These methods detect contextual anomalies by evaluating events in a knowledge-based model, which are generated by combining contextual information at multiple semantic levels, from multiple sources.
Published in Chapter:
Contextual Anomaly Detection Methods for Addressing Intrusion Detection
Florian Gottwalt (University of New South Wales, Australia), Elizabeth J. Chang (University of New South Wales, Australia), and Tharam S. Dillon (University of New South Wales, Australia)
Copyright: © 2021
|Pages: 31
DOI: 10.4018/978-1-7998-5728-0.ch009
Abstract
One promising method to detect cyber-crime is anomaly detection, which enables one to detect new, unseen attacks. Despite this ability, anomaly detection methods only have limited utilization in practice, due to the high number of false alarms generated. Recent research has shown that the number of false alarms can be reduced drastically by considering the context in which these alarms occur. However, important questions include, What does context mean in the realm of anomaly detection? and How can it be incorporated to identify potential cyber-crime? To address these questions, this chapter provides novel definitions of context and contextual anomaly detection methods. Based on these, a new taxonomy is proposed for contextual anomaly detection methods, which organizes the methods by the specific problems they address. Further, the chapter highlights the potential of contextual anomaly detection for the reduction of false alarms, particularly for network anomaly detection and provides an introduction and holistic overview of the field for professionals and researchers.