Faculty Publications
Permanent URI for this community: https://idr.nitk.ac.in/handle/123456789/18736
Publications by NITK Faculty
Identifying Provenance of Information and Anomalous Paths in Attributed Social Networks
(Institute of Electrical and Electronics Engineers Inc., 2018) Trivedi, H.; Bindu, P.V.; Santhi Thilagam, P.S.
Information provenance problem is an important and challenging problem in social network analysis and it deals with identifying the origin or source of information spread in a social network. In this paper, an approach for detecting the source of an information spread as well as suspicious anomalous paths in a social network is proposed. An anomalous path is a sequence of nodes that propagates an anomalous information to the given destination nodes who cause an anomalous event. The proposed approach is based on attribute-based anomalies and information cascading technique. The anomalous paths are identified in two steps. The first step assigns an anomalous score to each and every vertex in the given graph based on suspicious attributes. The second step detects the source and suspicious anomalous paths in the network using the anomaly scores. The approach is tested on datasets such as Enron and Facebook to demonstrate its effectiveness. Detecting anomalous paths is useful in several applications including identifying terrorist attacks communication path, disease spreading pattern, and match-fixing hidden path between bookie and a cricketer. © 2018 IEEE.

Mining social networks for anomalies: Methods and challenges
(Academic Press, 2016) Bindu, P.V.; Santhi Thilagam, P.S.
Online social networks have received a dramatic increase of interest in the last decade due to the growth of Internet and Web 2.0. They are among the most popular sites on the Internet that are being used in almost all areas of life including education, medical, entertainment, business, and telemarketing. Unfortunately, they have become primary targets for malicious users who attempt to perform illegal activities and cause harm to other users. The unusual behavior of such users can be identified by using anomaly detection techniques. Anomaly detection in social networks refers to the problem of identifying the strange and unexpected behavior of users by exploring the patterns hidden in the networks, as the patterns of interaction of such users deviate significantly from the normal users of the networks. Even though a multitude of anomaly detection methods have been developed for different problem settings, this field is still relatively young and rapidly growing. Hence, there is a growing need for an organized study of the work done in the area of anomaly detection in social networks. In this paper, we provide a comprehensive review of a large set of methods for mining social networks for anomalies by providing a multi-level taxonomy to categorize the existing techniques based on the nature of input network, the type of anomalies they detect, and the underlying anomaly detection approach. In addition, this paper highlights the various application scenarios where these methods have been used, and explores the research challenges and open issues in this field. © 2016 Elsevier Ltd. All rights reserved.

Discovering suspicious behavior in multilayer social networks
(Elsevier Ltd, 2017) Bindu, P.V.; Santhi Thilagam, P.S.; Ahuja, D.
Discovering suspicious and illicit behavior in social networks is a significant problem in social network analysis. The patterns of interactions of suspicious users are quite different from their peers and can be identified by using anomaly detection techniques. The existing anomaly detection techniques on social networks focus on networks with only one type of interaction among the users. However, human interactions are inherently multiplex in nature with multiple types of relationships existing among the users, leading to the formation of multilayer social networks. In this paper, we investigate the problem of anomaly detection on multilayer social networks by combining the rich information available in multiple network layers. We propose a pioneer approach namely ADOMS (Anomaly Detection On Multilayer Social networks), an unsupervised, parameter-free, and network feature-based methodology, that automatically detects anomalous users in a multilayer social network and rank them according to their anomalousness. We consider the two well-known anomalous patterns of clique/near-clique and star/near-star anomalies in social networks, and users are ranked according to the degree of similarity of their neighborhoods in different layers to stars or cliques. Experimental results on several real-world multilayer network datasets demonstrate that our approach can effectively detect anomalous nodes in multilayer social networks. © 2017 Elsevier Ltd

Discovering spammer communities in twitter
(Springer New York LLC, 2018) Bindu, P.V.; Mishra, R.; Santhi Thilagam, P.S.
Online social networks have become immensely popular in recent years and have become the major sources for tracking the reverberation of events and news throughout the world. However, the diversity and popularity of online social networks attract malicious users to inject new forms of spam. Spamming is a malicious activity where a fake user spreads unsolicited messages in the form of bulk message, fraudulent review, malware/virus, hate speech, profanity, or advertising for marketing scam. In addition, it is found that spammers usually form a connected community of spam accounts and use them to spread spam to a large set of legitimate users. Consequently, it is highly desirable to detect such spammer communities existing in social networks. Even though a significant amount of work has been done in the field of detecting spam messages and accounts, not much research has been done in detecting spammer communities and hidden spam accounts. In this work, an unsupervised approach called SpamCom is proposed for detecting spammer communities in Twitter. We model the Twitter network as a multilayer social network and exploit the existence of overlapping community-based features of users represented in the form of Hypergraphs to identify spammers based on their structural behavior and URL characteristics. The use of community-based features, graph and URL characteristics of user accounts, and content similarity among users make our technique very robust and efficient. © 2018, Springer Science+Business Media, LLC, part of Springer Nature.

Modelling Behavioural Dynamics for Asymmetric Application Layer DDoS Detection
(Institute of Electrical and Electronics Engineers Inc., 2021) Praseed, A.; Santhi Thilagam, P.S.
Asymmetric application layer DDoS attacks using computationally intensive HTTP requests are an extremely dangerous class of attacks capable of taking down web servers with relatively few attacking connections. These attacks consume limited network bandwidth and are similar to legitimate traffic, which makes their detection difficult. Existing detection mechanisms for these attacks use indirect representations of actual user behaviour and complex modelling techniques, which leads to a higher false positive rate (FPR) and longer detection time, which makes them unsuitable for real time use. There is a need for simple, efficient and adaptable detection mechanisms for asymmetric DDoS attacks. In this work, an attempt is made to model the actual behavioural dynamics of legitimate users using a simple annotated Probabilistic Timed Automata (PTA) along with a suspicion scoring mechanism for differentiating between legitimate and malicious users. This allows the detection mechanism to be extremely fast and have a low FPR. In addition, the model can incrementally learn from run-time traces, which makes it adaptable and reduces the FPR further. Experiments on public datasets reveal that our proposed approach has a high detection rate and low FPR and adds negligible overhead to the web server, which makes it ideal for real time use. © 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

HTTP request pattern based signatures for early application layer DDoS detection: A firewall agnostic approach
(Elsevier Ltd, 2022) Praseed, A.; Santhi Thilagam, P.S.
Application Layer DDoS (AL-DDoS) attacks are an extremely dangerous variety of DDoS attacks that started becoming popular recently. They are executed using very few legitimate requests, making them very difficult to detect. Since they are executed using attack generation tools and botnets, AL-DDoS attacks display similarity within a request stream (temporal similarity) and across request streams (spatial similarity). Once a particular request stream has been detected as malicious by an anomaly detection mechanism (ADM), spatial similarity can help in detecting AL-DDoS attacks much earlier by employing a dynamic signature based approach. In this work, we use HTTP request patterns as signatures to build a firewall agnostic Early Detection Module (EDM) for AL-DDoS attacks. We also propose the use of Sample Entropy instead of the popular Shannon's Entropy to identify AL-DDoS attacks. Sample Entropy is able to model both the frequencies and sequence of data items within a request stream, and is a better indicator of temporal similarity than Shannon's Entropy. In this work, we demonstrate that Sample Entropy can be used effectively to detect AL-DDoS attacks. With a Sample Entropy based anomaly detection mechanism, we demonstrate that the use of EDM significantly reduces the detection latency for AL-DDoS attacks. © 2022 Elsevier Ltd
