Approaches for Anomaly Detection in Network: A Survey

Anuja A. Sawant
Department of Computer Engineering
Pune Institute of Computer Technology
Pune, India
ajsawant10@gmail.com

Pravin S. Game
Department of Computer Engineering
Pune Institute of Computer Technology
Pune, India
pravinsgame@gmail.com

978-1-5386-5257-2/18/$31.00 2018 IEEE

Abstract—In recent years there has been a constant rise in cyber attacks. These attacks affect not only individuals but also organizations at large. Detecting these attacks requires high-end systems, since there is a continuous flow of data to and from the network. This huge data flow makes it difficult to analyze traffic and identify anomalous communication. Rule-based engines are capable of identifying sophisticated attacks, but they fail to identify unknown and new attacks, as the rules are always based on the prior knowledge of the administrators. It is virtually impossible to code beforehand all the rules that may capture all the attacks. Most attacks have common characteristics, i.e. abnormal or anomalous network communication, authentication attempts or access attempts on objects. This work surveys different approaches to detect anomalies in network communication.

Index Terms—Anomaly detection, Classification, Clustering, Feature selection, network communication.

I. INTRODUCTION

The last ten years have witnessed tremendous advancement in technology, specifically communication technology. They have also seen the easy adoption of this technology by people from all strata of life. People are using this technology not only for simple text or telephonic applications but also for financial transactions as well as computational purposes.

With the tremendous growth in personal and organizational transactions and data, secure communication has become one of the most important research areas. So in communication systems it is equally important to analyze the traffic by looking at messages from source to destination, as it may give valuable information not just about imminent attacks but also about the unit movements and other routine matters [29]. Over time, many attacks on computer communication have been discussed and researched for solutions [30]. Out of such attacks we focus on anomalous communications.

Anomalies are unusual events which differ from the normal, or something that deviates from anything that is standard or expected. A sudden rise in temperature, or a vehicle seen moving in the opposite direction in a country with a left-hand driving rule, would be termed an anomaly. Anomalies can be classified as normal or abnormal. An anomaly in network communication could be one of different attacks, such as DoS (service to an authorized user is denied because a malicious node keeps the network busy), Probe (an action taken to learn something about the state of the network, simply by sending a ping), U2R (gives root access to a normal user) or R2L (designed to give local access to target systems). Any sudden change in upload or download speed can also be considered an anomaly. Anomalies also include malicious attacks such as worms, viruses, trojan horses and spyware, as well as abrupt node or link disconnection and multiple authentication attempts on the same object. Anomalies can occur in network communication due to misconfiguration of systems or systems that run undocumented services.

Anomalies in network communication lead to different attacks on the system, which mostly tend to steal data or harm applications. If anomalies go unnoticed, a system may leak confidential information to the outside world, which may cause financial complications and/or losses, or may even lead to totally wrong decisions. Not only hardware malfunction but also software malfunction can lead to anomalous behavior, which may impact the performance of the system. Damage caused by an anomaly directly affects the data; for example, a hacked computer may send out data to an unauthorized destination. An anomalous MRI image may indicate the presence of malignant tumors when it is in fact a disease-free image. Either way, anomalies within a network should not go unnoticed; they need to be detected, located and mitigated in a timely and proper manner.

This paper studies different techniques which include multiple solutions for anomaly detection. A system that helps to detect anomalies in network communication is called an intrusion detection system. An IDS (Intrusion Detection System) is a device or a separate machine that monitors activity to identify malicious or suspicious events, much like a smoke detector, which raises an alarm on detecting specific things. An IDS receives raw inputs from sensors; it first stores the inputs, analyzes them and then takes the required actions [30]. Intrusion detection systems are classified based on where the detection takes place and based on the detection method used [12].

A) Intrusion detection systems are classified based on where the detection takes place:
Network Intrusion Detection System:

A Network Intrusion Detection System exists at a certain point in the network to monitor traffic to and from all the devices in the network. It analyses the network traffic and matches it to the library of known attacks. For detection, it uses an unsupervised method which runs in three consecutive steps, i.e. it detects an anomalous time slot, all the flows in the time slot are flagged as anomalous, and top-ranked outlying flows are flagged as anomalies using a simple thresholding detection approach [5]. Another method is the hidden naive bayes classifier for detecting intrusion [6].

Host Intrusion Detection System:

Host Intrusion Detection Systems are mostly present on individual devices in the network, to protect that host. Such a system is used to track the incoming and outgoing packets of the device on which it has been installed. It also monitors essential system files and attempts made to overwrite them. An example is a system that monitors important operating system files.

B) Intrusion detection systems are classified based on detection method:

Signature Intrusion Detection System:

A Signature Intrusion Detection System monitors and analyzes network packets, such as byte sequences in network traffic, and compares them with the signatures of known attacks. The problem with signature-based IDS is the signatures themselves, as an attacker may try to modify a basic attack in such a way that it doesn't match the known signature of the attack [30]. It is powerful in detecting known attacks but fails to detect new types of attacks, as their signatures may not be present in the database, so manual update of new signatures is required.

Anomaly Intrusion Detection System:

Instead of looking for an exact match, it heuristically looks for behavior which is abnormal. For example, a user might always start the day by only reading e-mail, simply writing different documents using a word processor and occasionally backing up files, which seem to be normal actions. But if this person is seen accessing any of the administrator's sensitive information, that would indicate abnormal behavior [30]. An Anomaly Intrusion Detection System helps to monitor and analyze network packets and compare them against a threshold. This threshold refers to normal data transactions. If there is a slight amount of variance from the ordinary behavior defined by the threshold, then it is considered malicious. It helps to classify input as normal or anomalous, and detects known as well as unknown attacks. It works at both the host level and the network level. There are three major detection methods used for checking malicious activities: scanning, activity monitoring and integrity check [2].

There are various network security systems in use, such as the firewall, which monitors and controls incoming traffic based on predefined security rules. A firewall is a type of signature-based Intrusion Detection System. In a signature-based IDS a set of rules is defined in advance, and an intrusion attempt is detected only if it matches the rules; the rule-set therefore has to be constantly updated, and it has the disadvantage of not detecting new or unknown attacks [12].

To overcome the disadvantage of not detecting new or unknown attacks, an anomaly-based Intrusion Detection System is used. Anomaly detection is the technique of discovering the patterns in a dataset whose behavior is abnormal. These abnormal behaviors are called anomalies or outliers. An anomaly detection system looks for abnormal events rather than attacks. So an anomaly is not always categorized as an attack; it could be unpredictable behavior which is not previously known, and which may or may not be harmful [11]. We can apply this anomaly detection technique to analyze firewall logs for identifying the anomalous network.

Anomaly detection is an application of data mining where different techniques can be practiced to find the anomalies [11].

There are various data mining techniques, such as K-means, K-Nearest Neighbor, K-Medoids, Decision Tree, Naive Bayes Tree, J48 (C4.5), Best-first Tree, Support Vector Machine, Naive Bayes, Neural Networks, Genetic Algorithm, Multilayer Perceptron and Artificial Neural Network [1][12], which have been used for anomaly detection in network communication.

II. REVIEW OF LITERATURE

As discussed in the section above, anomalies in network communication lead to different attacks. This paper summarizes recent attacks that occurred in the computer world, followed by the detection techniques.

A ransomware attack seen in the year 2017 infected 300,000+ computers. It did not harm the victim but threatened to publish their data, by encrypting it, till a ransom is paid [31].

There are also social media threats, which unknowingly create anomalies, usually when we use their applications and accept the conditions without reading them, which may contain malicious intentions [32].

Recently, in Feb 2018, it was alleged that an organization named CA (Cambridge Analytica), a British political firm which handles data mining, data brokerage and data analysis with the help of strategic communication, performed data analysis in different presidential campaigns and worked illegally in targeting voters during the time of election. Data used for these campaigns had been indirectly shared through Facebook with the app called “thisisyourdigitallife”. Such a leak of the data of millions of users will be considered theft from social systems.

2018 Fourth International Conference on Computing Communication Control and Automation (ICCUBEA)
The main issue with this is data privacy, which should not be breached without users' consent [33][34].

Bitcoin, a cryptocurrency, has become a popular mechanism for transactions through the Internet. However, at the same time it has been found to be used for illegal trade such as drugs. As per the findings of [35], 25% of bitcoin users and 50% of bitcoin transactions are linked with illegal activities. These findings suggest the emergence of black e-commerce. Advertisements shown on the internet are sometimes not genuine, and people are duped through bitcoins. For some users, the main motive behind bitcoins is mostly as a payment system instead of investment.

A wireless sensor network consists of sensor nodes, among which compromised nodes are the ones which attract network traffic by broadcasting a fake routing table, which further leads to a sinkhole attack. Due to this the WSN becomes vulnerable to sinkhole attack. Such compromised nodes can also be used to set up other attacks like selective forwarding, acknowledgement spoofing, and dropping or altering routing information [36][37].

The section below studies the different approaches to detect anomalies in network communication.

Xiao et al. [9] proposed a method for anomaly intrusion detection which uses k-means clustering based on the particle swarm optimization algorithm. The particle swarm optimization technique is used to improve the search ability, which can be achieved due to swarm intelligence. They used the KDD-CUP dataset to test the proposed method. Experimental results showed that PSO-KM is effective in partitioning large datasets. The only drawback, which can be overcome, is the dependency of k-means on the number of clusters.

Ramaswamy et al. [7] discussed an efficient algorithm for mining outliers from large datasets, where outliers are found on the basis of the distance of a point from its neighbor. Ranking is done on the basis of this distance, and the top n points in the ranking are declared outliers. Before this, the data is first partitioned into disjoint subsets till it cannot contain any outlier. This reduces the computation. It was tested on real-life NBA (National Basketball Association) data and a synthetic dataset which contains 100 hyper-spherical clusters, amongst which the synthetic datasets performed well with respect to both dataset size and dataset dimensionality.

Prerau et al. [8] proposed an optimized KNN algorithm for unsupervised anomaly detection. This has been tested on the KDD-CUP dataset. The optimization proposed in this paper means breaking down the search space into smaller subsets. Kulling, which eliminates data in linear time from cluster information, is another form of optimization on the KNN algorithm. Canopy clustering is used for breaking down the space into smaller subsets, which will help new instances to be quickly tested against the smaller number of similarly located instances.

Winding et al. [3] aim to solve the issues related to misconfiguration of machines and machines that run undocumented services. The paper discusses different data mining techniques to identify anomalies in firewall logs, but not all the techniques are covered. Additional analysis is also required to identify the false negative rate.

Thottan et al. [10] conducted a review of different approaches to network anomaly detection, which include statistical methods, streaming algorithms and machine learning approaches. It also discusses open problems in the area of network anomaly detection.

Zhang et al. [13] proposed an approach to analyze and estimate the network traffic by using relative entropy theory (RET). This network anomaly detection model based on RET mainly includes a detection phase and a training phase. Detection based on RET includes relative entropy calculations, whereas in the training phase training samples are processed and the SVLNM (Statistics Values Library of Normal Measures) is obtained. Results show that the detection rate of RETAD (Relative Entropy Theory Anomaly Detection) is higher than that of other systems. This relative entropy method can also be applied in image segmentation and biological evolution.

Jianliang et al. [14] discuss that anomaly detection is the basic method to defend against new attacks; it monitors the events occurring in a computing system or network and analyzes them for signs of intrusions. Clustering is the most important unsupervised learning process used to find structures or patterns. It is shown that this method can detect unknown intrusions efficiently. K-means is an effective method for partitioning large datasets and has better search ability. This technique is applied on the KDD-CUP dataset.

Lima et al. [15] proposed a method for network anomaly detection which combines baseline, k-means clustering and particle swarm optimization techniques. The baseline consists of profiles of the normal behavior of network traffic. The k-means algorithm is used to classify the data into k groups. PSO is a computation technique based on swarm intelligence, associated with the social behavior of birds. This was tested on real network traffic and shown to be capable of detecting volume anomalies with satisfactory results: an 82.92% detection rate and a 2.85% false alarm rate for the test day. Volume anomalies are large and sudden positive or negative changes in traffic volume due to strong variances in traffic flows. In future it can be extended to other types of anomalies while improving the detection and false alarm rates.

Jyothsna et al. [16] summarized the study of different categories of intrusion detection systems and their techniques. It also discusses the work done by researchers on
anomaly detection.

Koc et al. [6] proposed an HNB (Hidden Naive Bayes) technique to identify intrusion, which is then compared with the naive bayes technique. The KDD-CUP dataset is used to test this technique. HNB performs best in terms of accuracy, error rate and misclassification cost. It has shown improved accuracy in detecting DoS attacks only.

Casas et al. [5] proposed the UNIDS (Unsupervised Network Intrusion Detection System) technique, which is based on sub-space clustering and multiple evidence accumulation. It mainly focuses on attacks such as DoS/DDoS, probing attacks, propagation of worms, buffer overflows and illegal access to network resources. This technique is tested on three different datasets, namely KDD-CUP and real traffic traces from two operational networks: the public MAWI repository of the WIDE project and METROSEC. Results show that the proposed technique outperforms in detecting unknown network attacks. The detection accuracy can be improved if UNIDS is implemented on a real parallel computational architecture.

Akoglu et al. [17] proposed a two-fold method for fast and reliable anomaly detection in categorical data. First, it achieves fast categorization of data by mining subspace code-tables, i.e. pattern sets; second, it applies the descriptive patterns to reliable anomaly detection in categorical data. This approach exhibits four features, i.e. it is parameter-free, general, scalable and effective.

Chitrakar et al. [18] proposed a hybrid approach that combines classifiers with clustering techniques to get more accurate and effective classification. They proposed combinations such as k-means with naive bayes, k-medoids with naive bayes and k-medoids with SVM. All these combinations are tested on the Kyoto2006+ dataset. The experimental results and analysis show that the proposed approach of k-medoids with SVM performs better in increasing the detection rate as well as decreasing the false positive rate. The time complexity of K-medoids can be reduced further if MapReduce or OptiGrid is applied on large datasets.

Abdel et al. [1] proposed a machine learning based approach for detecting anomalies in data. Pre-processing is done to identify the features using GA and PCA. Machine learning approaches (Decision Tree, Bayesian Network and Multiple Layer Perceptron) are used to classify the data as normal or anomalous. This has been tested on the KDD-NSL dataset. Among the distance measures used, Minkowski gives better classification than Euclidean distance. Classifiers are tested on variable-size data, so every approach performs better in a different situation.

Xie et al. [19] proposed an online anomaly detection technique to protect WSN from cyber attacks and random faults. It uses a KNN-based hypergrid approach to overcome a lazy learning problem. The proposed system works well automatically, without manual adjustment of the parameters. The proposed scheme requires very low computation and has low communication overheads.

Aziz et al. [20] proposed a multilayer hybrid machine learning technique to detect anomalies. This technique is tested on the KDD-NSL dataset, which is processed by the PCA algorithm for feature selection. To determine normal and anomalous behaviour, a genetic algorithm is used which generates anomaly detectors. Further, to increase the detection accuracy, classification is done using naive bayes, MLP neural network and decision tree. Comparing the results of these algorithms, in general, decision tree performs better. But with respect to specific attacks and when 20% of the training dataset is used, naive bayes gives the best results. When 100% of the training dataset is used, naive bayes and J48 give the best results. Among the distance measures used, Minkowski is found to perform better than Euclidean distance.

Jadidi et al. [21] proposed a Gravitational Search Algorithm-based Flow Anomaly Detection System using ANN to detect anomalies. The dataset used in this paper was from Sperotto, which provides flow-based data for anomaly detection. This dataset is divided into malicious traffic, side-effect traffic, unknown traffic and uncorrelated alerts, which are processed further. It showed 99.43% accuracy in classifying benign and malicious traffic.

Breier et al. [2] proposed an anomaly-based IDS which creates rules dynamically to detect new types of breaches. Rules are generated automatically without human intervention. To improve the performance of detection they used Apache Hadoop technology, which processes the data in parallel. Testing was done on the DARPA Intrusion Detection Evaluation and Snort logs datasets. For faster processing, Hadoop technology with a single-node cluster is used, which can later be extended to multiple nodes.

Lin et al. [4] proposed a three-phase method, using the SDM and SCDM mechanisms for classification. Phase-1 does faster detection to filter samples using the SDM mechanism (which provides a faster way to observe a program). Phase-2 is a slower detector, as it observes the remaining ambiguous samples using the SCDM mechanism (which observes a program in a finer-grained way and achieves better detection accuracy). Phase-3 identifies the type of malware. This experiment was done on a sample space consisting of 1800 executable programs, out of which 1000 were malicious and 800 were benign programs, and an additional 900 programs (500 malicious and 400 benign programs) for training and detection. Further, the accuracy can be improved, or compared with bayesian and ANN, by using other similar classifiers.

Abid et al. [22] studied a KNN technique based on euclidean
distance for detecting abnormalities in WSN. The required dataset is collected from the WSN using the LEACH protocol. They considered three types of errors: occasional, byzantine and continuous errors. The energy and accuracy based measures showed that the detection algorithm is able to detect the anomalies.

Pang et al. [23] proposed an improved KNN (K-Nearest Neighbor) technique called LeSiNN to detect anomalies. 18 real-world datasets from the UCI repository and one synthetic dataset are used, from which the instances having the least similar nearest neighbours are considered anomalies. These datasets cover different application domains such as health care, network security, image recognition and internet advertising. This technique operates on small random samples of the dataset rather than the full dataset. It differs from KNN in that LeSiNN only requires finding the nearest neighbor for each test instance, whereas KNN requires K instances. LeSiNN performs well on both numeric and categorical data, whereas KNN can work only on numeric data. LeSiNN works best in an ensemble approach, whereas KNN is suitable for a single model.

Haq et al. [24] focus on feature selection search techniques, namely best-first search, genetic search and rank search. A final feature set is generated which combines the results of these techniques to reduce the features by keeping the appropriate ones. For classification, it uses a hybrid approach with three basic classifiers: bayesian network, naive bayes and J48. The KDD-NSL dataset is used, and the experimental results show that the proposed hybrid approach gives better results than the individual ones.

Krishnan et al. [25] carried out research to address the issue of prediction and decision making for false positive attacks in network systems. To detect and classify network-based attacks, an IDS based on a Multilayer perceptron feedforward artificial neural network is proposed. This technique is tested on the KDD-CUP dataset, which it classifies into normal and abnormal data. It improves the false positive rate but is suitable for detecting only four types of attacks, viz. probe, DoS, U2R and R2L.

In Kumari et al. [26], the k-means clustering technique is tested on the KDD-CUP dataset. Spark technology is used to process the dataset, which helps to obtain specific features from the data. The streaming K-means clustering technique is applied on the processed data, which updates a cluster as new data arrives. This cluster is then normalized using euclidean distance, which determines the closeness of the data points not only to one cluster but also to other clusters. This technique is not just useful for anomaly detection but can also be applied to study financial data, behavior of customers and market basket analysis.

Andropov et al. [27] use the Artificial Neural Network technique to detect anomalies and classify them. The dataset is obtained and processed using the Netflow protocol. Aggregation criteria are applied on the dataset based on specific properties. The Artificial Neural Network technique is applied on this aggregated data, and shows promising results in detecting both known and unknown types of anomalies. So optimizing the dataset will increase the detection accuracy.

Shakya et al. [28] proposed a hybrid approach for anomaly detection. This proposed hybrid approach uses Support Vector Machine and Naive Bayes techniques for anomaly detection. The proposed algorithm was tested on the 10% KDD-CUP dataset. The results of SVM and Naive Bayes are compared with the hybrid algorithm, where the hybrid shows better precision, recall, accuracy and F1-score than SVM and Naive Bayes. So the hybrid algorithm is efficient in terms of reducing the false alarm ratio for anomaly detection.

III. DISCUSSION

A firewall log is used as the input dataset, which includes the different attack types as class labels. Figure-1 shows that three different machine learning techniques can be applied to identify anomalies in the dataset. To improve the prediction, an ensemble method is applied.

In future, for faster processing of this data, Hadoop technology can be used. To improve the results, the dataset must be normalized.

Fig. 1. System workflow

Figure-1 takes firewall log files as an input dataset, on which three machine learning algorithms, namely decision
tree, naive bayes and gradient boosting algorithms are applied to identify the anomalies. Applying an ensemble methodology helps to combine the results of the algorithms used above, improving the predicted results of anomalies.

IV. CONCLUSION

In this paper, we studied different approaches to find anomalies in network communication. Many researchers have found machine learning approaches to be quite useful in detecting anomalies. Some researchers have also demonstrated hybrid approaches to detect anomalies. With such a study, we believe that an ensemble approach will be more suitable for detecting anomalies. Such an ensemble will not only detect anomalies but will also give a confidence of correctness for the detected anomalies.

REFERENCES

[1] A. Abdel-Aziz, A. Hassanien, “Machine learning techniques for anomalies detection and classification”, Springer-Verlag Berlin Heidelberg Conference of Advances in Security of Information and Communication Networks, 2013, Vol. 381, pp. 219-229.
[2] J. Breier, J. Branisova, “Anomaly detection from log files using data mining techniques”, Springer-Verlag Berlin Heidelberg Conference of Information Science and Applications, 2015, Vol. 339, pp. 449-457.
[3] R. Winding, T. Wright, M. Chapple, “System anomaly detection: mining firewall logs”, IEEE Conference of Securecomm and workshop, 2006, pp. 1-5.
[4] Y. Lin, Y. Lai, C. Lu, P. Hsu, C. Lee, “Three-phase behavior-based detection and classification of known and unknown malware”, Research Article of Security and Communication Networks, 2015, Vol. 8, pp. 1-12.
[5] P. Casas, J. Mazel, P. Owezarski, “Unsupervised network intrusion detection systems: detecting the unknown without knowledge”, Elsevier Journal of Computer Communications, 2012, Vol. 35, pp. 772-783.
[6] L. Koc, T. Mazzuchi, S. Sarkani, “A network intrusion detection system on a hidden naive bayes multiclass classifier”, Elsevier Journal of Expert Systems with Applications, 2012, Vol. 39, pp. 13492-13500.
[7] S. Ramaswamy, R. Rastogi, K. Shim, “Efficient algorithms for mining outliers from large data sets”, ACM SIGMOD international conference on Management of data, 2000, Vol. 29, pp. 427-438.
[8] M. Prerau, E. Eskin, “Unsupervised anomaly detection using an optimized k-nearest neighbors algorithm”, Article, pp. 1-14.
[9] L. Xiao, Z. Shao, G. Liu, “K-means algorithm based on particle swarm optimization algorithm for anomaly intrusion detection”, IEEE Conference on Intelligent Control and Automation, 2006, pp. 5854-5858.
[10] M. Thottan, G. Liu, C. Ji, “Anomaly detection approaches for communication networks”, Algorithms for Next Generation Networks, 2009, pp. 239-261.
[11] S. Agrawal, J. Agrawal, “Survey on anomaly detection using data mining techniques”, 19th International Conference on Knowledge Based and Intelligent Information and Engineering Systems, 2015, Vol. 60, pp. 708-713.
[12] A. Sahasrabuddhe, S. Naikade, A. Ramaswamy, B. Sadliwala, P. Futane, “Survey on intrusion detection system using data mining techniques”, International Research Journal of Engineering and Technology (IRJET), 2017, pp. 1780-1784.
[13] Y. Zhang, Z. Han, J. Ren, “A network anomaly detection method based on relative entropy theory”, IEEE Second International Symposium on Electronic Commerce and Security, 2009, pp. 231-235.
[14] M. Jianliang, S. Haikum, B. Ling, “The application on intrusion detection based on k-means cluster algorithm”, IEEE International Forum on Information Technology and Applications, 2009, pp. 150-152.
[15] M. Lima, B. Zarpelao, L. Sampaio, J. Rodrigues, T. Abrao, M. Proenca, “Anomaly detection using baseline and k-means clustering”, International Conference Software, Telecommunications and Computer Networks (SoftCOM), 2010, pp. 1-5.
[16] V. Jyothsna, V. Prasad, “A review of anomaly based intrusion detection systems”, International Journal of Computer Applications, 2011, pp. 26-35.
[17] L. Akoglu, H. Tong, J. Vreeken, C. Faloutsos, “Fast and reliable anomaly detection in categorical data”, 21st ACM international conference on Information and knowledge management, 2012, pp. 1-10.
[18] R. Chitrakar, H. Chuanhe, “Anomaly detection using support vector machine classification with k-medoids clustering”, IEEE Third Asian Himalayas International Conference, 2012, pp. 1-5.
[19] M. Xie, J. Hu, S. Han, H. Chen, “Scalable hypergrid K-NN-based online anomaly detection in wireless sensor network”, IEEE Transactions on Parallel and Distributed Systems, 2013, pp. 1661-1670.
[20] A. Aziz, A. Hassanien, S. Hanafy, M. Tolba, “Multi-layer hybrid machine learning techniques for anomalies detection and classification approach”, IEEE 13th International Conference on Hybrid Intelligent Systems (HIS), 2013, pp. 215-220.
[21] Z. Jadidi, M. Sheikhan, “Flow-based anomaly detection using neural network optimized with GSA algorithm”, IEEE 33rd International Conference on Distributed Computing Systems Workshops, 2013, pp. 76-81.
[22] A. Abid, A. Guiloufi, N. Nasri, A. Kachouri, A. Mahfoudhi, M. Abid, “Centralized KNN anomaly detector for WSN”, IEEE 12th International Multi-Conference on Systems, Signals and Devices, 2015, pp. 1-4.
[23] G. Pang, K. Ting, D. Albrecht, “LeSiNN: Detecting anomalies by identifying least similar nearest neighbours”, IEEE 15th International Conference on Data Mining Workshops, 2015, pp. 623-630.
[24] N. Haq, A. Onik, F. Shah, “An ensemble framework of anomaly detection using hybridized feature selection approach”, IEEE SAI Intelligent System Conference, 2015, pp. 989-995.
[25] R. Krishnan, N. Raajan, “An enhanced multilayer perceptron based approach for efficient intrusion detection system”, International Journal of Pharmacy and Technology, 2016, pp. 23139-23156.
[26] R. Kumari, Sheetanshu, M. Singh, R. Jha, N. Singh, “Anomaly detection in network traffic using k-means clustering”, IEEE 3rd Int’l Conf. on Recent Advances in Information Technology (RAIT), 2016, pp. 1-7.
[27] S. Andropov, A. Guirik, M. Budko, M. Budko, “Network anomaly detection using artificial neural networks”, 20th Conference of Fruct Association, 2017, pp. 26-31.
[28] S. Shakya, S. Sigdel, “An approach to develop a hybrid algorithm based on support vector machine and naive bayes for anomaly detection”, IEEE International Conference on Computing, Communication and Automation (ICCCA), 2017, pp. 323-327.
[29] R. Anderson, “Security Engineering, A guide to building dependable distributed systems”, 2003, First edition, Ch-16, pp. 325.
[30] C. Pfleeger, S. Pfleeger, “Security in Computing”, 2008, Fourth edition, Ch-7, pp. 484.
[31] Ransomware, [Online]. Available: https://en.wikipedia.org/wiki/Ransomware, [Accessed: 21-Mar-2018].
[32] Types of Cyber attacks, [Online]. Available: https://www.csoonline.com/article/2616316/data-protection/the-5-types-of-cyber-attack-youre-most-likely-to-face.html, [Accessed: 22-Mar-2018].
[33] Cambridge Analytica, [Online]. Available: https://en.wikipedia.org/wiki/Cambridge_Analytica, [Accessed: 25-Mar-2018].
[34] Facebook’s Cambridge Analytica data scandal, [Online]. Available: https://www.youtube.com/watch?v=VDR8qGmyEQg, [Accessed: 25-Mar-2018].
[35] S. Foley, J. Karlsen, T. Putnins, “Sex, drugs, and bitcoin: How much illegal activity is financed through cryptocurrencies?”, SSRN’s eLibrary a research paper, 2018, pp. 1-58.
[36] S. Salehi, M. Razzaque, P. Naraei, “Detection of sinkhole attack in wireless sensor network”, IEEE International Conference on Space Science and Communication (IconSpace), 2013, pp. 361-365.
[37] G. Kibirige, C. Sanga, “A survey on detection of sinkhole attack in wireless sensor network”, International Journal of Computer Science and Information Security (IJCSIS), 2015, Vol. 13, pp. 1-9.
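
The two-phase relative entropy scheme summarised for Zhang et al. [13] in Section II can be illustrated on firewall logs, the input proposed in the Discussion section. The following Python is an added example, not code from this paper or from [13]: the log format, the smoothing constant, the "other" bucket and the threshold rule are assumptions, and the baseline distribution stands in for the library of normal measures built in the training phase.

```python
import math
from collections import Counter, defaultdict

ALPHA = 1.0   # Laplace smoothing constant (assumption) so no bucket has probability 0
MARGIN = 2.0  # alert threshold = MARGIN x worst training-window score (assumption)

# Constructed firewall log lines, format "minute action proto dst_port" (assumption).
TRAIN_LOG = """
0 ALLOW tcp 443
0 ALLOW tcp 443
0 ALLOW tcp 80
0 ALLOW udp 53
1 ALLOW tcp 443
1 ALLOW tcp 80
1 ALLOW tcp 80
1 ALLOW udp 53
2 ALLOW tcp 443
2 ALLOW tcp 443
2 ALLOW tcp 80
2 ALLOW udp 53
"""

# Constructed test traffic: two ordinary minutes, one minute of connections to
# ports never seen in training, one minute dominated by a single known service.
TEST_LOG = """
10 ALLOW tcp 443
10 ALLOW tcp 443
10 ALLOW tcp 80
10 ALLOW udp 53
11 ALLOW tcp 443
11 ALLOW tcp 80
11 ALLOW tcp 80
11 ALLOW udp 53
11 ALLOW tcp 443
12 DENY tcp 22
12 DENY tcp 23
12 DENY tcp 3389
12 DENY tcp 445
12 DENY tcp 8080
12 DENY tcp 21
12 DENY tcp 25
12 ALLOW tcp 443
""" + "13 ALLOW udp 53\n" * 8 + "13 ALLOW tcp 443\n"


def parse(log):
    """Group log lines into one Counter of 'proto/port' keys per minute."""
    windows = defaultdict(Counter)
    for line in log.strip().splitlines():
        minute, _action, proto, port = line.split()
        windows[int(minute)][f"{proto}/{port}"] += 1
    return dict(windows)


def distribution(counts, support):
    """Smoothed probabilities over `support`; keys unseen in training fold into 'other'."""
    folded = Counter({key: 0 for key in support})
    for key, n in counts.items():
        folded[key if key in support else "other"] += n
    total = sum(folded.values()) + ALPHA * len(support)
    return {key: (folded[key] + ALPHA) / total for key in support}


def relative_entropy(p, q):
    """D(p || q) in bits; both dicts share the same keys and have no zero entries."""
    return sum(p[k] * math.log2(p[k] / q[k]) for k in p)


def train(log):
    """Training phase: baseline distribution plus a threshold from normal windows."""
    windows = parse(log)
    total = sum(windows.values(), Counter())
    support = sorted(total) + ["other"]
    baseline = distribution(total, support)
    worst = max(relative_entropy(distribution(w, support), baseline)
                for w in windows.values())
    return {"support": support, "baseline": baseline, "threshold": MARGIN * worst}


def detect(log, model):
    """Detection phase: score each minute against the baseline and flag outliers."""
    results = []
    for minute, counts in sorted(parse(log).items()):
        p = distribution(counts, model["support"])
        score = relative_entropy(p, model["baseline"])
        results.append((minute, score, score > model["threshold"]))
    return results


if __name__ == "__main__":
    model = train(TRAIN_LOG)
    for minute, score, flagged in detect(TEST_LOG, model):
        print(f"minute {minute}: D={score:.3f} bits {'ANOMALOUS' if flagged else 'normal'}")
```

Minute 13 contains only ports that were allowed during training, so a port-based rule would pass it; it is flagged because the mix of traffic has shifted.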
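
The distance-based ranking summarised for Ramaswamy et al. [7] in Section II scores each point by the distance to its k-th nearest neighbour and reports the top n points. The following Python is an added example, not code from this paper or from [7]: it does the brute-force ranking without the partitioning step, the flow records are constructed, and the Minkowski order p is a parameter because the survey notes that [1] and [20] compare Minkowski with Euclidean distance. It also covers the edge case where two near-identical unusual flows hide each other when k = 1.

```python
import heapq

# Constructed flow records (packets, kilobytes, seconds); not data from the paper.
FLOWS = [
    (10, 8, 1.0), (12, 9, 1.2), (11, 8, 0.9),       # indices 0-5: short interactive flows
    (9, 7, 1.1), (10, 9, 1.0), (13, 10, 1.3),
    (200, 900, 30.0), (210, 950, 32.0),             # indices 6-9: bulk transfers
    (190, 880, 29.0), (205, 910, 31.0),
    (11, 600, 1.0),                                 # index 10: isolated unusual flow
    (400, 20, 0.5),                                 # index 11: one of two near-identical
    (395, 22, 0.6),                                 # index 12: unusual flows
]


def min_max_scale(rows):
    """Scale every feature to [0, 1] so no single unit dominates the distance."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return [tuple((v - l) / s for v, l, s in zip(row, lo, span)) for row in rows]


def minkowski(a, b, p=2):
    """Minkowski distance of order p (p=1 Manhattan, p=2 Euclidean)."""
    return sum(abs(x - y) ** p for x, y in zip(a, b)) ** (1.0 / p)


def kth_neighbor_distance(points, i, k, p=2):
    """Distance from points[i] to its k-th nearest neighbour (the outlier score)."""
    dists = [minkowski(points[i], q, p) for j, q in enumerate(points) if j != i]
    return heapq.nsmallest(k, dists)[-1]


def top_n_outliers(rows, k, n, p=2):
    """Indices of the n rows with the largest k-th-neighbour distance, worst first."""
    points = min_max_scale(rows)
    scores = [(kth_neighbor_distance(points, i, k, p), i) for i in range(len(points))]
    return [i for _score, i in heapq.nlargest(n, scores)]


if __name__ == "__main__":
    # k=1: flows 11 and 12 are each other's nearest neighbour and score as normal.
    print("k=1:", top_n_outliers(FLOWS, k=1, n=3))
    # k=2: the second neighbour is far away, so both are ranked as outliers.
    print("k=2:", top_n_outliers(FLOWS, k=2, n=3))
```

Choosing k larger than the size of the smallest group of similar anomalies one wants to catch avoids the masking shown with k = 1.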
