Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Article type: Research Article
Authors: Flores, Juan J.a; * | Calderon, Felixa | Antolino, Anastaciob | Garcia, Juan M.b
Affiliations: [a] Division de Estudios de Posgrado, Facultad de Ingenieria Electrica, Universidad Michoacana, Mexico | [b] Instituto Tecnologico de Morelia, Depto. de Sistemas y Computacion, Michoacan, Mexico
Correspondence: [*] Corresponding author: Juan J. Flores, Division de Estudios de Posgrado, Facultad de Ingenieria Electrica, Universidad Michoacana, Mexico. E-mail: [email protected].
Abstract: Information security is an important and growing need. The most common schemes used for detection systems include pattern- or signature-based and anomaly-based. Anomaly-based schemes use a set of metrics, which outline the normal system behavior and any significant deviation from the established profile will be treated as an anomaly. This paper contributes with an anomaly-based scheme that monitors the bandwidth consumption of a subnetwork, at the Universidad Michoacana, in Mexico. A normal behavior model is based on bandwidth consumption of the subnetwork. The presence of an anomaly indicates that something is misusing the network (viruses, worms, denial of service, or any other kind of attack). This work also presents a scheme for an automatic architecture design and parameters optimization of Hidden Markov Models (HMMs), based on Evolutionary Programming (EP). The variables to be used by the HMMs are: the bandwidth consumption of network (IN and OUT), and the associated time where the network activity occurs. The system was tested with univariate and bivariate observation sequences to analyze and detect anomaly behavior. The HMMs, designed and trained by EP, were compared against semi-random HMMs trained by the Baum-Welch algorithm. On a second experiment, the HMMs, designed and trained by EP, were compared against HMMs created by an expert user. The HMMs outperformed the other methods in all cases. Finally, we made the HMMs time-aware, by including time as another variable. This inclusion made the HMMs capable of detecting activity patterns that are normal during a period of time but anomalous at other times. For instance, a heavy load on the network may be completely normal during working times, but anomalous at nights or weekends.
Keywords: HMMs, evolutionary programming, genetic algorithms, anomaly detection, Baum-Welch
DOI: 10.3233/IDA-150722
Journal: Intelligent Data Analysis, vol. 19, no. 2, pp. 391-412, 2015
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
[email protected]
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office [email protected]
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
如果您在出版方面需要帮助或有任何建, 件至: [email protected]