Comparing unsupervised learning approaches to detect network intrusion using NetFlow data

Julina Zhang, Kerry Jones, Tianye Song, Hyojung Kang, Donald E. Brown

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Networks are vulnerable to costly attacks. Thus, the ability to detect these intrusions early on and minimize their impact is imperative to the financial security and reputation of an institution. There are two mainstream systems of intrusion detection (IDS), signature-based and anomaly-based IDS. Signature-based IDS identify intrusions by referencing a database of known identity, or signature, for each of the previous intrusion events. Anomaly-based IDS attempt to identify intrusions by referencing a baseline or learned patterns of normal behavior. Under this approach, deviations from the baseline are considered intrusions. We assume this type of behavior is rare and distinguishable from normal activity. Our research investigates unsupervised techniques for anomaly-based network intrusion detection. For this research, we use real-time traffic data from University of Virginia network. We evaluate the performance between Local Outlier Factor (LOF) and Isolation Forest (iForest) by probing the similarities and differences between the result of each approach. Distribution plots show there is a greater variation of attributes in anomalies identified by iForest than those anomalies identified by LOF. Furthermore, iForest results are more distinctive from all data than the LOF results. With the assumptions that anomalies are points that are rare and distinctive, we find that iForest performs well in identifying anomalies compared to LOF.

Original languageEnglish (US)
Title of host publication2017 Systems and Information Engineering Design Symposium, SIEDS 2017
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages122-127
Number of pages6
ISBN (Electronic)9781538618486
DOIs
StatePublished - May 31 2017
Externally publishedYes
Event2017 Systems and Information Engineering Design Symposium, SIEDS 2017 - Charlottesville, United States
Duration: Apr 28 2017 → …

Publication series

Name2017 Systems and Information Engineering Design Symposium, SIEDS 2017

Conference

Conference2017 Systems and Information Engineering Design Symposium, SIEDS 2017
CountryUnited States
CityCharlottesville
Period4/28/17 → …

Keywords

  • Anomaly Detection
  • Machine Learning
  • Network Security
  • Unsupervised Learning

ASJC Scopus subject areas

  • Hardware and Architecture
  • Information Systems and Management
  • Computer Science Applications
  • Information Systems
  • Control and Systems Engineering
  • Decision Sciences (miscellaneous)

Fingerprint Dive into the research topics of 'Comparing unsupervised learning approaches to detect network intrusion using NetFlow data'. Together they form a unique fingerprint.

  • Cite this

    Zhang, J., Jones, K., Song, T., Kang, H., & Brown, D. E. (2017). Comparing unsupervised learning approaches to detect network intrusion using NetFlow data. In 2017 Systems and Information Engineering Design Symposium, SIEDS 2017 (pp. 122-127). [7937701] (2017 Systems and Information Engineering Design Symposium, SIEDS 2017). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SIEDS.2017.7937701