Unsupervised anomaly detection using an evolutionary extension of k-means algorithm

Cited by: 10
Authors
Lu, Wei [1]
Traoré, Issa [1]
Affiliation
[1] Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC V8W 3P6
Keywords
Clustering; Evolutionary computation; Gaussian mixture model; Information and computer security; Intrusion detection; Unsupervised anomaly detection
DOI
10.1504/IJICS.2008.018513
Abstract
In this paper, we propose a new unsupervised anomaly detection framework for network intrusions. The framework consists of a new clustering algorithm named I-means and new anomalousness metrics named IP Weights. I-means is an evolutionary extension of the k-means algorithm that automatically estimates the number of clusters for a data set. IP Weights allow the automatic conversion of regular packet features into a 3-dimensional numerical feature space. Online and offline evaluations show not only strong detection effectiveness but also strong runtime efficiency, with response times in the range of a few seconds. © 2008, Inderscience Publishers.
Pages: 107-139
Page count: 32