Show simple item record

dc.contributor.author: Clausen, Henry (en_GB)
dc.contributor.author: Grov, Gudmund (en_GB)
dc.contributor.author: Aspinall, David (en_GB)
dc.date.accessioned: 2021-06-14T06:36:52Z
dc.date.accessioned: 2021-06-16T07:29:39Z
dc.date.available: 2021-06-14T06:36:52Z
dc.date.available: 2021-06-16T07:29:39Z
dc.date.issued: 2021
dc.identifier.citation: Clausen H, Grov G, Aspinall D. CBAM: A Contextual Model for Network Anomaly Detection. Computers. 2021;10(6) (en_GB)
dc.identifier.uri: http://hdl.handle.net/20.500.12242/2901
dc.description: Clausen, Henry; Grov, Gudmund; Aspinall, David. CBAM: A Contextual Model for Network Anomaly Detection. Computers 2021; Volume 10(6) (en_GB)
dc.description.abstract: Anomaly-based intrusion detection methods aim to counter the increasing rate of zero-day attacks; however, their success is currently restricted to detecting high-volume attacks using aggregated traffic features. Recent evaluations show that current anomaly-based network intrusion detection methods fail to reliably detect remote access attacks. These attacks are smaller in volume and often stand out only when compared with their surroundings. Current anomaly methods try to detect access attack events mainly as point anomalies and neglect the context in which they appear. We present and examine a contextual bidirectional anomaly model (CBAM), based on deep LSTM networks, that is specifically designed to detect such attacks as contextual network anomalies. The model efficiently learns short-term sequential patterns in network flows as conditional event probabilities. Access attacks frequently break these patterns when exploiting vulnerabilities and can thus be detected as contextual anomalies. We evaluated CBAM on an assembly of three datasets that together provide representative network access attacks, real-life traffic over a long timespan, and traffic from a real-world red-team attack. We contend that this assembly is closer to a potential deployment environment than current NIDS benchmark datasets. We show that, by building a deep model, we are able to reduce the false positive rate to 0.16% while effectively detecting six out of seven access attacks; this false positive rate is significantly lower than the operational range of other methods. We further demonstrate that short-term flow structures remain stable over long periods of time, making CBAM robust against concept drift. (en_GB)
dc.language.iso: en (en_GB)
dc.subject: Networks (Norwegian: Nettverk) (en_GB)
dc.subject: Deep learning (Norwegian: Dyp læring) (en_GB)
dc.subject: Anomaly detection (Norwegian: Avviksdeteksjon) (en_GB)
dc.title: CBAM: A Contextual Model for Network Anomaly Detection (en_GB)
dc.type: Article (en_GB)
dc.date.updated: 2021-06-14T06:36:52Z
dc.identifier.cristinID: 1915474
dc.identifier.doi: 10.3390/computers10060079
dc.source.issn: 2073-431X
dc.type.document: Journal article
dc.relation.journal: Computers

