Novel Anomaly Detection and Classification Schemes for Machine-to-Machine Uplink
| Field | Value |
|---|---|
| Title | Novel Anomaly Detection and Classification Schemes for Machine-to-Machine Uplink |
| Publication Type | Conference Paper |
| Year of Publication | 2018 |
| Authors | Kumar, A., Abdelhadi, A., Clancy, C. |
| Conference Name | 2018 IEEE International Conference on Big Data (Big Data) |
| Date Published | December |
| Keywords | anomaly detection, anomaly detection schemes, big data security, classification schemes, Computer crime, computer network security, cyber-attacks, cyber-vulnerabilities, DDoS Attack, Device failures, distributed denial-of-service attacks, emergency scenarios, Engines, feature extraction, feature-based detection schemes, general M2M uplink, high false-alarm rate, Internet, intrusion detection schemes, IT networks, legitimate M2M connections, low-complexity, low-false alarm rate, low-volume sophisticated attacks, M2M, M2M emergency, machine-to-machine communications, machine-to-machine networks, machine-to-machine uplink, Measurement, Metrics, modified Canberra distance metric, Monte Carlo methods, Monte-Carlo simulations, pubcrawl, resilience, Resiliency, Scalability, Sensors, standard information technology systems, terminal device failures, volumetric anomaly detection |
| Abstract | Machine-to-Machine (M2M) networks, being connected to the internet at large, inherit all the cyber-vulnerabilities of standard Information Technology (IT) systems. Since perfect cyber-security and robustness is an idealistic construct, it is worthwhile to design intrusion detection schemes to quickly detect and mitigate the harmful consequences of cyber-attacks. Volumetric anomaly detection has been popularized due to its low complexity, but it cannot detect low-volume sophisticated attacks and also suffers from a high false-alarm rate. To overcome these limitations, feature-based detection schemes have been studied for IT networks. However, these schemes cannot be easily adapted to M2M systems due to the fundamental architectural and functional differences between M2M and IT systems. In this paper, we propose novel feature-based detection schemes for a general M2M uplink to detect Distributed Denial-of-Service (DDoS) attacks, emergency scenarios and terminal device failures. The detection of DDoS attacks and emergency scenarios involves building up a database of legitimate M2M connections during a training phase and then flagging new M2M connections as anomalies during the evaluation phase. To distinguish between DDoS attacks and emergency scenarios, which yield similar signatures for anomaly detection schemes, we propose a modified Canberra distance metric. It basically measures the similarity or differences in the characteristics of inter-arrival time epochs for any two anomalous streams. We detect device failures by inspecting for a decrease in active M2M connections over a reasonably large time interval. Lastly, using Monte-Carlo simulations, we show that the proposed anomaly detection schemes have high detection performance and a low false-alarm rate. |
| URL | https://ieeexplore.ieee.org/document/8622142 |
| DOI | 10.1109/BigData.2018.8622142 |
| Citation Key | kumar_novel_2018 |