FOSS: Towards Fine-Grained Unknown Class Detection Against the Open-Set Attack Spectrum With Variable Legitimate Traffic

Impact factor 3.0; CAS Zone 3 (Computer Science); JCR Q2, COMPUTER SCIENCE, HARDWARE & ARCHITECTURE
Ziming Zhao;Zhaoxuan Li;Xiaofei Xie;Jiongchi Yu;Fan Zhang;Rui Zhang;Binbin Chen;Xiangyang Luo;Ming Hu;Wenrui Ma
DOI: 10.1109/TNET.2024.3413789
Journal: IEEE/ACM Transactions on Networking, vol. 32, no. 5, pp. 3945-3960
Publication date: 2024-08-19 (Journal Article)
Publisher page: https://ieeexplore.ieee.org/document/10638516/
Citation count: 0

Abstract

Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security community has found that most existing proposals show limitations once they are put into practice. The challenges mainly concern (i) fine-grained detection of unknown attacks and (ii) adaptation to ever-changing legitimate traffic. To tackle these problems, we present three key design norms. The core idea is to construct a model that splits the data-distribution hyperplane and leverages the concept of isolation, while also supporting incremental model updates. We use the isolation tree as the backbone of our model, named FOSS, so that it reflects all three norms. By analyzing popular datasets of network intrusion traces, we show that FOSS significantly outperforms state-of-the-art methods. Further, we perform an initial deployment of FOSS in cooperation with an Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of FOSS in identifying previously unseen attacks in a fine-grained manner.
Source journal

IEEE/ACM Transactions on Networking (Engineering & Technology - Telecommunications)
CiteScore: 8.20
Self-citation rate: 5.40%
Articles per year: 246
Review time: 4-8 weeks

Journal description: The IEEE/ACM Transactions on Networking's high-level objective is to publish high-quality, original research results derived from theoretical or experimental exploration of the area of communication/computer networking, covering all sorts of information transport networks over all sorts of physical layer technologies, both wireline (all kinds of guided media: e.g., copper, optical) and wireless (e.g., radio-frequency, acoustic (e.g., underwater), infra-red), or hybrids of these. The journal welcomes applied contributions reporting on novel experiences and experiments with actual systems.