Unsupervised learning techniques for an intrusion detection system

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Unsupervised learning techniques for an intrusion detection system

Full text

Pdf (338 KB)

Source

Symposium on Applied Computing archive
Proceedings of the 2004 ACM symposium on Applied computing table of contents

Nicosia, Cyprus

SESSION: Computer security (SEC) table of contents

Pages: 412 - 419

Year of Publication: 2004

ISBN:1-58113-812-1

Authors

Stefano Zanero	Politecnico di Milano, Milan, Italy
Sergio M. Savaresi	Politecnico di Milano, Milan, Italy

Sponsor

SIGAPP: ACM Special Interest Group on Applied Computing

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 24, Downloads (12 Months): 246, Citation Count: 11

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/967900.967988 What is a DOI?

ABSTRACT

With the continuous evolution of the types of attacks against computer networks, traditional intrusion detection systems, based on pattern matching and static signatures, are increasingly limited by their need of an up-to-date and comprehensive knowledge base. Data mining techniques have been successfully applied in host-based intrusion detection. Applying data mining techniques on raw network data, however, is made difficult by the sheer size of the input; this is usually avoided by discarding the network packet contents.In this paper, we introduce a two-tier architecture to overcome this problem: the first tier is an unsupervised clustering algorithm which reduces the network packets payload to a tractable size. The second tier is a traditional anomaly detection algorithm, whose efficiency is improved by the availability of data on the packet payload content.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	J. P. Anderson. Computer security threat monitoring and surveillance. Technical report, J. P. Anderson Co., Ft. Washington, Pennsylvania, Apr 1980.
	2	Tim Bass, Intrusion detection systems and multisensor data fusion, Communications of the ACM, v.43 n.4, p.99-105, April 2000 [doi>10.1145/332051.332079]
	3	D. Boley, V. Borst, and M. Gini. An unsupervised clustering tool for unstructured data. In IJCAI 99 Int'l Joint Conf. on Artificial Intelligence, Stockholm, Aug 1999.
	4	T. F. Cox and M. A. A. Cox. Multidimensional Scaling. Monographs on Statistics and Applied Probability. Chapman & Hall, 1995.
	5	S. C. Deerwester, S. T. Dumais, T. K. Landauer, G. W. Furnas, and R. A. Harshman. Indexing by latent semantic analysis. Journal of the American Society of Information Science, 41(6):391--407, 1990.
	6	J. Frank. Artificial intelligence and intrusion detection: Current and future directions. In Proc. of the 17th Nat'l Computer Security Conf., Baltimore, MD, 1994.
	7	Luc Girardin, An Eye on Network Intruder-Administrator Shootouts, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.19-28, April 09-12, 1999
	8	Isabelle Guyon , André Elisseeff, An introduction to variable and feature selection, The Journal of Machine Learning Research, 3, 3/1/2003
	9	Jiawei Han , Micheline Kamber, Data mining: concepts and techniques, Morgan Kaufmann Publishers Inc., San Francisco, CA, 2000
	10	John A. Hartigan, Clustering Algorithms, John Wiley & Sons, Inc., New York, NY, 1975
	11	D. Hawkins. Identification of Outliers. Chapman and Hall, London, 1980.
	12	A. K. Jain , M. N. Murty , P. J. Flynn, Data clustering: a review, ACM Computing Surveys (CSUR), v.31 n.3, p.264-323, Sept. 1999 [doi>10.1145/331499.331504]
	13	I. T. Jolliffe. Principal Component Analysis. Springer Verlag, 1986.
	14	K. Kendall. A database of computer attacks for the evaluation of intrusion detection systems. Master's thesis, Massachussets Institute of Technology, 1998.
	15	Teuvo Kohonen, Self-organizing maps, Springer-Verlag New York, Inc., Secaucus, NJ, 1997
	16	K. Labib and R. Vemuri. NSOM: A real-time network-based intrusion detection system using self-organizing maps. Technical report, Dept. of Applied Science, University of California, Davis, 2002.
	17	Terran Lane , Carla E. Brodley, Temporal sequence learning and data reduction for anomaly detection, ACM Transactions on Information and System Security (TISSEC), v.2 n.3, p.295-331, Aug. 1999 [doi>10.1145/322510.322526]
	18	R. Larsen. Lanczos bidiagonalization with partial reorthogonalization. PhD thesis, Dept. Computer Science, University of Aarhus, DK-8000 Aarhus C, Denmark, Oct 1998.
	19	W. Lee and S. Stolfo. Data mining approaches for intrusion detection. In Proc. of the 7th USENIX Security Symp., San Antonio, TX, 1998.
	20	Wenke Lee , Salvatore J. Stolfo , Kui W. Mok, Mining in a data-flow environment: experience in network intrusion detection, Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining, p.114-124, August 15-18, 1999, San Diego, California, United States [doi>10.1145/312129.312212]
	21	E. A. Levy. Smashing the stack for fun and profit. Phrack magazine, 7(49), Nov 1996.
	22	P. Lichodzijewski, A. Zincir-Heywood, and M. Heywood. Dynamic intrusion detection using self organizing maps. In 14th Annual Canadian Information Technology Security Symp., May 2002.
	23	A. Likas, N. Vlassis, and J. J. Verbeek. The global k-means clustering algorithm. Pattern Recognition, 36(2), 2003.
	24	M. Mahoney and P. Chan. Detecting novel attacks by identifying anomalous network packet headers. Technical Report CS-2001-2, Florida Institute of Technology, 2001.
	25	Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.262-294, Nov. 2000 [doi>10.1145/382912.382923]
	26	P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proc. 20th NIST-NCSC Nat'l Information Systems Security Conf., pages 353--365, 1997.
	27	T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical Report T2R-0Y6, Secure Networks, Calgary, Canada, 1998.
	28	S. Savaresi and D. L. Boley. On the performance of bisecting k-means and PDDP. In Proc. of the 1st SIAM Conf. on Data Mining, pages 1--14, 2001.
	29	S. Savaresi, D. L. Boley, S. Bittanti, and G. Gazzaniga. Cluster selection in divisive clustering algorithms. In Proc. of the 2nd SIAM Int'l Conf. on Data Mining, pages 299--314, 2002.
	30	G. Serazzi and S. Zanero. Computer virus propagation models. In M. C. Calzarossa and E. Gelenbe, editors, Tutorials of the 11th IEEE/ACM Int'l Symp. on Modeling, Analysis and Simulation of Computer and Telecom. Systems - MASCOTS 2003. Springer-Verlag, 2003.
	31	K. M. C. Tan , B. S. Collie, Detection and classification of TCP/IP network services, Proceedings of the 13th Annual Computer Security Applications Conference, p.99, December 08-12, 1997
	32	Kenji Yamanishi , Jun-Ichi Takeuchi , Graham Williams , Peter Milne, On-line unsupervised outlier detection using finite mixtures with discounting learning algorithms, Proceedings of the sixth ACM SIGKDD international conference on Knowledge discovery and data mining, p.320-324, August 20-23, 2000, Boston, Massachusetts, United States [doi>10.1145/347090.347160]
	33	Calvin Chow, Parzen-Window Network Intrusion Detectors, Proceedings of the 16 th International Conference on Pattern Recognition (ICPR'02) Volume 4, p.40385, August 11-15, 2002

CITED BY 11

	Kyrre Begnum , Mark Burgess, Principle Components and Importance Ranking of Distributed Anomalies, Machine Learning, v.58 n.2-3, p.217-230, February 2005
	Kingsly Leung , Christopher Leckie, Unsupervised anomaly detection in network intrusion detection using clusters, Proceedings of the Twenty-eighth Australasian conference on Computer Science, p.333-342, January 01, 2005, Newcastle, Australia
	Cheng Xiang , Png Chin Yong , Lim Swee Meng, Design of multiple-level hybrid classifier for intrusion detection system using Bayesian clustering and decision trees, Pattern Recognition Letters, v.29 n.7, p.918-924, May, 2008
	Giorgio Giacinto , Roberto Perdisci , Mauro Del Rio , Fabio Roli, Intrusion detection in computer networks by a modular ensemble of one-class classifiers, Information Fusion, v.9 n.1, p.69-82, January, 2008
	Robert Moskovitch , Yuval Elovici , Lior Rokach, Detection of unknown computer worms based on behavioral classification of the host, Computational Statistics & Data Analysis, v.52 n.9, p.4544-4566, May, 2008
	Harshit Nayyar , Ali A. Ghorbani, Approximate autoregressive modeling for network attack detection, Journal of Computer Security, v.16 n.2, p.165-197, April 2008
	Stefano Zanero, ULISSE, a network intrusion detection system, Proceedings of the 4th annual workshop on Cyber security and informaiton intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead, May 12-14, 2008, Oak Ridge, Tennessee
	Harshit Nayyar , Ali A Ghorbani, Approximate autoregressive modeling for network attack detection, Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, October 30-November 01, 2006, Markham, Ontario, Canada
	Álvaro Herrero , Emilio Corchado , María A. Pellicer , Ajith Abraham, MOVIH-IDS: A mobile-visualization hybrid intrusion detection system, Neurocomputing, v.72 n.13-15, p.2775-2784, August, 2009
	Federico Maggi , Matteo Matteucci , Stefano Zanero, Reducing false positives in anomaly detectors through fuzzy alert aggregation, Information Fusion, v.10 n.4, p.300-311, October, 2009
	G. Corral , E. Armengol , A. Fornells , E. Golobardes, Explanations of unsupervised learning clustering applied to data security analysis, Neurocomputing, v.72 n.13-15, p.2754-2762, August, 2009