Abstract
Anomaly detection is a method for determining behaviors which do not accord with normal ones. It is mostly used for detecting abnormal behaviors, mutational and unknown attacks. In this paper, we propose a technique that generates patterns about network-based normal behaviors in blocks of a TCP network session for the anomaly detection. One session is expressed as one pattern based on a stream of the packets in the session, and thus the pattern we generate has a sequential feature. We use the ROCK algorithm to cluster the sequence patterns which have categorical attributes. This algorithm performs clustering based on our similarity function which uses Dynamic Programming. The many sequence patterns of the normal behaviors can be reduced to several representative sequence patterns using the clustering. Our detecting sensor uses profiling dataset that are constructed by the representative sequence patterns of normal behaviors. We show the effectiveness of proposed model by using results from the 1999 DARPA Intrusion Detection Evaluation.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This research was supported by the MIC(Ministry of Information and Communication), Korea, under the ITRC(Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Assessment).
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Guha, S., Rastogi, R., Sim, K.: A Clustering algorithm for categorical attributes. Technical report, Bell Laboratories, Murray Hill (1997)
Guha, S., Rastogi, R., Sim, K.: ROCK: A robust clustering algorithm for categorical attributes. In: Proc. IEEE International Conference on Data Engineering, Sydney (March 1999)
MacQueen, J.: Some methods for classifiction and analysis of multivariate observations. In: Proc. 5th Berkeley Symp., pp. 281–297 (1967)
Cheong, I.-A., Kim, Y.-M., Kim, M.-S., Noh, B.-N.: The Causality Analysis of Protocol Measures for Detection of Attacks based on Network. In: Kahng, H.-K., Goto, S. (eds.) ICOIN 2004. LNCS, vol. 3090, pp. 962–972. Springer, Heidelberg (2004)
Ng, R., Han, J.: Efficient and effective clustering method for spatial data mining. In: Proc. 1994 Int’l Conf. on VLDB, Santiago, Chile, pp.144–155 (September 1994)
Bloedorn, E., Christiansen, A.D., Hill, W., Skorupka, C., Talbot, L.M., Tivel, J.: Data mining for network intrusion detection: How to get started. MITRE Technical Report (August 2001)
Ramaswarny, S., Rastogi, R., Shim, K.: Efficient Algorithms for Mining Outliers from Large Data Sets. In: Proceedings of the ACM Sigmod 2000 Int. Conference on Management of Data, Dallas, TX (2000)
Breunig, M.M., Kriegel, H.P., Ng, R.T., Sander, J.: LOF: Identifying Density-Based Local Outliers. In: Proc. of the ACM Sigmod 2000 Intl. Conference on Management of Data, Dallas, TX (2000)
Knorr, E.M., Ng, R.T.: Algorithms for Mining Distance-Based Outliers in Large Datasets. In: VLDB 1998, Proceedings of the 24th Int. Conference on Very Large Databases, New York City, NY, August 24-27, pp. 392-403 (1998)
Denning, D.E.: An intrusion-detection model. IEEE Transactions on Software Engineering 13(2), 222–232 (1987)
Sequeira, K., Zaki, M.: ADMIT: Anomaly-based data mining for intrusions. In: KDD 2002, pp. 386–395 (2002)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Noh, SK., Kim, YM., Kim, D., Noh, BN. (2006). Network Anomaly Detection Based on Clustering of Sequence Patterns. In: Gavrilova, M.L., et al. Computational Science and Its Applications - ICCSA 2006. ICCSA 2006. Lecture Notes in Computer Science, vol 3981. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11751588_37
Download citation
DOI: https://doi.org/10.1007/11751588_37
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34072-0
Online ISBN: 978-3-540-34074-4
eBook Packages: Computer ScienceComputer Science (R0)