Abstract
This paper presents an anomaly detection approach based on clustering and classification for intrusion detection (ID). We use connections obtained from the raw packet data of the audit trail as basic elements, then map the network connection records into 8 feature spaces, typically of high dimension, according to their protocols and services. The approach has two stages, a training stage and a testing stage. In the training stage we cluster the training data points and select some clusters as the normal and known-attack profile according to a certain criterion; the training data excluded from the profile are used to build a specific classifier. In the testing stage we use an influence-based classification algorithm to classify network behaviors, in which an influence function quantifies the influence of an object. Experiments on the KDD'99 Intrusion Detection Data Set demonstrate the detection performance and effectiveness of our ID approach.
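The two-stage scheme described in the abstract, as an added toy example that is not the paper's code: training clusters constructed 2-D connection features with k-means and keeps only large, label-pure clusters as the profile (the selection criterion, the Gaussian form of the influence function, the 1-NN fallback classifier and all thresholds are assumptions, since the abstract does not give them); testing sums each profile class's influence on a record and falls back to the specific classifier or an "anomaly" verdict.

```python
import math
def make_training_data():
    """Constructed 2-D connection features (e.g. scaled duration, byte counts); not the paper's data."""
    data = [((0.2 + 0.04 * math.cos(i), 0.2 + 0.04 * math.sin(i)), "normal") for i in range(40)]
    data += [((0.8 + 0.04 * math.cos(i), 0.8 + 0.04 * math.sin(i)), "probe") for i in range(20)]
    data += [((0.48, 0.52), "normal"), ((0.52, 0.48), "dos"),  # small label-mixed group
             ((0.50, 0.55), "dos"), ((0.55, 0.50), "normal")]
    return data
def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])
def kmeans(points, k, iters=20):
    """Lloyd's k-means with deterministic farthest-first seeding; returns the centroids."""
    cents = [points[0]]
    while len(cents) < k:
        cents.append(max(points, key=lambda p: min(dist(p, c) for c in cents)))
    for _ in range(iters):
        groups = [[] for _ in cents]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, cents[i]))].append(p)
        cents = [(sum(x for x, _ in g) / len(g), sum(y for _, y in g) / len(g)) if g else c
                 for g, c in zip(groups, cents)]
    return cents

def build_profile(data, k=3, min_size=10, purity=0.9):
    """Training stage: large, label-pure clusters form the profile; the rest feed a 1-NN classifier."""
    cents = kmeans([p for p, _ in data], k)
    assign = [min(range(k), key=lambda i: dist(p, cents[i])) for p, _ in data]
    profile, leftover = [], []
    for i in range(k):
        members = [(p, lab) for (p, lab), a in zip(data, assign) if a == i]
        labels = [lab for _, lab in members]
        top = max(set(labels), key=labels.count) if labels else None
        if len(members) >= min_size and labels.count(top) / len(members) >= purity:
            profile += [(p, top) for p, _ in members]  # cluster relabelled by its majority class
        else:
            leftover += members
    return profile, leftover

def classify(x, profile, leftover, sigma=0.05, tau=1.0, radius=0.1):
    """Testing stage, Gaussian influence function (assumed form): the profile class with the largest
    summed influence on x wins; weakly influenced records go to 1-NN over leftovers, else 'anomaly'."""
    total = {}
    for p, lab in profile:
        total[lab] = total.get(lab, 0.0) + math.exp(-dist(x, p) ** 2 / (2 * sigma ** 2))
    if total and max(total.values()) >= tau:
        return max(total, key=total.get)
    near = min(leftover, key=lambda pl: dist(x, pl[0]), default=None)
    if near is not None and dist(x, near[0]) <= radius:
        return near[1]
    return "anomaly"
```

With real connection records the feature vectors would be the per-protocol and per-service spaces the abstract mentions, and sigma, tau and radius would be tuned on held-out data rather than fixed as here.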
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Yang, H., Xie, F., Lu, Y. (2006). Clustering and Classification Based Anomaly Detection. In: Wang, L., Jiao, L., Shi, G., Li, X., Liu, J. (eds) Fuzzy Systems and Knowledge Discovery. FSKD 2006. Lecture Notes in Computer Science, vol 4223. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11881599_134
DOI: https://doi.org/10.1007/11881599_134
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-45916-3
Online ISBN: 978-3-540-45917-0