Abstract
To detect previously unknown anomalous attack behaviors in network traffic, an Unsupervised Anomaly Detection approach for network flow using Immune Network based K-means clustering (UADINK) is proposed. UADINK introduces an artificial immune network based K-means clustering algorithm (aiNet_KMC) to cluster network flows: the aiNet model extracts abstract internal images from the flows and yields an optimized value of the K-means parameter K, after which the flows are clustered by the K-means algorithm. A cluster labeling algorithm (clusLA) and a network flow anomaly detection algorithm (NFAD) are then used to detect anomalous attack behaviors of network flows: clusLA labels each cluster as malicious or not, and the labeled clusters serve as detectors with which NFAD identifies anomalous network flows. To evaluate the effectiveness of UADINK, the ISCX 2012 IDS dataset is used as the experimental dataset. Compared with the NDM-based K-means anomaly detection approach, the results show that UADINK is an effective approach for detecting anomalies in network flows.
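To make the cluster, label, detect pipeline described in the abstract concrete, the following is an added illustrative example in plain Python; it is not the chapter's code and does not reproduce aiNet_KMC, clusLA or NFAD. It assumes a four-feature flow record (duration, bytes, packets, destination port), a fixed K = 3 where the chapter derives K from its aiNet model, a cluster-size heuristic standing in for the chapter's labeling algorithm (clusters holding only a small fraction of all flows are marked malicious, on the premise that benign traffic dominates the training window), and a nearest-labeled-centroid rule standing in for NFAD. The flow records are constructed for the example.

```python
"""
Added illustrative example, not the chapter's own code: a three-stage
cluster -> label -> detect pipeline over constructed flow records.

Assumptions (not taken from the chapter):
  * flow feature vector = (duration_s, bytes, packets, dst_port)
  * K is fixed to 3; the chapter obtains K from its aiNet model
  * cluster labelling = size heuristic (small clusters are malicious)
  * detection = label of the nearest labelled centroid
"""
import math
import random


def build_sample_flows(seed=42):
    """Constructed flows: 40 HTTPS sessions, 40 DNS lookups, 6 single-packet probes."""
    rng = random.Random(seed)
    flows = []
    for _ in range(40):  # benign HTTPS sessions: seconds long, tens of KB, dozens of packets
        flows.append((rng.uniform(2.0, 3.0), rng.uniform(20000, 30000), rng.uniform(40, 60), 443))
    for _ in range(40):  # benign DNS lookups: a few ms, a few hundred bytes, two packets
        flows.append((rng.uniform(0.01, 0.05), rng.uniform(100, 300), 2, 53))
    for port in range(1000, 1006):  # probes: one 60-byte packet each to a distinct port
        flows.append((0.0, 60, 1, port))
    return flows


def fit_scaler(rows):
    """Per-column min/max so that byte counts do not dominate the distance."""
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]


def scale(row, scaler):
    mins, maxs = scaler
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, lo, hi in zip(row, mins, maxs)]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=100):
    """Plain Lloyd iteration with deterministic farthest-point seeding."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    assign = []
    for _ in range(iters):
        assign = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        new = []
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            new.append([sum(c) / len(members) for c in zip(*members)] if members else centroids[j])
        if new == centroids:
            break
        centroids = new
    return centroids, assign


def label_clusters(assign, k, min_fraction=0.15):
    """Assumed stand-in for clusLA: a cluster holding fewer than min_fraction of all
    flows is labelled malicious, on the premise that benign traffic dominates."""
    n = len(assign)
    return ["malicious" if assign.count(j) / n < min_fraction else "benign" for j in range(k)]


class FlowDetector:
    """Labelled centroids act as detectors; a new flow inherits the label of its nearest one."""

    def __init__(self, flows, k=3, min_fraction=0.15):
        self.scaler = fit_scaler(flows)
        points = [scale(f, self.scaler) for f in flows]
        self.centroids, self.assign = kmeans(points, k)
        self.labels = label_clusters(self.assign, k, min_fraction)

    def cluster_sizes(self):
        return [self.assign.count(j) for j in range(len(self.centroids))]

    def classify(self, flow):
        # Flows outside the training range are scaled beyond [0, 1]; they still map
        # to the nearest centroid, so the detector extrapolates rather than abstains.
        p = scale(flow, self.scaler)
        j = min(range(len(self.centroids)), key=lambda j: dist(p, self.centroids[j]))
        return self.labels[j]


if __name__ == "__main__":
    det = FlowDetector(build_sample_flows())
    print("cluster sizes:", det.cluster_sizes(), "labels:", det.labels)
    for flow in [(2.5, 25000, 50, 443), (0.02, 200, 2, 53), (0.0, 60, 1, 1003), (0.0, 60, 1, 8080)]:
        print(flow, "->", det.classify(flow))
```

The size heuristic is the weak point a practitioner should check: it fails whenever an attack is voluminous enough to form a large cluster (a flood) or benign traffic is itself rare (a seldom-used management port), which is one reason the chapter labels clusters with a dedicated algorithm and measures against the ISCX 2012 dataset rather than relying on cluster size alone.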
Acknowledgements
This work was funded by the National Natural Science Foundation of China under Grant No. 61462025, the China Postdoctoral Science Foundation under Grant No. 2014M562102, Hunan Provincial Natural Science Foundation of China under Grant No. 2015JJ2112, and the Scientific Research Fund of Hunan Provincial Education Department of China under Grant No. 12B099.
Copyright information
© 2017 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Shi, Y., Peng, X., Li, R., Zhang, Y. (2017). Unsupervised Anomaly Detection for Network Flow Using Immune Network Based K-means Clustering. In: Zou, B., Li, M., Wang, H., Song, X., Xie, W., Lu, Z. (eds) Data Science. ICPCSEE 2017. Communications in Computer and Information Science, vol 727. Springer, Singapore. https://doi.org/10.1007/978-981-10-6385-5_33
DOI: https://doi.org/10.1007/978-981-10-6385-5_33
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-6384-8
Online ISBN: 978-981-10-6385-5