En-ABC: An ensemble artificial bee colony based anomaly detection scheme for cloud environment

Abstract

With an exponential increase in the usage of different types of services and applications in cloud computing environment, the identification of malicious behavior of different nodes becomes challenging due to the diversity of traffic patterns generated from various services and applications. Most of the existing solutions reported in the literature are restricted with respect to the usage of a specific technique applicable to single class datasets. But in real life scenarios, applications and services especially in cloud environment may have multi-class datasets. Moreover, non-linear behavior among the dataset attributes generates additional challenges for identification of nodes behavior, and it has not been exploited to its full potential in the existing solutions. This can lead to performance bottlenecks with respect to the identification of malicious behavior of different nodes. Motivated from these facts, this paper proposes an Ensemble Artificial Bee Colony based Anomaly Detection Scheme (En-ABC) for multi-class datasets in cloud environment. En-ABC has following components for identification of malicious behavior of nodes-(i) feature selection and optimization, (ii) data clustering, and (iii) identification of anomalous behavior of nodes. The feature selection and optimization model in En-ABC has been built using Restricted Boltzmann Machine and Unscented Kalman Filter (to handle the non-linear behavior of dataset attributes) respectively. Moreover, Artificial Bee Colony-based Fuzzy C-means clustering technique is used to obtain an optimal clustering based on two objective functions, i.e., Mean Square Deviation and Dunn Index (to handle the participation of attributes in multiple clustered datasets). Then, a profile of normal/abnormal behavior has been built using clustering results for detection of the anomalies. Finally, the performance of the proposed scheme has been compared with the existing schemes (CM, SVM, ML-IDS and MSADA) using various parameters such as-detection, false alarm, and accuracy rates. Experimental results on benchmark (NSL-KDD, NAB and IBRL) and synthetic datasets validate the effectiveness of the proposed scheme.