Anomaly detection aims at finding patterns in data that do not conform to the expected behavior. It is largely adopted in intrusion detection systems, relying on unsupervised algorithms that have the potential to detect zero-day attacks; however, efficacy of algorithms varies depending on the observed system and the attacks. Selecting the algorithm that maximizes detection capability is a challenging task with no master key. This paper tackles the challenge above by devising and applying a methodology to identify relations between attack families, anomaly classes and algorithms. The implication is that an unknown attack belonging to a specific attack family is most likely to get observed by unsupervised algorithms that are particularly effective on such attack family. This paves the way to rules for the selection of algorithms based on the identification of attack families. The paper proposes and applies a methodology based on analytical and experimental investigations supported by a tool to i) identify which anomaly classes are most likely raised by the different attack families, ii) study suitability of anomaly detection algorithms to detect anomaly classes, iii) combine previous results to relate anomaly detection algorithms and attack families, and iv) define guidelines to select unsupervised algorithms for intrusion detection.

On the educated selection of unsupervised algorithms via attacks and anomaly classes / Zoppi, T.; Ceccarelli, A.; Salani, L.; Bondavalli, A.. - In: JOURNAL OF INFORMATION SECURITY AND APPLICATIONS. - ISSN 2214-2134. - ELETTRONICO. - 52:(2020), pp. 10247401-10247411. [10.1016/j.jisa.2020.102474]

On the educated selection of unsupervised algorithms via attacks and anomaly classes

Zoppi, T.;
2020-01-01

Abstract

Anomaly detection aims at finding patterns in data that do not conform to the expected behavior. It is largely adopted in intrusion detection systems, relying on unsupervised algorithms that have the potential to detect zero-day attacks; however, efficacy of algorithms varies depending on the observed system and the attacks. Selecting the algorithm that maximizes detection capability is a challenging task with no master key. This paper tackles the challenge above by devising and applying a methodology to identify relations between attack families, anomaly classes and algorithms. The implication is that an unknown attack belonging to a specific attack family is most likely to get observed by unsupervised algorithms that are particularly effective on such attack family. This paves the way to rules for the selection of algorithms based on the identification of attack families. The paper proposes and applies a methodology based on analytical and experimental investigations supported by a tool to i) identify which anomaly classes are most likely raised by the different attack families, ii) study suitability of anomaly detection algorithms to detect anomaly classes, iii) combine previous results to relate anomaly detection algorithms and attack families, and iv) define guidelines to select unsupervised algorithms for intrusion detection.
2020
Zoppi, T.; Ceccarelli, A.; Salani, L.; Bondavalli, A.
On the educated selection of unsupervised algorithms via attacks and anomaly classes / Zoppi, T.; Ceccarelli, A.; Salani, L.; Bondavalli, A.. - In: JOURNAL OF INFORMATION SECURITY AND APPLICATIONS. - ISSN 2214-2134. - ELETTRONICO. - 52:(2020), pp. 10247401-10247411. [10.1016/j.jisa.2020.102474]
File in questo prodotto:
File Dimensione Formato  
On-the-educated-selection-of-unsupervised-algorithms-via-attacks-and-anomaly-classes2020Journal-of-Information-Security-and-Applications.pdf

accesso aperto

Tipologia: Versione editoriale (Publisher’s layout)
Licenza: Creative commons
Dimensione 1.98 MB
Formato Adobe PDF
1.98 MB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/390276
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 20
  • ???jsp.display-item.citation.isi??? 15
social impact