Quantitative comparison of unsupervised anomaly detection algorithms for intrusion detection

Anomaly detection algorithms aim at identifying unexpected fluctuations in the expected behavior of target indicators, and, when applied to intrusion detection, suspect attacks whenever the above deviations are observed. Through years, several of such algorithms have been proposed, evaluated experimentally, and analyzed in qualitative and quantitative surveys. However, the experimental comparison of a comprehensive set of algorithms for anomaly-based intrusion detection against a comprehensive set of attacks datasets and attack types was not investigated yet. To fill such gap, in this paper we experimentally evaluate a pool of twelve unsupervised anomaly detection algorithms on five attacks datasets. Results allow elaborating on a wide range of arguments, from the behavior of the individual algorithm to the suitability of the datasets to anomaly detection. We identify the families of algorithms that are more effective for intrusion detection, and the families that are more robust to the choice of configuration parameters. Further, we confirm experimentally that attacks with unstable and non-repeatable behavior are more difficult to detect, and that datasets where anomalies are rare events usually result in better detection scores.

• Publication year

  2019

• Venue

  ACM Symposium on Applied Computing

• Publication date

  2019-04-08

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/3297280.3297314
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Analisis Tingkat Kerentanan Keamanan pada Website Forum Kerukunan Umat Baragama dengan Menggunakan Metode Open Web Application Security Project (owasp)

  2020cited by this paper
• Vulnerability of injection attacks against the application security of framework based websites open web access security project (OWASP)

  2018cited by this paper
• Exploring anomaly detection in systems of systems

  2017cited by this paper
• A Fault Correlation Approach to Detect Performance Anomalies in Virtual Network Function Chains

  2017cited by this paper
• Generating realistic intrusion detection system dataset based on fuzzy qualitative modeling

  2017cited by this paper
• A Comparative Study of Anomaly Detection Techniques for Smart City Wireless Sensor Networks

  2016cited by this paper
• On the evaluation of unsupervised outlier detection: measures, datasets, and an empirical study

  2016cited by this paper
• On the Evaluation of Outlier Detection: Measures, Datasets, and an Empirical Study Continued

  2016cited by this paper
• A Comparative Evaluation of Unsupervised Anomaly Detection Algorithms for Multivariate Data

  2016influential reference
• Experience Report: System Log Analysis for Anomaly Detection

  2016cited by this paper
• UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)

  2015cited by this paper
• A Framework for Clustering Uncertain Data

  2015cited by this paper
• Estimating the sample mean and standard deviation from the sample size, median, range and/or interquartile range

  2014influential reference
• An experimental evaluation of novelty detection methods

  2014cited by this paper
• Adding Security Concerns to Safety Critical Certification

  2014cited by this paper
• Enhancing one-class support vector machines for unsupervised anomaly detection

  2013influential reference
• Generation of a new IDS test dataset: Time to retire the KDD collection

  2013cited by this paper
• Security and Privacy Controls for Federal Information Systems and Organizations

  2013cited by this paper
• Histogram-based Outlier Score (HBOS): A fast Unsupervised Anomaly Detection Algorithm

  2012cited by this paper
• Before we knew it: an empirical study of zero-day attacks in the real world

  2012cited by this paper
• Nearest-Neighbor and Clustering based Anomaly Detection Algorithms for RapidMiner

  2012influential reference
• Toward developing a systematic approach to generate benchmark datasets for intrusion detection

  2012cited by this paper
• Evaluation: from precision, recall and F-measure to ROC, informedness, markedness and correlation

  2011cited by this paper
• MAWILab: combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking

  2010cited by this paper
• A detailed analysis of the KDD CUP 99 data set

  2009cited by this paper
• Anomaly detection: A survey

  2009influential reference
• Angle-based outlier detection in high-dimensional data

  2008influential reference
• Isolation Forest

  2008cited by this paper
• Comparing Anomaly Detection Techniques for HTTP

  2007cited by this paper
• White Paper Intel Information Technology Computer Manufacturing Enterprise Security Threat Agent Library Helps Identify Information Security Risks

  2007cited by this paper
• Unsupervised Anomaly Detection in Network Traffic by Means of Robust PCA

  2007influential reference
• An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks

  2005cited by this paper
• Outlier Detection Using k-Nearest Neighbour Graph

  2004influential reference
• A taxonomy of DDoS attack and DDoS defense mechanisms

  2004cited by this paper
• A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection

  2003cited by this paper
• Enhancing Effectiveness of Outlier Detections for Low Density Patterns

  2002cited by this paper
• Intrusion detection techniques and approaches

  2002cited by this paper
• Estimating the Support of a High-Dimensional Distribution

  2001cited by this paper
• Anomaly Detection over Noisy Data using Learned Probability Distributions

  2000cited by this paper
• The 1999 DARPA off-line intrusion detection evaluation

  2000cited by this paper
• LOF: identifying density-based local outliers

  2000influential reference
• KDD-cup 99: knowledge discovery in a charitable organization's donor database

  2000cited by this paper
• Efficient algorithms for mining outliers from large data sets

  2000cited by this paper

• Unsupervised Detection of Anomalous Commits in Software Repositories

  2025cites this paper
• Hard Shell, Reliable Core: Improving Resilience in Replicated Systems with Selective Hybridization

  2025cites this paper
• What do anomaly scores actually mean? Dynamic characteristics beyond accuracy

  2024cites this paper
• A comparison of anomaly detection algorithms with applications on recoater streaking in an additive manufacturing process

  2024cites this paper
• Bad Design Smells in Benchmark NIDS Datasets

  2024cites this paper
• Local outlier factor for anomaly detection in HPCC systems

  2024cites this paper
• A Holistic review and performance evaluation of unsupervised learning methods for network anomaly detection

  2024cites this paper
• Deep Learning Using Preoperative Optical Coherence Tomography Images to Predict Visual Acuity Following Surgery for Idiopathic Full-Thickness Macular Holes

  2024cites this paper
• Anomaly diagnosis of connected autonomous vehicles: A survey

  2024cites this paper
• Benchmarking Anomaly Detection Algorithms: Deep Learning and Beyond

  2024cites this paper
• EM-AUC: A Novel Algorithm for Evaluating Anomaly Based Network Intrusion Detection Systems

  2024cites this paper
• Elektrik Güç Dağıtımında Akıllı Sayaç Verileri için Anomali Tespiti ve Tahminleme

  2023cites this paper
• METER: A Dynamic Concept Adaptation Framework for Online Anomaly Detection

  2023cites this paper
• Machine Failure Prediction: : A Comparative Anomaly Detection

  2023cites this paper
• Evaluation of 2D and 3D Deep Learning Approaches For Predicting Visual Acuity Following Surgery for Idiopathic Full-Thickness Macular Holes In Spectral Domain Optical Coherence Tomography Images

  2023cites this paper
• Weighted subspace anomaly detection in high-dimensional space

  2023cites this paper
• Detection of Malicious DNS-over-HTTPS Traffic: An Anomaly Detection Approach using Autoencoders

  2023cites this paper
• Data-Driven Network Analysis for Anomaly Traffic Detection

  2023cites this paper
• Blockchain-oriented approach for detecting cyber-attack transactions

  2023cites this paper
• Unsupervised Anomaly Detection for Multivariate Incomplete Data using GAN-based Data Imputation: A Comparative Study

  2023cites this paper
• On Equivalence of Anomaly Detection Algorithms

  2022cites this paper
• The Cross-Evaluation of Machine Learning-Based Network Intrusion Detection Systems

  2022cites this paper
• ICDF: Intrusion collaborative detection framework based on confidence

  2022cites this paper
• Online Anomaly Detection Based On Reservoir Sampling and LOF for IoT devices

  2022cites this paper
• Performance measurement with high performance computer of HW-GA anomaly detection algorithms for streaming data

  2022cites this paper
• Anomaly-based Network Intrusion Detection System Using Semi-supervised Models

  2022cites this paper
• FEMa-FS: Finite Element Machines for Feature Selection

  2022cites this paper
• Understanding the properness of incorporating machine learning algorithms in safety-critical systems

  2021cites this paper
• UN-AVOIDS: Unsupervised and Nonparametric Approach for Visualizing Outliers and Invariant Detection Scoring

  2021cites this paper
• Crucial Role of Data Analytics in the Prevention and Detection of Cyber Security Attacks

  2021cites this paper
• Distributed real-time SlowDoS attacks detection over encrypted traffic using Artificial Intelligence

  2021cites this paper
• An efficient anomaly detection method for uncertain data based on minimal rare patterns with the consideration of anti-monotonic constraints

  2021cites this paper
• Enhancing Unsupervised Anomaly Detection With Score-Guided Network

  2021cites this paper
• Time-Window Based Group-Behavior Supported Method for Accurate Detection of Anomalous Users

  2021cites this paper
• Face mask recognition based on object detection

  2021cites this paper
• Toward situational awareness in threat detection. A survey

  2021cites this paper
• On the educated selection of unsupervised algorithms via attacks and anomaly classes

  2020cites this paper
• Recompose Event Sequences vs. Predict Next Events: A Novel Anomaly Detection Approach for Discrete Event Logs

  2020cites this paper
• Time-Window Group-Correlation Support vs. Individual Features: A Detection of Abnormal Users

  2020cites this paper
• Performance Comparison of Anomaly Detection Algorithms for Streaming Data

  2020cites this paper
• An Overview of Outliers and Detection Methods in General for Time Series from IoT Devices

  2020cites this paper
• A Genetic Algorithm and Discriminant Analysis Based Outlier Detector

  2020cites this paper
• Into the Unknown: Unsupervised Machine Learning Algorithms for Anomaly-Based Intrusion Detection

  2020cites this paper
• Unsupervised Anomaly Detectors to Detect Intrusions in the Current Threat Landscape

  2020influential citation
• A Feature Space Transformation to Intrusion Detection Systems

  2020cites this paper
• Anomaly Detection Algorithms for Streaming Data: Performance Comparison

  2020cites this paper
• Auto-Encoder Transposed Permutation Importance Outlier Detector

  2020cites this paper
• Statistical Analysis of Nearest Neighbor Methods for Anomaly Detection

  2019cites this paper
• An Initial Investigation on Sliding Windows for Anomaly-Based Intrusion Detection

  2019cites this paper
• Evaluation of Anomaly Detection Algorithms Made Easy with RELOAD

  2019cites this paper
• C YBER P HYSICAL A NOMALY D ETECTION FOR S MART H OMES : A S URVEY

  year unknowncites this paper