Although machine learning (ML) for intrusion detection is attracting research, its deployment in practice has proven difficult. Major hindrances are that training a classifier requires training data with attack samples, and that trained models are bound to a specific network.
To overcome these problems, we propose two new methods for anomaly-based intrusion detection. Both are trained on normal-only data, making deployment much easier. The first approach is based on One-class SVMs, while the second leverages our novel Cellwise Estimator algorithm, which is based on multidimensional OLAP cubes. The latter has the additional benefit of explainable output, in contrast to many ML methods like neural networks. The created models capture the normal behavior of a network and are used to find anomalies that point to attacks. We present a thorough evaluation using benchmark data and a comparison to related approaches showing that our approach is competitive.
History
Editor
Aïmeur E ; Laurent M ; Yaich R ; Dupont B ; García-Alfaro J
Name of Conference
FPS
CISPA Affiliation
No
Journal
FPS
Volume
13291
Page Range
265-282
Publisher
Springer
BibTeX
@conference{Heine:Kleiner:Klostermeyer:Ahlers:Laue:Wellermann:2021,
title = "Detecting Attacks in Network Traffic Using Normality Models: The Cellwise Estimator.",
author = "Heine, Felix" AND "Kleiner, Carsten" AND "Klostermeyer, Philip" AND "Ahlers, Volker" AND "Laue, Tim" AND "Wellermann, Nils",
editor = "Aïmeur, Esma" AND "Laurent, Maryline" AND "Yaich, Reda" AND "Dupont, Benoît" AND "García-Alfaro, Joaquín",
year = 2021,
month = 1,
journal = "FPS",
pages = "265--282",
publisher = "Springer"
}