FOSS: Towards fine-grained unknown class detection against the open-set attack spectrum with variable legitimate traffic

Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security community has found limitations when putting most existing proposals into practice. The challenges mainly concern (i) fine-grained unknown attack detection and (ii) adaptation to ever-changing legitimate traffic. To tackle these problems, we present three key design norms. The core idea is to construct a model that splits the data distribution hyperplane and leverages the concept of isolation, and to advance incremental model updating. We use the isolation tree as the backbone of our model, named FOSS, to realize the three norms. By analyzing the popular dataset of network intrusion traces, we show that FOSS significantly outperforms state-of-the-art methods. Further, we perform an initial deployment of FOSS with an Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. Through real-world tests and manual analysis, we demonstrate the effectiveness of FOSS in identifying previously unseen attacks in a fine-grained manner.

Bibliographic Details
Main Authors: ZHAO, Ziming; LI, Zhaoxuan; XIE, Xiaofei; YU, Jiongchi; ZHANG, Fan; ZHANG, Rui; CHEN, Binbin; LUO, Xiangyang; HU, Ming; MA, Wenrui
Format: text (application/pdf)
Language: English
Published: Institutional Knowledge at Singapore Management University, 2024
Date Available: 2024-08-01
DOI: 10.1109/TNET.2024.3413789
Subjects: Intrusion detection system; fine-grained unknown class detection; isolation forest; Information Security
Collection: Research Collection School Of Computing and Information Systems (InK@SMU, SMU Libraries)
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Online Access: https://ink.library.smu.edu.sg/sis_research/9363
https://ink.library.smu.edu.sg/context/sis_research/article/10363/viewcontent/FOSS_2024_av.pdf
Institution: Singapore Management University
Record ID: sg-smu-ink.sis_research-10363
Record Last Updated: 2024-10-25T09:28:43Z