Publication:
Knowledge based anomaly detection
Knowledge based anomaly detection
| dc.contributor.author | Prayote, Akara | en_US |
| dc.date.accessioned | 2022-03-21T15:42:48Z | |
| dc.date.available | 2022-03-21T15:42:48Z | |
| dc.date.issued | 2007 | en_US |
| dc.description.abstract | Traffic anomaly detection is a standard task for network administrators, who with experience can generally differentiate anomalous traffic from normal traffic. Many approaches have been proposed to automate this task. Most of them attempt to develop a sufficiently sophisticated model to represent the full range of normal traffic behaviour. There are significant disadvantages to this approach. Firstly, a large amount of training data for all acceptable traffic patterns is required to train the model. For example, it can be perfectly obvious to an administrator how traffic changes on public holidays, but very difficult, if not impossible, for a general model to learn to cover such irregular or ad-hoc situations. In contrast, in the proposed method, a number of models are gradually created to cover a variety of seen patterns, while in use. Each model covers a specific region in the problem space. Any novel or ad-hoc patterns can be covered easily. The underlying technique is a knowledge acquisition approach named Ripple Down Rules. In essence we use Ripple Down Rules to partition a domain, and add new partitions as new situations are identified. Within each supposedly homogeneous partition we use fairly simple statistical techniques to identify anomalous data. The special feature of these statistics is that they are reasonably robust with small amounts of data. This critical situation occurs whenever a new partition is added. We have developed a two knowledge base approach. One knowledge base partitions the domain. Within each domain statistics are accumulated on a number of different parameters. The resultant data are passed to a knowledge base which decides whether enough parameters are anomalous to raise an alarm. We evaluated the approach on real network data. The results compare favourably with other techniques, but with the advantage that the RDR approach allows new patterns of use to be rapidly added to the model. We also used the approach to extend previous work on prudent expert systems - expert systems that warn when a case is outside its range of experience. Of particular significance we were able to reduce the false positive to about 5%. | en_US |
| dc.identifier.uri | http://hdl.handle.net/1959.4/40636 | |
| dc.language | English | |
| dc.language.iso | EN | en_US |
| dc.publisher | UNSW, Sydney | en_US |
| dc.rights | CC BY-NC-ND 3.0 | en_US |
| dc.rights.uri | https://creativecommons.org/licenses/by-nc-nd/3.0/au/ | en_US |
| dc.subject.other | Computer networks -- Security measures. | en_US |
| dc.subject.other | Computer networks -- Access control. | en_US |
| dc.subject.other | Computer security. | en_US |
| dc.subject.other | Data protection. | en_US |
| dc.title | Knowledge based anomaly detection | en_US |
| dc.type | Thesis | en_US |
| dcterms.accessRights | open access | |
| dcterms.rightsHolder | Prayote, Akara | |
| dspace.entity.type | Publication | en_US |
| unsw.accessRights.uri | https://purl.org/coar/access_right/c_abf2 | |
| unsw.identifier.doi | https://doi.org/10.26190/unsworks/17451 | |
| unsw.relation.faculty | Engineering | |
| unsw.relation.originalPublicationAffiliation | Prayote, Akara, Computer Science & Engineering, Faculty of Engineering, UNSW | en_US |
| unsw.relation.school | School of Computer Science and Engineering | * |
| unsw.thesis.degreetype | PhD Doctorate | en_US |
Files
Original bundle
1 - 1 of 1