401 |
A DISTRIBUTED NETWORK MANAGEMENT AGENT FOR FAULT TOLERANT INDUSTRIAL NETWORKSLeclerc, Sebastian, Ekrad, Kasra January 2024 (has links)
Within industrial systems, dependability is critical to keep the system reliable and available. Faults leading to failures of the whole system must be mitigated by a laborious design, testing, and verification process. This thesis aims to build a Network Management Agent (NMA), capable of fault detection, localization, and recovery in an Ethernet environment. The chosen NMA environment was a distributed industrial system using a redundant controller pair, where the controllers must determine when the roles should switch in case of primary failure. In the industrial context, this role-switching must be bounded and robust enough to withstand mixed traffic classes competing for network resources. An NMA was built to monitor the network with the help of Media Redundancy Protocol (MRP), heartbeats, and industrial switch queue status queries. The NMA could distinguish between node and link failure by localizing the fault while adjusting the network's Quality of Service (QoS). The controllers could safely switch roles after an average difference of 29.7065 ms from the moment the primary failed, and the secondary took over. Link failure was detected in three possible locations within 31.297 ms and the location was found within 373.419 ms. To the authors' best knowledge, other solutions mainly target L3 networks or require specialized supporting technology, whereas MRP was found in the majority of the investigated industrial switches. The proposed solution requires any heartbeat-like function sent from the switch, which MRP offers, and can be generalized to any environment where distinguishing a link from a node failure is important. QoS anomaly detection however requires capable switches and configuration of rules to prioritize the traffic accordingly.
|
402 |
Deep Learning One-Class Classification With Support Vector MethodsHampton, Hayden D 01 January 2024 (has links) (PDF)
Through the specialized lens of one-class classification, anomalies–irregular observations that uncharacteristically diverge from normative data patterns–are comprehensively studied. This dissertation focuses on advancing boundary-based methods in one-class classification, a critical approach to anomaly detection. These methodologies delineate optimal decision boundaries, thereby facilitating a distinct separation between normal and anomalous observations. Encompassing traditional approaches such as One-Class Support Vector Machine and Support Vector Data Description, recent adaptations in deep learning offer a rich ground for innovation in anomaly detection. This dissertation proposes three novel deep learning methods for one-class classification, aiming to enhance the efficacy and accuracy of anomaly detection in an era where data volume and complexity present unprecedented challenges. The first two methods are designed for tabular data from a least squares perspective. Formulating these optimization problems within a least squares framework offers notable advantages. It facilitates the derivation of closed-form solutions for critical gradients that largely influence the optimization procedure. Moreover, this approach circumvents the prevalent issue of degenerate or uninformative solutions, a challenge often associated with these types of deep learning algorithms. The third method is designed for second-order tensors. This proposed method has certain computational advantages and alleviates the need for vectorization, which can lead to structural information loss when spatial or contextual relationships exist in the data structure. The performance of the three proposed methods are demonstrated with simulation studies and real-world datasets. Compared to kernel-based one-class classification methods, the proposed deep learning methods achieve significantly better performance under the settings considered.
|
403 |
Interaktiv identifiering av avvikelser i mätdata från testning av kretskortBerglund, Ebba, Kazemi, Baset January 2024 (has links)
Visualisering är ett kraftfullt verktyg vid dataanalys, särskilt för att identifiera avvikelser. Att effektivt kunna identifiera felaktiga komponenter i elektronik kan förbättra och utveckla produktionsprocesserna avsevärd. Genom att tydligt visa korrelationen mellan felaktiga och fungerande komponenter kan analytiker identifiera nyckelkomponenter som orsakar defekta produkter. Multivariata data och multivariata tidsseriedata ställer höga krav på visualiseringar på grund av deras komplexitet. Den höga dimensionaliteten kan leda till problem som överlappning och dolda mönster beroende på vilken visualiseringsteknik som används. För att uppnå effektiv visualisering av multivariata data och multivariata tidsseriedata krävs det att både trender över tid och korrelationer mellan olika variabler visas. Studien genomfördes i samarbete med konsultföretaget Syntronic AB för att identifiera lämpliga visualiseringstekniker för data som samlats in vid testning av kretskort. Metoden som användes är design science, vilket omfattar en litteraturstudie, utveckling av prototyp och utvärdering av prototypen. Prototypen består av tre visualiseringstekniker som är: Kategorisk heatmap, Parallella koordinater och Scatterplot. Dessa tekniker jämfördes systematiskt för att bedöma deras effektivitet. Utvärderingen består av kvantitativa metoder såsom mätningar och enkäter, samt den kvalitativa metoden intervju. Resultatet av studien presenterar den utvecklade prototypen och analysen av utvärderingen. Resultatet av studien visar att kategoriska heatmaps är effektiv för att identifiera samband mellan avvikelser i multivariat data. Även om alla användare upplevde visualiseringen svårtolkad vid en första anblick uttryckte de att visualiseringen var effektiv på att visa korrelationer mellan avvikelser. Parallella koordinater upplevdes svårtolkad och ineffektiv på grund av den höga dimensionaliteten där alla dimensioner inte kan visas samtidigt. Förbättringsförslag för att öka användarvänlighet och användarupplevelse lyftes där tree view förslogs som ett alternativ för att välja de dimensioner som ska visas i stället för reglaget. Scatterplots visade sig vara användbar för att analysera enskilda testpunkter och visade generella trender på ett tydligt och begripligt sätt. Studien har även visat att interaktiviteten påverkar upplevelsen av visualisering, där begränsad interaktivitet medför att tekniken upplevds mindre användbar för att identifiera relationer mellan avvikelser. / Visualization is of great importance when analyzing data, especially when distinguishing anomalies. Identifying faulty components of electronics could evolve and improve the production processes tremendously. By effectively displaying the correlation between faulty and working components, analytics can identify key components causing faulty products.Multivariate data and multivariate time series data place high demands on visualizations due to their complexity. The high dimensionality can lead to issues such as overlapping and hidden patterns, depending on the visualization technique used. To achieve effective visualization of multivariate data and multivariate time series data, it is necessary to show both trends over time and correlations between different variables. This study was conducted in cooperation with Syntronic AB, a consulting company, to help identify suitable visualization techniques for data gathered by testing circuit boards. The methodology used is design research which includes research gathering, development of a prototype and evaluation of the prototype. The prototype consists of three visualization techniques: Categorical heatmap, Parallel Coordinates, and Scatterplot. These techniques were systematically compared to assess their effectiveness. The evaluation consists of quantitative methods such as time measurement and survey, and the qualitative method interview. The result of the study shows the developed prototype and the analysis of the evaluation. As a result, the study found categorical heatmaps effective in distinguishing correlation between anomalies in multivariate data. Although all users found the visualization difficult to grasp at first glance, expressed their beliefs regarding the effectiveness of displaying correlation. Parallel Coordinates were perceived as difficult to interpret and ineffective for high-dimensional datasets where all dimensions can´t be displayed simultaneously. Interactive options such as tree view to select test pointsto visualize were suggested to further improve the usefulness of Parallel Coordinates. Scatterplot proved useful for analyzing individual test points and showed general trends in a user-friendly way. Furthermore, the study also showed that interactivity affect the perception of visualizations. Limited interactivity resulted in users finding the visualizations less effective in distinguishing anomalies and were perceived as less user-friendly.
|
404 |
Anomaly Detection in Telecom Service Provider Network Infrastructure Security Logs using an LSTM Autoencoder : Leveraging Time Series Patterns for Improved Anomaly Detection / Avvikelsedetektering i säkerhetsloggar för nätverksinfrastruktur hos en telekomtjänstleverantör med en LSTM Autoencoder : Uttnyttjande av tidsseriemönster för förbättrad avvikelsedetekteringVlk, Vendela January 2024 (has links)
New regulations are placed on Swedish Telecom Service Providers (TSPs) due to a rising concern for safeguarding network security and privacy in the face of ever-evolving cyber threats. These regulations demand that Swedish telecom companies expand their data security strategies with proactive security measures. Logs, serving as digital footprints in IT infrastructure, play a crucial role in identifying anomalies that could indicate security breaches. Deep Learning (DL) has been used to detect anomalies in logs due to its ability to discern intricate patterns within the data. By leveraging deep learning-based models, it is not only possible to identify anomalies but also to predict and mitigate potential threats within the telecom network. An LSTM autoencoder was implemented to detect anomalies in two separate multivariate temporal log datasets; the BETH cybersecurity dataset, and a Cisco log dataset that was created specifically for this thesis. The empirical results in this thesis show that the LSTM autoencoder reached an ROC AUC of 99.5% for the BETH dataset and 76.6% for the Cisco audit dataset. The use of an additional anomaly detection aid in the Cisco audit dataset let the model reach an ROC AUC of 99.6%. The conclusion that could be drawn from this work was that the systematic approach to developing a deep learning model for anomaly detection in log data was efficient. However, the study’s findings raise crucial considerations regarding the appropriateness of various log data for deep learning models used in anomaly detection. / Nya föreskrifter har införts för svenska telekomtjänsteleverantörer på grund av en ökad angelägenhet av att säkerställa nätverkssäkerhet och integritet inför ständigt föränderliga cyberhot. Dessa föreskrifter kräver att svenska telekomföretag utvidgar sina dataskyddsstrategier med proaktiva säkerhetsåtgärder. Loggar, som fungerar som digitala fotspår inom IT-infrastruktur, spelar en avgörande roll för att identifiera avvikelser som kan tyda på säkerhetsintrång. Djupinlärning har använts för att upptäcka avvikelser i loggar på grund av dess förmåga att urskilja intrikata mönster inom data. Genom att utnyttja modeller baserade på djupinlärning är det inte bara möjligt att identifiera avvikelser utan även att förutsäga samt mildra konsekvenserna av potentiella hot inom telekomnätet. En LSTM-autoencoder implementerades för att upptäcka avvikelser i två separata multivariata tidsserielogguppsättningar; BETH-cybersäkerhetsdatauppsättningen och en Cisco-loggdatauppsättning som skapades specifikt för detta arbete. De empiriska resultaten i denna avhandling visar att LSTM-autoencodern uppnådde en ROC AUC på 99.5% för BETH-datauppsättningen och 76.6% för Cisco-datauppsättningen. Användningen av ett ytterligare avvikelsedetekteringsstöd i Cisco-datauppsättningen möjliggjorde att modellen uppnådde en ROC AUC på 99.6%. Slutsatsen som kunde dras från detta arbete var att den systematiska metoden för att utveckla en djupinlärningsmodell för avvikelsedetektering i loggdata var effektiv. Dock väcker studiens resultat kritiska överväganden angående lämpligheten av olika loggdata för djupinlärningsmodeller som används för avvikelsedetektering.
|
405 |
Detecting Anomalies in Imbalanced Financial Data with a Transformer AutoencoderKarlsson, Gustav January 2024 (has links)
Financial trading data presents a unique challenge for anomaly detection due to its high dimensionality and often lack of labelled anomalous examples. Nevertheless, it is of great interest for financial institutions to gain insight into potential trading activities that might lead to financial losses and reputational damage. Given the complexity and unlabelled nature of this financial data, deep learning models such as the Transformer model are particularly suited for this task. This work investigates the application of a Transformer-based autoencoder for anomaly detection in unlabelled financial transaction data with sequential characteristics. To assess the model's ability to detect anomalies and analyse the effects of class imbalance, synthetic anomalies are injected into the dataset. This creates a controlled environment where the model's performance can be evaluated but also the affects of imbalance can be investigated. Two approaches are particularly explored for anomaly detection purposes: an unsupervised approach and a semi-supervised approach that explicitly leverages the presence of anomalies in the training data. Experiments suggest that while the unsupervised approach can detect anomalies with distinctive features, its performance suffers when anomalies are included in the training data since the model tends to reconstruct them. Conversely, the semi-supervised approach effectively addresses this limitation, demonstrating a clear advantage in the presence of class imbalance. While synthetic anomalies enable controlled evaluation and class imbalance analysis, generalizability to real-world financial data requires true anomalies.
|
406 |
Intrångsdetektering på CAN bus data : En studie för likvärdig jämförelse av metoderHedman, Pontus, Skepetzis, Vasilios January 2020 (has links)
Utförda hacker-attacker på moderna fordon belyser ett behov av snabb detektering av hot inom denna miljö, särskilt när det förekommer en trend inom denna industri där moderna fordon idag kan klassas som IoT-enheter. Det förekommer kända fall av attacker där en angripare förmår stoppa fordon i drift, eller ta bromsar ur funktion, och detta har påvisats ske fjärrstyrt. Denna studie undersöker detektion av utförda attacker, på en riktig bil, genom studie av CAN bus meddelanden. De två modellerna CUSUM, från området Change Point Detection, och Random Forests, från området maskininlärning, tillämpas på riktig datamängd, för att sedan jämföras på simulerad data sinsemellan. En ny hypotesdefinition introduceras vilket möjliggör att evalueringsmetoden Conditional expected delay kan nyttjas för fallet Random Forests, där resultat förmås jämföras med evalueringsresultat från CUSUM. Conditional expected delay har inte tidigare studerats för metod av maskininlärning. De båda metoderna evalueras också genom ROC-kurva. Sammantaget förmås de båda metoderna jämföras sinsemellan, med varandras etablerade evalueringsmetoder. Denna studie påvisar metod och hypotes för att brygga de två områdena change point detection och maskininlärning, för att evaluera de två enligt gemensamt motiverade parametervärden. / There are known hacker attacks which have been conducted on modern vehicles. These attacks illustrates a need for early threat detection in this environment. Development of security systems in this environment is of special interest due to the increasing interconnection of vehicles and their newfound classification as IoT devices. Known attacks, that have even been carried out remotely on modern vehicles, include attacks which allow a perpetrator to stop vehicles, or to disable brake mechanisms. This study examines the detection of attacks carried out on a real vehicle, by studying CAN bus messages. The two methods CUSUM, from the field of Change Point Detection, and Random Forests, from the field of Machine Learning, are both applied to real data, and then later comparably evaluated on simulated data. A new hypothesis defintion is introduced which allows for the evaluation method Conditional expected delay to be used in the case of Random Forests, where results may be compared to evaluation results from CUSUM. Conditional expected delay has not been studied in the machinelarning case before. Both methods are also evaluated by method of ROC curve. The combined hypothesis definition for the two separate fields, allow for a comparison between the two models, in regard to each other's established evaluation methods. This study present a method and hypothesis to bridge the two separate fields of study, change point detection, and machinelearning, to achieve a comparable evaluation between the two.
|
407 |
Applying mobile agents in an immune-system-based intrusion detection systemZielinski, Marek Piotr 30 November 2004 (has links)
Nearly all present-day commercial intrusion detection systems are based on a hierarchical architecture. In such an architecture, the root node is responsible for detecting intrusions and for issuing responses. However, an intrusion detection system (IDS) based on a hierarchical architecture has many single points of failure. For example, by disabling the root node, the intrusion-detection function of the IDS will also be disabled.
To solve this problem, an IDS inspired by the human immune system is proposed. The proposed IDS has no single component that is responsible for detecting intrusions. Instead, the intrusion-detection function is divided and placed within mobile agents. Mobile agents act similarly to white blood cells of the human immune system and travel from host to host in the network to detect intrusions. The IDS is fault-tolerant because it can continue to detect intrusions even when most of its components have been disabled. / Computer Science (School of Computing) / M. Sc. (Computer Science)
|
408 |
Detekce útoku pomocí analýzy systémových logů / Attack Detection by Analysis of the System's LogsHolub, Ondřej Unknown Date (has links)
The thesis deals with the attack detection possibilities and the nonstandard behaviour. It focuses on problems with the IDS detection systems, the subsequent classification and methods which are being used for the attack detection. One part of the thesis presents the existing IDS systems and their properties which are necessary for the successful attack detection. Other parts describe methods to obtain information from the operating systems Microsoft Windows and it also analyses the theoretical methods of data abnormalities. The practical part focuses on the design and implementation of the HIDS application. The final application and its detection abilities are tested at the end of the practical part with the help of some model situations. In the conclusion, the thesis sums up the gained information and shows a possible way of the future development.
|
409 |
Unsupervised representation learning for anomaly detection on neuroimaging. Application to epilepsy lesion detection on brain MRI / Apprentissage de représentations non supervisé pour la détection d'anomalies en neuro-imagerie. Application à la détection de lésions d’épilepsie en IRMAlaverdyan, Zaruhi 18 January 2019 (has links)
Cette étude vise à développer un système d’aide au diagnostic (CAD) pour la détection de lésions épileptogènes, reposant sur l’analyse de données de neuroimagerie, notamment, l’IRM T1 et FLAIR. L’approche adoptée, introduite précédemment par Azami et al., 2016, consiste à placer la tâche de détection dans le cadre de la détection de changement à l'échelle du voxel, basée sur l’apprentissage d’un modèle one-class SVM pour chaque voxel dans le cerveau. L'objectif principal de ce travail est de développer des mécanismes d’apprentissage de représentations, qui capturent les informations les plus discriminantes à partir de l’imagerie multimodale. Les caractéristiques manuelles ne sont pas forcément les plus pertinentes pour la tâche visée. Notre première contribution porte sur l'intégration de différents réseaux profonds non-supervisés, pour extraire des caractéristiques dans le cadre du problème de détection de changement. Nous introduisons une nouvelle configuration des réseaux siamois, mieux adaptée à ce contexte. Le système CAD proposé a été évalué sur l’ensemble d’images IRM T1 des patients atteints d'épilepsie. Afin d'améliorer la performance obtenue, nous avons proposé d'étendre le système pour intégrer des données multimodales qui possèdent des informations complémentaires sur la pathologie. Notre deuxième contribution consiste donc à proposer des stratégies de combinaison des différentes modalités d’imagerie dans un système pour la détection de changement. Ce système multimodal a montré une amélioration importante sur la tâche de détection de lésions épileptogènes sur les IRM T1 et FLAIR. Notre dernière contribution se focalise sur l'intégration des données TEP dans le système proposé. Etant donné le nombre limité des images TEP, nous envisageons de synthétiser les données manquantes à partir des images IRM disponibles. Nous démontrons que le système entraîné sur les données réelles et synthétiques présente une amélioration importante par rapport au système entraîné sur les images réelles uniquement. / This work represents one attempt to develop a computer aided diagnosis system for epilepsy lesion detection based on neuroimaging data, in particular T1-weighted and FLAIR MR sequences. Given the complexity of the task and the lack of a representative voxel-level labeled data set, the adopted approach, first introduced in Azami et al., 2016, consists in casting the lesion detection task as a per-voxel outlier detection problem. The system is based on training a one-class SVM model for each voxel in the brain on a set of healthy controls, so as to model the normality of the voxel. The main focus of this work is to design representation learning mechanisms, capturing the most discriminant information from multimodality imaging. Manual features, designed to mimic the characteristics of certain epilepsy lesions, such as focal cortical dysplasia (FCD), on neuroimaging data, are tailored to individual pathologies and cannot discriminate a large range of epilepsy lesions. Such features reflect the known characteristics of lesion appearance; however, they might not be the most optimal ones for the task at hand. Our first contribution consists in proposing various unsupervised neural architectures as potential feature extracting mechanisms and, eventually, introducing a novel configuration of siamese networks, to be plugged into the outlier detection context. The proposed system, evaluated on a set of T1-weighted MRIs of epilepsy patients, showed a promising performance but a room for improvement as well. To this end, we considered extending the CAD system so as to accommodate multimodality data which offers complementary information on the problem at hand. Our second contribution, therefore, consists in proposing strategies to combine representations of different imaging modalities into a single framework for anomaly detection. The extended system showed a significant improvement on the task of epilepsy lesion detection on T1-weighted and FLAIR MR images. Our last contribution focuses on the integration of PET data into the system. Given the small number of available PET images, we make an attempt to synthesize PET data from the corresponding MRI acquisitions. Eventually we show an improved performance of the system when trained on the mixture of synthesized and real images.
|
410 |
Imagerie multispectrale, vers une conception adaptée à la détection de cibles / Multispectral imaging, a target detection oriented designMinet, Jean 01 December 2011 (has links)
L’imagerie hyperspectrale, qui consiste à acquérir l'image d'une scène dans un grand nombre de bandes spectrales, permet de détecter des cibles là où l'imagerie couleur classique ne permettrait pas de conclure. Les imageurs hyperspectraux à acquisition séquentielle sont inadaptés aux applications de détection en temps réel. Dans cette thèse, nous proposons d’utiliser un imageur multispectral snapshot, capable d’acquérir simultanément un nombre réduit de bandes spectrales sur un unique détecteur matriciel. Le capteur offrant un nombre de pixels limité, il est nécessaire de réaliser un compromis en choisissant soigneusement le nombre et les profils spectraux des filtres de l'imageur afin d’optimiser la performance de détection. Dans cet objectif, nous avons développé une méthode de sélection de bandes qui peut être utilisée dans la conception d’imageurs multispectraux basés sur une matrice de filtres fixes ou accordables. Nous montrons, à partir d'images hyperspectrales issues de différentes campagnes de mesure, que la sélection des bandes spectrales à acquérir peut conduire à des imageurs multispectraux capables de détecter des cibles ou des anomalies avec une efficacité de détection proche de celle obtenue avec une résolution hyperspectrale. Nous développons conjointement un démonstrateur constitué d'une matrice de 4 filtres de Fabry-Perot accordables électroniquement en vue de son implantation sur un imageur multispectral snapshot agile. Ces filtres sont développés en technologie MOEMS (microsystèmes opto-électro-mécaniques) en partenariat avec l'Institut d'Electronique Fondamentale. Nous présentons le dimensionnement optique du dispositif ainsi qu'une étude de tolérancement qui a permis de valider sa faisabilité. / Hyperspectral imaging, which consists in acquiring the image of a scene in a large number of spectral bands, can be used to detect targets that are not visible using conventional color imaging. Hyperspectral imagers based on sequential acquisition are unsuitable for real-time detection applications. In this thesis, we propose to use a snapshot multispectral imager able to acquire simultaneously a small number of spectral bands on a single image sensor. As the sensor offers a limited number of pixels, it is necessary to achieve a trade-off by carefully choosing the number and the spectral profiles of the imager’s filters in order to optimize the detection performance. For this purpose, we developed a band selection method that can be used to design multispectral imagers based on arrays of fixed or tunable filters. We use real hyperspectral images to show that the selection of spectral bands can lead to multispectral imagers able to compete against hyperspectral imagers for target detection and anomaly detection applications while allowing snapshot acquisition and real-time detection. We jointly develop an adaptive snapshot multispectral imager based on an array of 4 electronically tunable Fabry-Perot filters. The filters are developed in MOEMS technology (Micro-Opto-Electro-Mechanical Systems) in partnership with the Institut d'Electronique Fondamentale. We present the optical design of the device and a study of tolerancing which has validated its feasibility.
|
Page generated in 0.1383 seconds