Title :
Mining Concept Drifting Network Traffic in Cloud Computing Environments
Author :
Mukkavilli, Sai Kiran ; Shetty, Sachin
Author_Institution :
Dept. of Electr. & Comput. Eng., Tennessee State Univ., Nashville, TN, USA
Abstract :
Anomaly-based network Intrusion Detection Systems (IDS) model patterns of normal activity and detect novel network attacks. However, these systems depend on the availability of the system's normal traffic pattern profile. The statistical fingerprint of the normal traffic pattern can change and shift over a period of time due to changes in operational or user activity at the networked site, or even system updates. These changes in normal traffic patterns over time lead to concept drift. Some changes can be temporal or cyclical, and they can be short-lived or last for longer periods of time. Depending on a number of factors, the speed at which the change in traffic patterns occurs can also vary, ranging from near instantaneous to a change occurring over the span of numerous months. These changes in traffic patterns are a cause of concern for IDSs, as they can lead to a significant increase in false positive rates, thereby reducing overall system performance. In order to improve the reliability of the IDS, there is a need for an automated mechanism to detect valid traffic changes and avoid inappropriate ad hoc responses. ROC curves have historically been used to evaluate the accuracy of IDSs. ROC curves generated using fixed, time-invariant classification thresholds do not characterize the best accuracy that an IDS can achieve in the presence of concept-drifting network traffic. In this paper, we present an integrated supervised machine learning and control theoretic model (especially for clouds) for detecting concept drift in network traffic patterns. The model comprises an online support vector machine based classifier (incremental anomaly based detection), a Kullback-Leibler divergence based relative entropy measurement scheme (quantifying concept drift) and a feedback control engine (adapting ROC thresholding). In our proposed system, any intrusion activity will cause significant variations, thereby causing a large error, while a minor aberration in the variations (concept drift) will not be immediately reported as an alert.
Keywords :
cloud computing; computer network performance evaluation; computer network security; data mining; feedback; pattern classification; support vector machines; telecommunication traffic; IDS reliability improvement; Kullback-Leibler divergence based relative entropy measurement scheme; ROC curves; ROC thresholding; anomaly-based network IDS; anomaly-based network intrusion detection systems; cloud computing environments; concept drift detection; concept drift mining; concept-drifting network traffic; control theoretic model; false positive rates; feedback control engine; fixed time-invariant classification thresholds; incremental anomaly based detection; network attack detection; normal activity patterns; normal traffic pattern profile availability; online support vector machine based classifier; statistical fingerprint; supervised machine learning; system performance reduction; system updates; user activity; Accuracy; Adaptation models; Hidden Markov models; Intrusion detection; Support vector machines; Telecommunication traffic; Traffic control; Anomaly Based Intrusion Detection Systems; Support Vector Machine and Concept Drift;
Conference_Title :
Cluster, Cloud and Grid Computing (CCGrid), 2012 12th IEEE/ACM International Symposium on
Conference_Location :
Ottawa, ON
Print_ISBN :
978-1-4673-1395-7
DOI :
10.1109/CCGrid.2012.142