from ScienceDirect