Catch It If You Can: Real-Time Network Anomaly Detection with Low False Alarm Rates


Bibliographic Details
Published in: 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 924-929
Main Authors: Kathareios, Georgios; Anghel, Andreea; Mate, Akos; Clauberg, Rolf; Gusat, Mitch
Format: Conference Proceeding
Language: English
Published: IEEE, 01-12-2017
Description
Summary: Unsupervised anomaly detection (AD) has shown promise against the constant stream of new cyberattacks. But because anomalies are not always malicious, such systems generate prodigious false alarm rates. The resulting manual validation workload often overwhelms the IT operators: it slows down the system's reaction by orders of magnitude and ultimately thwarts its applicability. We therefore propose a real-time network AD system that reduces the manual workload by coupling two learning stages. The first stage performs adaptive unsupervised AD using a shallow autoencoder. The second stage uses a custom nearest-neighbor classifier that models the operators' manual classification in order to filter out false positives. We implement a prototype for 10-50 Gbps speeds and evaluate it with traffic from a national network operator: we achieve a 98.5% true positive rate and a 1.3% false positive rate, while reducing the human intervention rate by 5x.
DOI: 10.1109/ICMLA.2017.00-36
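The two-stage design described in the summary, as an added worked example that is not code from the paper or its authors: stage 1 is a shallow linear autoencoder (4 inputs, 2 hidden units, trained by plain gradient descent) that scores each flow by reconstruction error against a threshold calibrated on a window of normal traffic; stage 2 is a nearest-neighbor memory of the operator's verdicts that suppresses a new anomaly only when its nearest validated neighbor is benign and close. The flow features, the constructed normal/backup/scan flows, the `simulated_operator` rule, the radius of 3.0 and the 1.5x threshold margin are all assumptions made for the example, not values from the paper.

```python
"""Two-stage network anomaly detector (added example, not the paper's code):
stage 1 = shallow linear autoencoder scored by reconstruction error,
stage 2 = nearest-neighbour memory of operator verdicts that filters repeats
of already-validated benign anomalies.  Pure Python; all flows are constructed."""
import math
import random

FEATURES = ["packets/s", "bytes/s", "distinct dst ports", "SYN ratio"]  # assumed feature set


def make_normal_flows(n, rng):
    """Constructed 'normal' flows: bytes track packets closely, few dst ports, low SYN ratio."""
    flows = []
    for _ in range(n):
        pkts = rng.gauss(100, 20)
        flows.append([pkts, pkts * 800 + rng.gauss(0, 5000),
                      rng.randint(1, 5), max(0.0, rng.gauss(0.10, 0.03))])
    return flows


class Standardizer:
    """Per-feature z-scoring fitted on the training window."""
    def __init__(self, rows):
        n, d = len(rows), len(rows[0])
        self.mean = [sum(r[j] for r in rows) / n for j in range(d)]
        self.std = [math.sqrt(sum((r[j] - m) ** 2 for r in rows) / n) or 1.0
                    for j, m in enumerate(self.mean)]

    def __call__(self, x):
        return [(x[j] - self.mean[j]) / self.std[j] for j in range(len(x))]


class ShallowAutoencoder:
    """d -> h -> d linear autoencoder, per-sample gradient descent on 0.5*||V W x - x||^2.
    Traffic that does not fit the low-dimensional structure of normal flows reconstructs badly."""
    def __init__(self, d, h, rng, lr=0.005):
        self.W = [[rng.uniform(-0.1, 0.1) for _ in range(d)] for _ in range(h)]  # encoder h x d
        self.V = [[rng.uniform(-0.1, 0.1) for _ in range(h)] for _ in range(d)]  # decoder d x h
        self.lr = lr

    def _forward(self, x):
        z = [sum(w[j] * x[j] for j in range(len(x))) for w in self.W]
        return z, [sum(v[k] * z[k] for k in range(len(z))) for v in self.V]

    def error(self, x):
        _, r = self._forward(x)
        return sum((r[j] - x[j]) ** 2 for j in range(len(x)))

    def fit(self, rows, epochs=40):
        for _ in range(epochs):
            for x in rows:
                z, r = self._forward(x)
                e = [r[j] - x[j] for j in range(len(x))]
                g = [sum(self.V[j][k] * e[j] for j in range(len(x))) for k in range(len(z))]  # V^T e
                for j in range(len(x)):
                    for k in range(len(z)):
                        self.V[j][k] -= self.lr * e[j] * z[k]     # dL/dV = e z^T
                for k in range(len(z)):
                    for j in range(len(x)):
                        self.W[k][j] -= self.lr * g[k] * x[j]     # dL/dW = V^T e x^T


class VerdictFilter:
    """Stage 2: nearest-neighbour memory of past operator verdicts (standardized x, verdict).
    Suppress only if the nearest validated anomaly is benign and within `radius`."""
    def __init__(self, radius):
        self.radius, self.memory = radius, []

    def should_suppress(self, x):
        best = min(((math.dist(v, x), label) for v, label in self.memory), default=None)
        return best is not None and best[0] <= self.radius and best[1] == "benign"

    def remember(self, x, verdict):
        self.memory.append((x, verdict))


class TwoStageDetector:
    def __init__(self, normal_flows, rng, radius=3.0):
        self.scale = Standardizer(normal_flows)
        rows = [self.scale(f) for f in normal_flows]
        self.ae = ShallowAutoencoder(len(FEATURES), 2, rng)
        self.ae.fit(rows)
        # Threshold calibrated on the training window; rebuild on a fresh window to adapt to drift.
        self.threshold = 1.5 * max(self.ae.error(x) for x in rows)
        self.filter = VerdictFilter(radius)
        self.stats = {"flows": 0, "stage1_alerts": 0, "suppressed": 0, "escalated": 0}

    def process(self, flow, operator):
        """Returns 'normal', 'suppressed', or the operator's verdict for an escalated alert."""
        self.stats["flows"] += 1
        x = self.scale(flow)
        if self.ae.error(x) <= self.threshold:
            return "normal"
        self.stats["stage1_alerts"] += 1
        if self.filter.should_suppress(x):
            self.stats["suppressed"] += 1
            return "suppressed"
        self.stats["escalated"] += 1
        verdict = operator(flow)             # manual validation is stage 2's training signal
        self.filter.remember(x, verdict)
        return verdict


def simulated_operator(flow):
    """Stand-in for the analyst (constructed rule): many dst ports, almost all SYN -> scan."""
    return "malicious" if flow[2] > 50 and flow[3] > 0.8 else "benign"


BACKUP_FLOWS = [[5000, 7_000_000, 1, 0.05], [5010, 7_010_000, 1, 0.06],
                [4990, 6_990_000, 1, 0.05], [5005, 7_000_000, 2, 0.04]]  # benign nightly backup
SCAN_FLOWS = [[400, 24_000, 200, 0.98], [410, 24_600, 210, 0.97]]        # SYN port scans


def run_demo(seed=7):
    rng = random.Random(seed)
    det = TwoStageDetector(make_normal_flows(300, rng), rng)
    stream = ([(f, "normal") for f in make_normal_flows(100, rng)]
              + [(f, "backup") for f in BACKUP_FLOWS] + [(f, "scan") for f in SCAN_FLOWS])
    out = {"normal": [], "backup": [], "scan": []}
    for flow, kind in stream:
        out[kind].append(det.process(flow, simulated_operator))
    return out, det.stats


if __name__ == "__main__":
    out, stats = run_demo()
    print("backups:", out["backup"])   # first one escalated, the repeats suppressed
    print("scans:  ", out["scan"])
    print(stats)
```

Both the backup job and the port scans trip stage 1, because neither fits the packets/bytes structure of normal traffic; only the first backup reaches the operator, and the later ones are suppressed by stage 2, which is where the reduction in human intervention comes from. Two caveats a practitioner should keep in view: the suppression radius decides how aggressive the filter is, and an overly large radius lets an attacker hide inside the neighborhood of a benign verdict; and the stage-1 threshold is only as good as the calibration window, so it must be re-estimated as the traffic drifts.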