Professional Documents
Culture Documents
I. I NTRODUCTION
Nowadays the network is a vital part of any company
and even became an important part of our daily life.
Technology innovations brought us a facility to gather
and share information, to communicate our ideas with
others, the opportunity to work from home and other
small gestures that have became part of everyday life and
it would be impossible to survive without the Internet.
The infrastructure behind the convenience, in most cases,
are monitored to prevent possible failures and loses of
performance. The causes can be a simple misconfiguration
to attacks that can harm the system, among many other.
One of the causes that may affect the operation of the
network is an anomaly behavior, which has a focus
on areas such as Network Traffic, Data Mining, Image
Processing, Credit Card Transactions and other pointed
in [1].
This paper is based on Anomaly Detection Using Firefly Harmonic
Clustering Algorithm by M. H. A. C. Adaniya, M. F. Lima, L. H.
D. Sampaio, T. Abrao, and M. L. Proenca Jr., which appeared in the
Proceedings of the 8th International Joint Conference on e-Business
c
and Telecommunications (ICETE), Seville, Spain, July 2011.
2011
SciTePress.
83
84
(1)
with dimension of N 1.
The parameter is a measure of the deviation level occurred in the DSNS. We can adopt a constant value based
on prior knowledge of the network or using a statistical
measure. In our work, is statistically characterized by:
=
1
J
PJ
(dj )
;
max[(dj )]
i=1
(2)
Figure 1. DSNS and real traffic collected from GBA from 08/01/2011 to 08/05/2011.
85
86
2.5
x 10
DSNS
THRESHOLD UP
THRESHOLD DOWN
REAL TRAFFIC
1.5
0.5
0
0
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
TIME [HOUR]
2.5
x 10
DSNS
THRESHOLD UP
THRESHOLD DOWN
REAL TRAFFIC
1.5
0.5
0
0
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
TIME [HOUR]
x 10
DSNS
THRESHOLD UP
THRESHOLD DOWN
REAL TRAFFIC
2.5
1.5
0.5
0
0
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
TIME [HOUR]
x 10
DSNS
THRESHOLD UP
THRESHOLD DOWN
REAL TRAFFIC
2.5
1.5
0.5
0
0
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
TIME [HOUR]
x 10
DSNS
THRESHOLD UP
THRESHOLD DOWN
REAL TRAFFIC
2.5
1.5
0.5
0
0
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
TIME [HOUR]
Figure 2. DSNS, the threshold range and real traffic of tcpInSegs SNMP object, on Web-Server of State University of Londrina.
87
(4)
MEANS CLUSTERING
k X
n
X
kxi cj k
(6)
j=1 i=1
KHM (x, c) =
n
X
i=1
1
j=1 kxi cj kp
(7)
(8)
88
(11)
k=1
2
1
xi = xi + 0 erij (xj xi ) + (rand ), (12)
2
where the second term is the attraction and the third
term is randomization with being the randomization
parameter. rand is a uniform distribution in [0, 1]. The
author adopt values of 0 = 1 and [0, 1]. According
to [9], the emission intensity of light from a firefly is
proportional to the objective function, i.e., I(x) f (x),
but the intensity with which light is perceived by the
firefly decreases with the distance between the fireflies.
The agents in FA have adjustable visibility and more
versatile in attractiveness variations, which usually leads
to higher mobility and thus the search space is explored
more efficiently, getting a better ability to escape local
minimum or maximum [9].
According to [9], the emission intensity of light from
a firefly is proportional to the objective function, i.e.,
I(x) f (x), but the intensity with which light is perceived by the firefly decreases with the distance between
the fireflies. Thus, the perceived intensity of a firefly is
2
given by: I(r) = I0 er , where I0 is the intensity of
light emitted, r is the Euclidean distance between i and j
firefly, i being the bright and j the less bright; and the
absorption coefficient. The attractiveness of a firefly is
defined by:
2
(r) = 0 expr ,
(13)
89
False Positive
Number of Normal Data
(14)
True Positive
Number of Anomaly Data
(15)
True Positive
True Positive + False Positive
(16)
90
90
80
K=4
K=2
K=3
70
60
90
80
70
60
50
40
30
20
10
0
0
50
20
40
60
80
100
40
30
20
10
0
300
600
900
INTERVAL [TIME]
1200
IX. CONCLUSIONS
ACKNOWLEDGEMENTS
This work was supported by Coordenaca o de
Aperfeicoamento de Pessoal de Nvel Superior (CAPES)
through a post-graduate masters degree level and
SETI/Fundaca o Araucaria and MCT/CNPq by the
financial support for the Rigel Project.
91
PRECISION RATE
75
70
90
65
300
85
30
40
50
600
900
INTERVAL [TIME]
60
1200
70
90
PRECISION RATE
30
85
%
95
95
100
80
25
20
300
75
70
45
50
55
60
600
900
INTERVAL [TIME]
65
1200
70
75
R EFERENCES
[1] V. Chandola, A. Banerjee, and V. Kumar, Anomaly detection: A survey. ACM Computing Surveys., vol. 41, no. 3,
2009.
[2] A. Patcha and J. Park, An overview of anomaly detection techniques: Existing solutions and latest technological
trends, Computer Networks: The International Journal of
Computer and Telecommunications Networking, vol. 51,
pp. 34483470, August 2007.
[3] S. Shanbhag and T. Wolf, Anombench: A benchmark for volume-based internet anomaly detection, in
Global Telecommunications Conference, 2009. GLOBECOM 2009. IEEE, December 2009, pp. 16.
[4] M. L. Proenca Jr., B. B. Zarpelao, and L. S. Mendes,
Anomaly detection for network servers using digital
signature of network segment, in Advanced Industrial
Conference on Telecommunications, 2005, Advanced ICT
2005. IEEE, 2005, pp. 290295.
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]