Quantitative Comparison of Unsupervised Anomaly Detection Algorithms for Intrusion Detection / Filipe, Falcão Batista dos Santos; Zoppi, Tommaso; Caio, BARBOSA VIEIRA DA SILVA; Anderson, SANTOS DA SILVA; Baldoino, FONSECA DOS SANTOS NETO; Ceccarelli, Andrea; Bondavalli, Andrea. - ELECTRONIC. - (2019), pp. 318-327. (Paper presented at the ACM SYMPOSIUM ON APPLIED COMPUTING conference held in Limassol, Cyprus, 8-12/4/2019) [10.1145/3297280.3297314].

Quantitative Comparison of Unsupervised Anomaly Detection Algorithms for Intrusion Detection

Tommaso Zoppi
2019-01-01

Abstract

Anomaly detection algorithms aim at identifying unexpected fluctuations in the expected behavior of target indicators, and, when applied to intrusion detection, suspect attacks whenever the above deviations are observed. Through years, several of such algorithms have been proposed, evaluated experimentally, and analyzed in qualitative and quantitative surveys. However, the experimental comparison of a comprehensive set of algorithms for anomaly-based intrusion detection against a comprehensive set of attacks datasets and attack types was not investigated yet. To fill such gap, in this paper we experimentally evaluate a pool of twelve unsupervised anomaly detection algorithms on five attacks datasets. Results allow elaborating on a wide range of arguments, from the behavior of the individual algorithm to the suitability of the datasets to anomaly detection. We identify the families of algorithms that are more effective for intrusion detection, and the families that are more robust to the choice of configuration parameters. Further, we confirm experimentally that attacks with unstable and non-repeatable behavior are more difficult to detect, and that datasets where anomalies are rare events usually result in better detection scores.
2019
Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing
New York
ACM, New York, NY, USA
978-1-4503-5933-7
Filipe, Falcão Batista dos Santos; Zoppi, Tommaso; Caio, BARBOSA VIEIRA DA SILVA; Anderson, SANTOS DA SILVA; Baldoino, FONSECA DOS SANTOS NETO; Ceccarelli, Andrea; Bondavalli, Andrea
Use this identifier to cite or link to this document: https://hdl.handle.net/11572/390290
Citations
  • PMC ND
  • Scopus 32
  • ISI 27