A Pre-clustering Method To Improve Anomaly Detection

Denis Hock, Martin Kappes, Bogdan Ghita

2016

Abstract

While Anomaly Detection is commonly accepted as an appropriate technique to uncover yet unknown network misuse patterns and malware, detection rates are often diminished by, e.g., unpredictable user behavior, new applications and concept changes. In this paper, we propose and evaluate the benefits of using clustering methods for data preprocessing in Anomaly Detection in order to improve detection rates even in the presence of such events. We study our pre-clustering approach for different features such as IP addresses, traffic characteristics and application layer protocols. Our results obtained by analyzing detection rates for real network traffic with actual intrusions indicates that our approach does indeed significantly improve detection rates and, moreover, is practically feasible.

References

  1. Bouzida, Y., Cuppens, F., Cuppens-Boulahia, N., and Gombault, S. (2004). Efficient intrusion detection using principal component analysis. In 3éme Conférence sur la Sécurité et Architectures Réseaux (SAR), La Londe, France.
  2. Brauckhoff, D., Salamatian, K., and May, M. (2009). Applying pca for traffic anomaly detection: Problems and solutions. In INFOCOM 2009, IEEE, pages 2866-2870. IEEE.
  3. Chen, C. and Liu, L.-M. (1993). Joint estimation of model parameters and outlier effects in time series. Journal of the American Statistical Association, 88(421):284- 297.
  4. Chhabra, P., Scott, C., Kolaczyk, E. D., and Crovella, M. (2008). Distributed spatial anomaly detection. In INFOCOM 2008. The 27th Conference on Computer Communications. IEEE. IEEE.
  5. Cretu-Ciocarlie, G. F., Stavrou, A., Locasto, M. E., and Stolfo, S. J. (2009). Adaptive anomaly detection via self-calibration and dynamic updating. In Recent Advances in Intrusion Detection, pages 41-60. Springer.
  6. Davis, J. J. and Clark, A. J. (2011). Data preprocessing for anomaly based network intrusion detection: A review. Computers & Security, 30(6):353-375.
  7. Denning, D. E. (1987). An intrusion-detection model. Software Engineering, IEEE Transactions on, (2):222- 232.
  8. Heady, R., Luger, G., Maccabe, A., and Servilla, M. (1990). The architecture of a network-level intrusion detection system. Department of Computer Science, College of Engineering, University of New Mexico.
  9. Izakian, H. and Pedrycz, W. (2014). Anomaly detection and characterization in spatial time series data: A clustercentric approach.
  10. Kim, J. and Bentley, P. J. (2002). Towards an artificial immune system for network intrusion detection: an investigation of dynamic clonal selection. In Evolutionary Computation, 2002. CEC'02. Proceedings of the 2002 Congress on, volume 2, pages 1015-1020. IEEE.
  11. Kim, M.-S., Kong, H.-J., Hong, S.-C., Chung, S.-H., and Hong, J. W. (2004). A flow-based method for abnormal network traffic detection. In Network Operations and Management Symposium, 2004. NOMS 2004. IEEE/IFIP, volume 1, pages 599-612. IEEE.
  12. Leung, K. and Leckie, C. (2005). Unsupervised anomaly detection in network intrusion detection using clusters. In Proceedings of the Twenty-eighth Australasian conference on Computer Science-Volume 38, pages 333-342. Australian Computer Society, Inc.
  13. Li, Z., Gao, Y., and Chen, Y. (2005). Towards a high-speed router-based anomaly/intrusion detection system.
  14. Mahoney, M. and Chan, P. K. (2001). Phad: Packet header anomaly detection for identifying hostile network traffic.
  15. Münz, G., Li, S., and Carle, G. (2007). Traffic anomaly detection using k-means clustering. In GI/ITG Workshop MMBnet.
  16. Szmit, M., Adamus, S., Bugala, S., and Szmit, A. (2012). Anomaly detection 3.0 for snort. Snort. AD Project.
Download


Paper Citation


in Harvard Style

Hock D., Kappes M. and Ghita B. (2016). A Pre-clustering Method To Improve Anomaly Detection . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 391-396. DOI: 10.5220/0005953003910396


in Bibtex Style

@conference{secrypt16,
author={Denis Hock and Martin Kappes and Bogdan Ghita},
title={A Pre-clustering Method To Improve Anomaly Detection},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)},
year={2016},
pages={391-396},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005953003910396},
isbn={978-989-758-196-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)
TI - A Pre-clustering Method To Improve Anomaly Detection
SN - 978-989-758-196-0
AU - Hock D.
AU - Kappes M.
AU - Ghita B.
PY - 2016
SP - 391
EP - 396
DO - 10.5220/0005953003910396