DOI: 10.1007/11496618_30
Article

ADWICE – anomaly detection with real-time incremental clustering

Published: 02 December 2004

Abstract

Anomaly detection, the detection of deviations from what is considered normal, is an important complement to misuse detection based on attack signatures. Anomaly detection in real time places hard requirements on the algorithms used, making many proposed data mining techniques less suitable. ADWICE (Anomaly Detection With fast Incremental Clustering) uses the first phase of the existing BIRCH clustering framework to implement fast, scalable and adaptive anomaly detection. We extend the original clustering algorithm and apply the resulting detection mechanism to the analysis of data from IP networks. The performance is demonstrated on the KDD data set as well as on data from a test network at a telecom company. Our experiments show a good detection rate (95 %) and an acceptable false positive rate (2.8 %) considering the online, real-time characteristics of the algorithm. The number of alarms is then further reduced by applying the aggregation techniques implemented in the Safeguard architecture.
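The abstract describes the mechanism only at a high level: BIRCH's first phase summarises data as cluster features (CF = (N, LS, SS), the count, linear sum and square sum of absorbed points), which can be updated incrementally without keeping the points, and a new observation that lies far from every cluster is reported as an anomaly. The following Python is an added illustration of that idea and is not the ADWICE authors' code. It keeps the CFs in a flat list instead of a CF tree, uses distance to the nearest centroid both as the insertion rule (a simplification of BIRCH's radius threshold) and as the anomaly score, and bounds memory by merging the two nearest clusters when a cluster limit is exceeded. The feature vectors, the threshold value, the cluster limit and the "traffic" records are all constructed for the example.

```python
"""Incremental, BIRCH-style anomaly detector in the spirit of ADWICE.

Added illustration, not the ADWICE authors' code. Cluster features follow
BIRCH (N, LS, SS); the insertion/scoring rule (centroid distance) and all
sample data are assumptions made for this example.
"""
import math


class ClusterFeature:
    """BIRCH cluster feature: point count N, linear sum LS, square sum SS."""

    def __init__(self, point):
        self.n = 1
        self.ls = list(point)
        self.ss = sum(x * x for x in point)

    def centroid(self):
        return [x / self.n for x in self.ls]

    def absorb(self, point):
        """O(dimensions) update; the absorbed points themselves are not stored."""
        self.n += 1
        for i, x in enumerate(point):
            self.ls[i] += x
        self.ss += sum(x * x for x in point)

    def merge(self, other):
        """CF additivity: the summary of a union is the sum of the summaries."""
        self.n += other.n
        self.ls = [a + b for a, b in zip(self.ls, other.ls)]
        self.ss += other.ss

    def radius(self):
        """Root-mean-square distance of members from the centroid."""
        c = self.centroid()
        return math.sqrt(max(self.ss / self.n - sum(x * x for x in c), 0.0))


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class IncrementalDetector:
    def __init__(self, threshold, max_clusters):
        self.threshold = threshold        # centroid distance that counts as "new"
        self.max_clusters = max_clusters  # memory bound; exceeding it forces a merge
        self.clusters = []

    def nearest(self, point):
        """Return (distance, cluster) for the closest centroid, (inf, None) if empty."""
        best, best_cf = math.inf, None
        for cf in self.clusters:
            d = euclid(point, cf.centroid())
            if d < best:
                best, best_cf = d, cf
        return best, best_cf

    def train(self, point):
        """Insert one observation known to be normal (training or run-time adaptation)."""
        d, cf = self.nearest(point)
        if cf is not None and d <= self.threshold:
            cf.absorb(point)
            return
        self.clusters.append(ClusterFeature(point))
        if len(self.clusters) > self.max_clusters:
            self._merge_closest_pair()

    def _merge_closest_pair(self):
        """Coarsen the model: merge the two clusters whose centroids are nearest."""
        best = (math.inf, 0, 1)
        for i in range(len(self.clusters)):
            for j in range(i + 1, len(self.clusters)):
                d = euclid(self.clusters[i].centroid(), self.clusters[j].centroid())
                if d < best[0]:
                    best = (d, i, j)
        _, i, j = best
        self.clusters[i].merge(self.clusters[j])
        del self.clusters[j]

    def score(self, point):
        return self.nearest(point)[0]

    def is_anomaly(self, point):
        return self.score(point) > self.threshold


# Constructed sample: normalised (duration, bytes_out, bytes_in) of benign flows,
# two service profiles with small jitter.
NORMAL_TRAINING = [
    [0.10, 0.20, 0.30], [0.12, 0.22, 0.28], [0.08, 0.18, 0.32], [0.11, 0.21, 0.29],
    [0.80, 0.50, 0.60], [0.82, 0.48, 0.62], [0.78, 0.52, 0.58],
]


def build_detector(threshold=0.15, max_clusters=10):
    det = IncrementalDetector(threshold, max_clusters)
    for p in NORMAL_TRAINING:
        det.train(p)
    return det


if __name__ == "__main__":
    det = build_detector()
    print("clusters after training:", len(det.clusters))
    for p in ([0.09, 0.19, 0.31], [0.10, 0.95, 0.05], [0.50, 0.10, 0.90]):
        print(p, "anomaly" if det.is_anomaly(p) else "normal", round(det.score(p), 3))
    det.train([0.50, 0.10, 0.90])  # operator confirms the new service is benign
    print([0.52, 0.11, 0.88], "anomaly" if det.is_anomaly([0.52, 0.11, 0.88]) else "normal")
```

Two properties worth checking when running it: a confirmed-benign flow that was first flagged can be fed back through `train` and its neighbourhood is accepted from then on, which is the adaptivity the abstract refers to; and once the cluster limit forces merges, the merged cluster's `radius()` exceeds the threshold used for detection, so a model squeezed into too few clusters becomes more permissive rather than failing loudly. The second point is why the threshold and the memory bound have to be tuned together, and why a false positive rate of a few percent still yields a large absolute alarm volume on a busy network, which is what the aggregation step mentioned in the abstract is for.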

References

[1] Yegneswaran, V., Barford, P., Ullrich, J.: Internet intrusions: global characteristics and prevalence. In: Proceedings of the 2003 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, San Diego, CA, USA, ACM Press (2003) 138-147
[2] McHugh, J.: Intrusion and intrusion detection. International Journal of Information Security 1 (2001) 14-35
[3] Haines, J., Kewley Ryder, D., Tinnel, L., Taylor, S.: Validation of sensor alert correlators. IEEE Security and Privacy 1 (2003) 46-56
[4] Chyssler, T., Nadjm-Tehrani, S., Burschka, S., Burbeck, K.: Alarm reduction and correlation in defence of IP networks. In: Proceedings of the International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE 2004), Modena, Italy, IEEE Computer Society (2004) 229-234
[5] Safeguard: The Safeguard project (2003) http://www.ist-safeguard.org/ Accessed May 2004
[6] Zhang, T., Ramakrishnan, R., Livny, M.: BIRCH: an efficient data clustering method for very large databases. In: Proceedings of the 1996 ACM SIGMOD International Conference on Management of Data, SIGMOD Record 25 (1996) 103-114
[7] Fu, Y., Sandhu, K., Shih, M.Y.: A generalization-based approach to clustering of web usage sessions. In: Web Usage Analysis and User Profiling, International WEBKDD'99 Workshop. Volume 1836 of Lecture Notes in Artificial Intelligence, San Diego, CA, USA, Springer-Verlag (2000) 21-38
[8] Mukkamala, S., Janoski, G., Sung, A.: Intrusion detection using neural networks and support vector machines. In: Proceedings of the 2002 International Joint Conference on Neural Networks (IJCNN '02), Honolulu, HI, IEEE (2002) 1702-1707
[9] Elkan, C.: Results of the KDD'99 classifier learning. ACM SIGKDD Explorations 1 (2000) 63-64
[10] Portnoy, L., Eskin, E., Stolfo, S.: Intrusion detection with unlabeled data using clustering. In: ACM Workshop on Data Mining Applied to Security (2001)
[11] Sequeira, K., Zaki, M.: ADMIT: anomaly-based data mining for intrusions. In: Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Edmonton, Alberta, Canada, ACM Press (2002) 386-395
[12] Guan, Y., Ghorbani, A. A., Belacel, N.: Y-means: a clustering method for intrusion detection. In: Canadian Conference on AI. Volume 2671 of Lecture Notes in Computer Science, Montreal, Canada, Springer (2003) 616-617
[13] Munson, J., Wimer, S.: Watcher: the missing piece of the security puzzle. In: Proceedings of the 17th Annual Computer Security Applications Conference, New Orleans, LA, USA, IEEE Computer Society (2001) 230-239
[14] Han, J., Kamber, M.: Data Mining: Concepts and Techniques. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA (2001)
[15] Mahoney, M. V., Chan, P. K.: An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In: Recent Advances in Intrusion Detection. Volume 2820 of Lecture Notes in Computer Science, Pittsburgh, PA, USA, Springer (2003) 220-237
[16] Axelsson, S.: The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security 3 (2000) 186-205

Published In

ICISC'04: Proceedings of the 7th international conference on Information Security and Cryptology
December 2004
488 pages
ISBN:3540262261
  • Editors:
  • Choon-sik Park,
  • Seongtaek Chee

Publisher

Springer-Verlag

Berlin, Heidelberg


Author Tags

  1. adaptability
  2. anomaly detection
  3. clustering
  4. intrusion detection
  5. realtime


Cited By

  • (2016) Modified balanced iterative reducing and clustering using hierarchies (m-BIRCH) for visual clustering. Pattern Analysis & Applications 19(4): 1023-1040. doi:10.1007/s10044-015-0472-4. Online publication date: 1 Nov 2016
  • (2015) An uncertainty-managing batch relevance-based approach to network anomaly detection. Applied Soft Computing 36(C): 408-418. doi:10.1016/j.asoc.2015.07.029. Online publication date: 1 Nov 2015
  • (2012) Anomaly detection in water management systems. Critical Infrastructure Protection: 98-119. doi:10.5555/2231096.2231104. Online publication date: 1 Jan 2012
  • (2009) Towards early warning systems. Proceedings of the 4th International Conference on Critical Information Infrastructures Security: 151-164. doi:10.5555/1880551.1880564. Online publication date: 30 Sep 2009
  • (2008) Anomaly intrusion detection for evolving data stream based on semi-supervised learning. Proceedings of the 15th International Conference on Advances in Neuro-Information Processing, Volume Part I: 571-578. doi:10.5555/1813488.1813563. Online publication date: 25 Nov 2008
