Abstract
In anomaly intrusion detection, how to model the normal behavior of the activities performed by a user is an important issue. To extract this normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, such approaches can only model the static behavior of a user within that audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm that continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to the activities observed so far in the audit data stream are identified by the proposed data-stream clustering algorithm. As a result, new activities of the user are continuously reflected in the ongoing clustering result without physically maintaining any historical activity of that user.
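As an added illustration of the idea described in the abstract (example code written for this page, not the paper's own algorithm): each feature keeps a set of per-feature clusters as incremental [count, mean] summaries, every activity is discarded right after it is observed, and a new activity is scored by checking whether each of its feature values falls inside a well-supported cluster. The feature names, the join radii, the minimum-support threshold and the sample audit stream are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample audit stream (not from the paper): four interactive
# sessions followed by two runs of a nightly batch job.
ACTIVITIES = [
    {"bytes": 1200, "seconds": 30, "files": 3},
    {"bytes": 1400, "seconds": 45, "files": 4},
    {"bytes": 900, "seconds": 25, "files": 2},
    {"bytes": 1100, "seconds": 35, "files": 3},
    {"bytes": 52000, "seconds": 610, "files": 120},
    {"bytes": 50500, "seconds": 590, "files": 118},
]
# Assumed per-feature join radius: a value farther than this from every
# existing cluster mean starts a new cluster of its own.
RADIUS = {"bytes": 2000, "seconds": 60, "files": 10}

class StreamProfile:
    """One-pass, per-feature clustering of feature values. Each cluster is
    only a [count, mean] summary updated incrementally, so no raw activity
    from the stream is ever retained."""
    def __init__(self, radius):
        self.radius = radius
        self.clusters = defaultdict(list)  # feature -> [[count, mean], ...]

    def _nearest(self, feat, x):
        cs = self.clusters[feat]
        return min(cs, key=lambda c: abs(x - c[1])) if cs else None

    def observe(self, activity):
        """Fold one new activity into the profile, feature by feature."""
        for feat, x in activity.items():
            best = self._nearest(feat, x)
            if best is None or abs(x - best[1]) > self.radius[feat]:
                self.clusters[feat].append([1, float(x)])
            else:  # running-mean update; the value itself is discarded
                best[0] += 1
                best[1] += (x - best[1]) / best[0]

    def score(self, activity, min_support=2):
        """Features whose value lies outside every well-supported cluster."""
        flagged = []
        for feat, x in activity.items():
            best = self._nearest(feat, x)
            if (best is None or abs(x - best[1]) > self.radius[feat]
                    or best[0] < min_support):
                flagged.append(feat)
        return sorted(flagged)

def build_profile(stream=ACTIVITIES, radius=RADIUS):
    profile = StreamProfile(radius)
    for activity in stream:
        profile.observe(activity)
    return profile
```

Because each feature is clustered independently, an activity that mixes values from two normal clusters (batch-sized bytes in an interactive-length session) is only flagged on the features that match no cluster at all, which is the trade-off of a per-feature profile.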
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Oh, SH., Kang, JS., Byun, YC., Jeong, T.T., Lee, WS. (2006). Anomaly Intrusion Detection Based on Clustering a Data Stream. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds) Information Security. ISC 2006. Lecture Notes in Computer Science, vol 4176. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11836810_30
DOI: https://doi.org/10.1007/11836810_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-38341-3
Online ISBN: 978-3-540-38343-7
eBook Packages: Computer Science, Computer Science (R0)